DKIM for O365 Relay (On-premise SMTP server)


Good afternoon - I have enabled DKIM on one of the domains in O365/EXO and published the required CNAME records in DNS.

I have a relay connector set up through Office 365 that our on-premise SMTP server (Exchange 2013) uses to send invoices to customers.


When an email goes out directly from O365 to the internet (mailbox hosted in Exchange Online), DKIM gets applied to that email. However, when an email gets relayed via on-premise SMTP (application relay email) to O365 and then to the internet, only the O365-to-internet hop gets DKIM applied. No DKIM stamp is applied on the on-premise relay (via SMTP) to O365 hop. Due to this, the recipient system sees two authentication results: one is a DKIM pass (O365 to internet), the second one is a DKIM failure (on-premise to O365 relay).


Is there anything I may be missing to get DKIM to apply to these relayed messages?




7 Replies

What a USELESS response.  Your link does NOT address the OP's question.

That shouldn't matter. The DKIM results from on-prem to 365 shouldn't show a failure; they should show as dkim=none since DKIM is not enabled for the on-prem servers. External recipient systems shouldn't be looking at that regardless.


Hello Mohan,

I have the same situation, what did you end up doing?

Replying to old topic...


Walked into this also, but my guess is that this is normal behaviour. You already validated the recipient by creating a receive connector for. Thus DKIM is not applied.


Try relaying to a mail partner (external recipient). My guess is that DKIM applies to that one!

@Jan Anne Bijlsma 

You're right.
On-Prem Exchange SMTP relay to O365 DKIM=none

On-Prem Exchange SMTP relay to External such as gmail DKIM=pass


My issue is that Exchange Online Protection is marking On-Prem to O365 as SPAM (5). I figured that by adding DKIM the spam rating would likely reduce.

Not wanting to whitelist the on-prem exchange server for the SPAM filter, I'll look at switching from anonymous relay to authenticated to try and lower the spam confidence level...

Did you ever find a workaround to O365 DKIM=none?
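
Added example, not part of any post in this thread: a Python script that lists the DKIM result each hop stamped in `Authentication-Results` and keeps only the verdict from the authserv-id the receiver trusts, which is how a relayed message can carry both `dkim=none` and `dkim=pass`. The message, domains and authserv-ids below are constructed for illustration and are not taken from a real Office 365 trace.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: newest Authentication-Results header first, as a
# receiving server would prepend it. All names are illustrative assumptions.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=contoso.example header.s=selector1;
 spf=pass smtp.mailfrom=contoso.example
Authentication-Results: relay.protection.example;
 dkim=none (message not signed) header.d=none;
 spf=pass smtp.mailfrom=contoso.example
From: invoices@contoso.example
To: customer@recipient.example
Subject: Invoice 1001

Invoice attached.
"""

def parse_auth_results(raw_message):
    """Return one dict per Authentication-Results header, newest hop first."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", str(value))  # drop (comments)
        authserv_id, *clauses = [part.strip() for part in value.split(";")]
        results = {}
        for clause in clauses:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if not m:
                continue  # bare "none" or a malformed clause
            props = dict(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", clause, re.I))
            results.setdefault(m.group(1).lower(), []).append(
                (m.group(2).lower(), props))
        hops.append({"authserv_id": authserv_id.lower(), "results": results})
    return hops

def dkim_verdict(raw_message, trusted_authserv_id):
    """DKIM results stamped by the trusted authserv-id; other hops are ignored."""
    return [result
            for hop in parse_auth_results(raw_message)
            if hop["authserv_id"] == trusted_authserv_id.lower()
            for result, _props in hop["results"].get("dkim", [])]

if __name__ == "__main__":
    for hop in parse_auth_results(SAMPLE):
        print(hop["authserv_id"], hop["results"].get("dkim"))
    print("trusted verdict:", dkim_verdict(SAMPLE, "mx.recipient.example"))
```

RFC 8601 directs receivers to act only on `Authentication-Results` fields whose authserv-id belongs to their own trust boundary, which is why the verdict function filters on it rather than reading every header present.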