SOLVED
Home

DKIM with Office365 Confusion

%3CLINGO-SUB%20id%3D%22lingo-sub-225766%22%20slang%3D%22en-US%22%3EDKIM%20with%20Office365%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-225766%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20some%20confusion%20on%20implementing%20DKIM%2FDMARC%20on%20our%20tenant.%20If%20I%20understand%20this%20article%20(%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2FSecurityCompliance%2Fuse-dkim-to-validate-outbound-email%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2FSecurityCompliance%2Fuse-dkim-to-validate-outbound-email%3C%2FA%3E%3C%2FFONT%3E)%20correctly%3B%20DKIM%20is%20enabled%20by%20default%20and%20only%20need%20to%20be%20address%20if%20you%20have%20multiple%20custom%20domains%2C%20use%20DMARC%20(recommended)%2C%20want%20to%20change%20the%20CNAME%2C%20control%20the%20Private%20Key%2C%20or%20use%20a%203rd%20Party.%26nbsp%3B%20The%20later%20three%20I%20do%20not%20care%20about.%26nbsp%3B%20Its%20the%20first%20two.%26nbsp%3B%20However%2C%20we%20have%20several%20custom%20domains%20and%20DKIM%20appears%20to%20be%20working%20per%20the%20message%20headers.%26nbsp%3B%20(DKIM%20Signature%20shows%20pass%20and%20the%20expected%20details).%26nbsp%3B%20Also%20under%20Protection%20in%20EOP%2C%20DKIM%20is%20not%20enabled.%20Again%2C%20I%20assume%20that%20is%20expected.%26nbsp%3B%20So%20that%20is%20the%20first%20confusion.%20If%20it%20is%20working%20with%20multiple%20custom%20domains%2C%20then%20why%20is%20that%20the%20first%20reason%20listed%20on%20that%20page%3F%20%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3ENext%2C%20it%20mentions%20setting%20up%20a%20custom%20DKIM%20is%20recommended%20with%20DMARC.%20I%20want%20to%20enable%20this%20to%20reduce%20the%20phishing%20and%20spoofing%20we%20receive.%20Why%20is%20it%20recommended%3F%20There%20are%20no%20details%20on%20that.%20Since%20DKIM%20is%20working%20on%20our%20custom%20domains%2C%20can%20I%20simply%20skip%20that%20and%20setup%20DMARC%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-225766%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226308%22%20slang%3D%22en-US%22%3ERe%3A%20DKIM%20with%20Office365%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226308%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20Adam.%20You%20helped%20clarified%20the%20issues.%20Much%20appreciated.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226204%22%20slang%3D%22en-US%22%3ERe%3A%20DKIM%20with%20Office365%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226204%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Jeff%2C%3CBR%20%2F%3E%3CBR%20%2F%3EHopefully%20I%20can%20help%20with%20atleast%20some%20of%20your%20questions!%3CBR%20%2F%3E%3CBR%20%2F%3EDKIM%20is%20configured%20for%20your%20custom%20domains%20as%20well%20by%20default%2C%20but%20it%20is%20just%20down%20automatically%20by%20Office%20365.%26nbsp%3BMicrosoft%20originally%20sets%20up%20DKIM%20on%20your%20.onmicrosoft%20domain%2C%20and%20that%20can%20cause%20issues%20on%20custom%20domains%20if%20you%20are%20using%20DMARC%2C%20or%20are%20delivering%20to%20an%20email%20system%20that%20scrutinizes%20more.%20(more%20on%20this%20below)%26nbsp%3BSo%20i%20would%20expect%20the%20headers%20to%20show%20it%20working%2C%20and%20if%20you%20are%20just%20wanting%20to%20make%20sure%20its%20on%2C%20then%20yes%20you%20are%20good.%20So%20hopefully%20that%20helps%20address%20your%20first%20confusion.%20It%20is%20working%20because%20O365%20does%20that%20by%20default%2C%20but%20its%20just%20an%20automated%20one%20they%20do%20for%20you.%20If%20you%20wanted%20to%20control%20it%20more%2C%20or%20have%20the%20same%20type%20signature%20for%203%20domains%2C%20you%20would%20need%20to%20control%2Fcustomize%20it.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EEOP%20is%20for%20inbound%20mail%2C%20not%20outbound.%20So%20DKIM%20turned%20off%20in%20EOP%20just%20means%20you%20are%20not%20checking%20all%20the%20messages%20inbound%20to%20make%20sure%20they%20have%20DKIM%20going.%20I%20would%20recommend%20this%20unless%20you%20start%20to%20get%20allot%20of%20fake%20mail%20from%20others%2C%20as%20many%20older%2Fstand%20alone%20email%20systems%20are%20not%20using%20DKIM%2C%20and%20you%20will%20start%20blocking%20what%20is%20likely%20legitimate%20mail%20that%20is%20just%20not%20utilizing%20DKIM.%3CBR%20%2F%3E%3CBR%20%2F%3EFinally%20i%20have%20always%20recommended%20controlling%20your%20own%20DKIM%20if%20you%20are%20going%20to%20DMARC%20just%20because%20you%20are%20then%20in%20control%20of%20it.%20I%20have%20always%20looked%20at%20it%20as%20a%20step%20up%20process.%26nbsp%3B%3CBR%20%2F%3E1.%20SPF%20-%20says%20an%20email%20should%20come%20form%20this%20domain%20in%20DNS%3CBR%20%2F%3E2.%20DKIM%20-%20says%20an%20email%20did%20come%20from%20a%20system%20(via%20a%20signature%20on%20the%20email%20itself)%3CBR%20%2F%3E3.%20DMARC%20-%20Owns%20the%20two%20above%20in%20one%20package%2C%20and%20provides%20clear%20instructions%20on%20how%20to%20handle%20it%3CBR%20%2F%3E%3CBR%20%2F%3EDMARC%20takes%20SPF%20and%20DKIM%20a%20step%20further%2C%20adding%20a%20linkage%20to%20not%20only%20your%20company%2C%20but%20clear%20policies%20about%20how%20to%20handle%20the%20message%2C%20and%20messages%20from%20your%20domain.%20IE%20-%20Delete%20anything%20that%20doesn't%20pass%20those%20hurdles.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20if%20you%20have%20DMARC%20you%20are%20basically%20taking%20everything%20as%20far%20as%20you%20can%20by%20not%20only%20defining%20where%20it%20should%20be%20coming%20from%2C%20and%20singing%20the%20messages%20leaving%20your%20email%20system%2C%20but%20also%20providing%20instructions%20on%20how%20to%20handle%20the%20message%2C%20or%20any%20failures.%20Its%20a%20more%20complete%20package.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EI%20recommend%20the%20custom%20DKIM%20as%20then%20you%20are%20controlling%20the%20signature%20and%20not%20some%20third%20party%2C%20which%20means%20you%20know%20exactly%20what%20it%20is%20and%20it%20could%20match%20your%20own%20security%20policies.%20It%20also%20solves%20the%20fact%20that%20Microsoft%20users%20.onmicrosoft%20domain%20first%2Fas%20the%20default.%20You%20have%20issues%26nbsp%3B%3CSPAN%3Ebecause%20the%20default%20DKIM%20configuration%20uses%20your%20initial%20onmicrosoft.com%20domain%20as%20the%205322.From%20address%2C%20not%20your%20custom%20domain.%20This%20forces%20a%20mismatch%20between%20the%205321.MailFrom%20and%20the%205322.From%20addresses%20in%20all%20email%20sent%20from%20your%20domain.%20So%20if%20you%26nbsp%3B%20setup%20a%20custom%20one%2C%20you%20dont%20have%20that%20mismatch.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20you%20have%20to%20do%20that%20to%20do%20DMARC%3F%20No%2C%20but%20you%20could%20have%20problems%20without%20it.%3CBR%20%2F%3EDo%20you%20have%20to%20do%20DMARC%3F%20No%2C%20but%20if%20you%20are%20having%20a%20spoofing%20problem%20i%20would%20for%20sure%20recommend%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-615022%22%20slang%3D%22en-US%22%3ERe%3A%20DKIM%20with%20Office365%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-615022%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F603%22%20target%3D%22_blank%22%3E%40Adam%20Ochs%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Adam%2C%3C%2FP%3E%3CP%3EDKIM%20Settings%20within%20EOP%20are%20for%20Outbound%20-%20not%20Inbound.%20If%20you%20enable%20the%20setting%20messages%20from%20EOP%20will%20be%20added%20a%20DKIM%20Signature.%20If%20you%20want%20to%20check%20the%20DKIM%20for%20Inbound%20messages%20you%20need%20to%20create%20a%20transport%20rule%20for%20that.%3C%2FP%3E%3CP%3EBTW%3A%20EOP%20is%20for%20Outbound%20also%20-%20SPAM%20Check%20and%20Antimalware%2FAntivirus-Checks%20will%20be%20done%20for%20Outbound%20messages%20also.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

I have some confusion on implementing DKIM/DMARC on our tenant. If I understand this article (https://docs.microsoft.com/en-us/office365/SecurityCompliance/use-dkim-to-validate-outbound-email) correctly; DKIM is enabled by default and only need to be address if you have multiple custom domains, use DMARC (recommended), want to change the CNAME, control the Private Key, or use a 3rd Party.  The later three I do not care about.  Its the first two.  However, we have several custom domains and DKIM appears to be working per the message headers.  (DKIM Signature shows pass and the expected details).  Also under Protection in EOP, DKIM is not enabled. Again, I assume that is expected.  So that is the first confusion. If it is working with multiple custom domains, then why is that the first reason listed on that page?    

Next, it mentions setting up a custom DKIM is recommended with DMARC. I want to enable this to reduce the phishing and spoofing we receive. Why is it recommended? There are no details on that. Since DKIM is working on our custom domains, can I simply skip that and setup DMARC? 

 

Thank you. 

3 Replies
Highlighted
Solution

Hey Jeff,

Hopefully I can help with atleast some of your questions!

DKIM is configured for your custom domains as well by default, but it is just down automatically by Office 365. Microsoft originally sets up DKIM on your .onmicrosoft domain, and that can cause issues on custom domains if you are using DMARC, or are delivering to an email system that scrutinizes more. (more on this below) So i would expect the headers to show it working, and if you are just wanting to make sure its on, then yes you are good. So hopefully that helps address your first confusion. It is working because O365 does that by default, but its just an automated one they do for you. If you wanted to control it more, or have the same type signature for 3 domains, you would need to control/customize it. 

EOP is for inbound mail, not outbound. So DKIM turned off in EOP just means you are not checking all the messages inbound to make sure they have DKIM going. I would recommend this unless you start to get allot of fake mail from others, as many older/stand alone email systems are not using DKIM, and you will start blocking what is likely legitimate mail that is just not utilizing DKIM.

Finally i have always recommended controlling your own DKIM if you are going to DMARC just because you are then in control of it. I have always looked at it as a step up process. 
1. SPF - says an email should come form this domain in DNS
2. DKIM - says an email did come from a system (via a signature on the email itself)
3. DMARC - Owns the two above in one package, and provides clear instructions on how to handle it

DMARC takes SPF and DKIM a step further, adding a linkage to not only your company, but clear policies about how to handle the message, and messages from your domain. IE - Delete anything that doesn't pass those hurdles.

So if you have DMARC you are basically taking everything as far as you can by not only defining where it should be coming from, and singing the messages leaving your email system, but also providing instructions on how to handle the message, or any failures. Its a more complete package. 

I recommend the custom DKIM as then you are controlling the signature and not some third party, which means you know exactly what it is and it could match your own security policies. It also solves the fact that Microsoft users .onmicrosoft domain first/as the default. You have issues because the default DKIM configuration uses your initial onmicrosoft.com domain as the 5322.From address, not your custom domain. This forces a mismatch between the 5321.MailFrom and the 5322.From addresses in all email sent from your domain. So if you  setup a custom one, you dont have that mismatch.

Do you have to do that to do DMARC? No, but you could have problems without it.
Do you have to do DMARC? No, but if you are having a spoofing problem i would for sure recommend it!

Highlighted

Thank you Adam. You helped clarified the issues. Much appreciated. 

 

Highlighted

@Adam Ochs 

Hi Adam,

DKIM Settings within EOP are for Outbound - not Inbound. If you enable the setting messages from EOP will be added a DKIM Signature. If you want to check the DKIM for Inbound messages you need to create a transport rule for that.

BTW: EOP is for Outbound also - SPAM Check and Antimalware/Antivirus-Checks will be done for Outbound messages also.