cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

DKIM behind Separate MTA

Robert Bollinger
Iron Contributor

‎Jun 28 2019 12:35 PM

‎Jun 28 2019 12:35 PM

DKIM behind Separate MTA

Hey Guys, 

 

Quick Question here on DKIM. I want to get it setup and running and plan on using Office 365 to do the signing etc with. However my question is this we have an edge MTA where all messages are sent from our office 365 tenant. 

 

Near as i can guess, that shouldn't be a problem but i wanted to check with you guys first so see if you thought enabling DKIM on office 365 and then having outbound messages sent via en edge device (Proofpoint) would cause any Signature problems. 

 

The proofpoint MTA does show as an extra hop. 

 

Thanks, 

 

Robert 

Labels:
2,103 Views
2 Likes
5 Replies
Reply
5 Replies
Christopher Hoard

‎Jun 28 2019 12:53 PM

‎Jun 28 2019 12:53 PM

Re: DKIM behind Separate MTA

Hi @Robert Bollinger

Just to ask - does your MTA handle inbound too and is your MX pointed towards it?

If so, you would typically setup DKIM there, on ProofPoint, as opposed to EOP.

Hope that helps!

Best, Chris
1 Like
Reply
Robert Bollinger

‎Jun 28 2019 12:56 PM

‎Jun 28 2019 12:56 PM

Re: DKIM behind Separate MTA

@Christopher Hoard 

 

Yes it does. and our MX records point it as well. 

 

Robert 

2 Likes
Reply
Christopher Hoard

‎Jun 28 2019 12:59 PM

‎Jun 28 2019 12:59 PM

Re: DKIM behind Separate MTA

Thanks Robert,

I’m that case the recommended course of action would be to have SPF, DKIM and DMARC all set up with ProofPoint as opposed to EOP, being your smarthost

This is done regularly in the UK with several other well known brands. I can’t mention them specifically due to house rules but they would be competitors!

Hope that answers your question!

Best, Chris
1 Like
Reply
Robert Bollinger

‎Jun 28 2019 01:07 PM

‎Jun 28 2019 01:07 PM

Re: DKIM behind Separate MTA

@Christopher Hoard 

 

Do you know of any Microsoft documentation whcih specific covers setting up DKIM (office 365) behind another MTA? 

 

as long as proofpoint doesn't modify the body hash, subject etc or other signed portions of the messages then i don't see how it would be a problem. 

 

I agree with you in principal that we should have Proofpoint do the signing as its the last hop but that isn't always possible. 

 

Thanks, 

 

Robert 

 

2 Likes
Reply
best response confirmed by Robert Bollinger (Iron Contributor)
Christopher Hoard

‎Jun 28 2019 01:21 PM

‎Jun 28 2019 01:21 PM

Solution

Re: DKIM behind Separate MTA

No worries!

I can’t find it personally, here’s how to setup DKIM

https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email

Here’s also an account of what happens when you do (as instructed by ProofPoint)

https://www.google.co.uk/amp/s/amp.reddit.com/r/msp/comments/bn5zld/proofpoint_with_office_365_spf_r...

So they do say it’s possible and pass through if you follow the 365 guide, but has some caveats.

I would personally spin up a test domain and a mailbox to simulate it.

Hope that helps

Best, Chris
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Robert Bollinger (Iron Contributor)
Christopher Hoard

‎Jun 28 2019 01:21 PM

‎Jun 28 2019 01:21 PM

Solution

Re: DKIM behind Separate MTA

No worries!

I can’t find it personally, here’s how to setup DKIM

https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email

Here’s also an account of what happens when you do (as instructed by ProofPoint)

https://www.google.co.uk/amp/s/amp.reddit.com/r/msp/comments/bn5zld/proofpoint_with_office_365_spf_r...

So they do say it’s possible and pass through if you follow the 365 guide, but has some caveats.

I would personally spin up a test domain and a mailbox to simulate it.

Hope that helps

Best, Chris

View solution in original post

1 Like
Reply