SOLVED

DKIM behind Separate MTA


Hey Guys,

Quick question here on DKIM. I want to get it set up and running and plan on using Office 365 to do the signing etc. with. However, my question is this: we have an edge MTA where all messages are sent from our Office 365 tenant.

Near as I can guess, that shouldn't be a problem, but I wanted to check with you guys first to see if you thought enabling DKIM on Office 365 and then having outbound messages sent via an edge device (Proofpoint) would cause any signature problems.

The Proofpoint MTA does show as an extra hop.

Thanks,

Robert

5 Replies
Hi @Robert Bollinger

Just to ask - does your MTA handle inbound too and is your MX pointed towards it?

If so, you would typically set up DKIM there, on ProofPoint, as opposed to EOP.

Hope that helps!

Best, Chris

@Christopher Hoard

Yes it does, and our MX records point to it as well.

Robert

Thanks Robert,

In that case the recommended course of action would be to have SPF, DKIM and DMARC all set up with ProofPoint as opposed to EOP, being your smarthost.

This is done regularly in the UK with several other well known brands. I can’t mention them specifically due to house rules but they would be competitors!

Hope that answers your question!

Best, Chris

@Christopher Hoard

Do you know of any Microsoft documentation which specifically covers setting up DKIM (Office 365) behind another MTA?

As long as Proofpoint doesn't modify the body hash, subject etc. or other signed portions of the messages, then I don't see how it would be a problem.

I agree with you in principle that we should have Proofpoint do the signing as it's the last hop, but that isn't always possible.

Thanks,

Robert

Solution
No worries!

I can’t find it personally, here’s how to set up DKIM

https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email

Here’s also an account of what happens when you do (as instructed by ProofPoint)

https://www.google.co.uk/amp/s/amp.reddit.com/r/msp/comments/bn5zld/proofpoint_with_office_365_spf_r...

So they do say it’s possible and pass through if you follow the 365 guide, but it has some caveats.

I would personally spin up a test domain and a mailbox to simulate it.

Hope that helps

Best, Chris
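
Added example, not part of the original thread: a Python check for the test-domain simulation suggested above, recomputing the DKIM body hash (`bh=`) of a message as received after the relay and comparing it with the value the signer recorded. The sample bodies, `example.com`, the selector and the `b=` placeholder are constructed; the check covers only the SHA-256 body hash (RFC 6376 canonicalization), ignores the `l=` tag, and does not verify the header signature in `b=`.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF.
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse whitespace runs, strip whitespace at line ends,
    # drop trailing empty lines; an empty body stays empty.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, relaxed: bool) -> str:
    data = canon_relaxed(body) if relaxed else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    # Split a DKIM-Signature header value into tag=value pairs, unfolding whitespace.
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_survived(sig_value: str, received_body: bytes) -> bool:
    tags = parse_tags(sig_value)
    if not tags.get("a", "").endswith("sha256"):
        raise ValueError("only sha256 signatures are handled here")
    # c=header/body; the body algorithm defaults to simple when omitted.
    body_canon = tags.get("c", "simple/simple").partition("/")[2]
    return body_hash(received_body, body_canon == "relaxed") == tags["bh"]

# Constructed sample data: the body as signed, and two bodies as a relay might deliver it.
SIGNED_BODY = b"Quarterly report attached.\r\n\r\nRegards,\r\nRobert\r\n"
REWRAPPED = b"Quarterly  report attached. \r\n\r\nRegards,\r\nRobert\r\n\r\n"
WITH_FOOTER = SIGNED_BODY + b"-- \r\nScanned by the outbound gateway\r\n"

def make_sig(body_canon: str) -> str:
    # Constructed header value; b= is a placeholder, not a real signature.
    bh = body_hash(SIGNED_BODY, body_canon == "relaxed")
    return (f"v=1; a=rsa-sha256; c=relaxed/{body_canon}; d=example.com; s=sel1;\r\n"
            f"\th=from:subject; bh={bh}; b=PLACEHOLDER")
```

Whitespace-only changes by the relay survive `relaxed` body canonicalization but not `simple`; an appended footer breaks the body hash under both.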