DKIM/DMARC and onmicrosoft.com

%3CLINGO-SUB%20id%3D%22lingo-sub-2375383%22%20slang%3D%22en-US%22%3EDKIM%2FDMARC%20and%20onmicrosoft.com%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2375383%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3EWe%20have%20run%20into%20an%20issue%20with%20DKIM%20and%20DMARC.%3C%2FP%3E%3CP%3EWe%20have%20three%20domain%20names%20in%20use%20within%20our%20Microsoft%20365%20tenant.%20We%20use%20Proofpoint%20Essentials%20to%20filter%20inbound%2Foutbound%20email%20to%20all%20of%20them.%3C%2FP%3E%3CP%3EOur%20SPF%20records%20have%20been%20around%20for%20several%20years%20before%20we%20began%20using%20Microsoft%20365%20and%20they%20verify%20that%20Proofpoint%20Essentials%20can%20send%20mail%20on%20our%20behalf.%3C%2FP%3E%3CP%3EHowever%2C%20since%20setting%20up%20DKIM%20and%20DMARC%20we%20are%20seeing%20reports%20which%20show%20that%20while%20our%20domain%20names%20are%20passing%20DKIM%20the%20onmicrosoft.com%20domain%20name%20that%20is%20used%20as%20part%20of%20the%20sending%20process%20fails.%3C%2FP%3E%3CP%3EDKIM%2FDMARC%20allows%20recipient%20mail%20servers%20to%20verify%20that%20our%20email%20is%20sent%20via%20Proofpoint%20Essentials.%20We%20do%20not%20have%20any%20control%20over%20onmicrosoft.com%20so%20wondered%20how%20other%20Microsoft%20365%20customers%20deal%20with%20this.%3C%2FP%3E%3CP%3EPlease%20note%20this%20is%20not%20a%20question%20about%20sending%20email%20as%20user%40our-domain-name.onmicrosoft.com.%20We%20send%20email%20using%20user%40our-domain-name.com.%3C%2FP%3E%3CP%3EThank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2375383%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2530093%22%20slang%3D%22en-US%22%3ERe%3A%20DKIM%2FDMARC%20and%20onmicrosoft.com%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2530093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169727%22%20target%3D%22_blank%22%3E%40PK%20Player%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESame%20here.%20I%20have%20searched%20all%20there%20is%20to%20be%20searched%20to%20no%20avail%20%3A(%3C%2Fimg%3E%20Our%20main%20problem%20is%20with%20D%2FL.%20DKIM%20alignment%20fails%20when%20a%20D%2FL%20member%20(with%20outside%20domain)%20sends%20out%20to%20D%2FL.%20Furthermore%2C%20while%20our%20customdomain.com%20passes%20all%20DKIM%2FDmarc%2C%20when%20we%20check%20for%20customdomain.onmicrosoft.com%2C%20DKIM%20fails%20for%20all%20existing%20selectors.%20smh.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2603182%22%20slang%3D%22en-US%22%3ERe%3A%20DKIM%2FDMARC%20and%20onmicrosoft.com%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2603182%22%20slang%3D%22en-US%22%3EWell%2C%20I%20assume%20that%20it%20does%20not%20matter%20so%20much.%20Email%20from%20our%20tenant%20originates%20from%20Microsoft's%20mail%20servers%20which%20are%20Microsoft-owned%20IP%20addresses.%20I%20expect%20that%20so%20long%20as%20the%20IP%20addresses%20match%20Microsoft's%20servers%20the%20onmicrosoft.com%20part%20of%20the%20domain%20name%20is%20accepted%20and%20that%20the%20DKIM%2FDMARC%20reports%20are%20purely%20for%20show%20and%20are%20not%20acted%20upon.%3CBR%20%2F%3EThere's%20probably%20a%20whole%20level%20of%20authentication%20we%20are%20unaware%20of.%3C%2FLINGO-BODY%3E
Contributor

Hello

We have run into an issue with DKIM and DMARC.

We have three domain names in use within our Microsoft 365 tenant. We use Proofpoint Essentials to filter inbound/outbound email to all of them.

Our SPF records have been around for several years before we began using Microsoft 365 and they verify that Proofpoint Essentials can send mail on our behalf.

However, since setting up DKIM and DMARC we are seeing reports which show that while our domain names are passing DKIM the onmicrosoft.com domain name that is used as part of the sending process fails.

DKIM/DMARC allows recipient mail servers to verify that our email is sent via Proofpoint Essentials. We do not have any control over onmicrosoft.com so wondered how other Microsoft 365 customers deal with this.

Please note this is not a question about sending email as user@our-domain-name.onmicrosoft.com. We send email using user@our-domain-name.com.

Thank you.

2 Replies

@PK Player 

Same here. I have searched all there is to be searched to no avail :( Our main problem is with D/L. DKIM alignment fails when a D/L member (with outside domain) sends out to D/L. Furthermore, while our customdomain.com passes all DKIM/Dmarc, when we check for customdomain.onmicrosoft.com, DKIM fails for all existing selectors. smh.

Well, I assume that it does not matter so much. Email from our tenant originates from Microsoft's mail servers which are Microsoft-owned IP addresses. I expect that so long as the IP addresses match Microsoft's servers the onmicrosoft.com part of the domain name is accepted and that the DKIM/DMARC reports are purely for show and are not acted upon.
There's probably a whole level of authentication we are unaware of.