Rely solely on DKIM, remove spf.protection.outlook.com from SPF record?
Question: Is there anyone that already has removed the spf.protection.outlook.com entry for their Office 365 hosted mail domain, and how has this impacted deliverability? Situation: In order to protect our email from being spoofed, we have a DMARC policy in place that recipient email servers respect to filter out unauthenticated emails sent from our mail domain. As we all know, DMARC authentication can take place either by publishing the autorized sending servers IP's/netblocks in the domains SPF record, by publishing DKIM keys, or both. One of the mechanisms has to align, two is fine as well of course For our mail domain, both the SPF mechanism as well as the DKIM mechanism are used at this moment. Two assumptions: 1. The SPF record's entry for Office 365 (include:spf.protection.outlook.com) is used by ALL Office 365 tenatnt/customers and contains all the possible IP's that Office 365 uses to send outgoing email. 2. The DKIM key used by Office 365 to cryptogarphically sign mails that are sent out from our mail domain is unique for our tenant. When inspecting the DMARC reporting, i noticed that some emails were not signed with the correct DKIM keys, but are labeled as 'aligned'. Quite possibly, these emails were sent from within some Office 365 tenant, but not from our tenant and thus, quite possibly, malicious. Statement: On hosted email platforms such as O365 and gmail, SPF isn't good enough because all their good customers and all their abusive customers use spf.protection.outlook.com (or spf.gmail.com for that matter) for spf lookups. The spf record is only a simple txt lookup with no logic or cryptographic keys involved. By removing the SPF element from the equasion our email domain, we rely solely on the DKIM signing, which is unique and cryptographically sound. Email deliverability should not be impacted for DMARC compatible mailservices, but will be lower for email services that are not DMARC-compliant.
Office365 DKIM Setup
Hi I'm trying to setup DKIM on Office365 Exchange Online We have added the CNAME entries a few days ago. However when we go to: Exchange Admin / Protection / DKIM and click on the Domain We don't get the option to "Enable" DKIM Anyone any idea why we don't get this option? ThanksDKIM Network Solutions Hosted Domain
I am having difficulty trying to get DKIM enabled for our domain that is hosted on Network Solutions. I've worked with Microsoft's Tech Support, and don't get me wrong they are absolutely wonderful, but we are not able to get the issue resolved. The keys are entered exactly as they directed but after 50 hours the CNAME records are not resolving to be able to enable DKIM on the domain. Any direction or suggestions?
