As the Office 365 service keeps adding new features and functions, it is important for global admins to keep up with the latest offerings and service enhancements Office 365 provides. In this blog post I am going to discuss one of the security features offered by Office 365 and how it can benefit organizations when it comes to securing their Office 365 tenants. This feature is called DKIM. Microsoft has offered DKIM for some time now, and most organizations are using it quite effectively. But I was surprised to learn that there is still a huge knowledge gap around DKIM basics and its implementation scenarios. Let’s start with a brief description of DKIM.
DKIM stands for DomainKeys Identified Mail. The name gives us a clue that it involves digital keys, i.e. private/public keys. This means that there will be digital signing or encryption and decryption of messages. Yes, that’s right. So, in simple words, “it is the digital signing of emails by the sending party using its private key, in this instance the private domain key, and then decryption of this email by the recipient party using the domain’s public key.” This looks simple, and to be honest it is very simple, provided you understand these questions: Why do you need it? What are the benefits? How hard is it to configure and manage? Let’s answer them one by one.
The primary purpose of DKIM is to establish your identity on the internet, showing that you are who you claim to be. This means your domain, e.g. @contoso.com, is a legitimate domain and the recipient can trust emails coming from this source, since it has successfully identified itself. An analogy would be the SSL certificates that websites across the internet use to validate their identity to clients. This also provides the first benefit: your domain is published as a trusted domain across the internet, and any attempt to send spoofed emails using your domain will fail. The second big benefit is that your email security strategy gets a big boost, allowing you to use more advanced security features such as DMARC for securing your emails.
Now let’s get to the question of how hard it is to implement. The answer is that it is simple and does not take much effort in terms of configuration, though it does require a significant amount of planning to ensure a smooth and fruitful outcome. In fact, DKIM is enabled by default for your default Office 365 domain, i.e. onmicrosoft.com. Let’s review step by step how it is configured in Office 365.
DKIM requires just two steps for its configuration.
- Add CNAME records in public DNS for your custom domain.
- Enable DKIM for your custom domain in Office 365.
The CNAME records will have the following format.
Key things to remember here are:
- domainGUID is the same as the domainGUID in the customized MX record for your custom domain
- initialDomain is the domain that you used when you signed up for Office 365
- For Office 365, the selectors will always be “selector1” or “selector2”
For example, if your custom domain is contoso.com, this record will look like this:
To enable DKIM signing for your custom domain through the Office 365 admin center
- Sign in to Office 365 with your work or school account.
- Select the app launcher icon in the upper-left and choose Admin.
- In the lower-left navigation, expand Admin and choose Exchange.
- Go to Protection > dkim.
- Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each custom domain.
To enable DKIM signing for your custom domain by using PowerShell
- Connect to Exchange Online using remote PowerShell.
- Run the following cmdlet:
Where domain is the name of the custom domain for which you want to enable DKIM signing.
For example, for the domain contoso.com:
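As an added example (not code from the original post), the following PowerShell derives the two CNAME records described above from the custom domain's MX target and checks them against a constructed set of published records before DKIM signing is enabled. It assumes Microsoft's documented target format `selector<N>-<domainGUID>._domainkey.<initialDomain>` and the `New-DkimSigningConfig` cmdlet; `Get-ExpectedDkimCname` and `Test-DkimCname` are hypothetical helper names, and the contoso domains are placeholders.

```powershell
# Added example: contoso.com and contoso.onmicrosoft.com are placeholder domains.
function Get-ExpectedDkimCname {
    param(
        [Parameter(Mandatory)] [string] $CustomDomain,   # domain you send mail from
        [Parameter(Mandatory)] [string] $InitialDomain,  # *.onmicrosoft.com sign-up domain
        [Parameter(Mandatory)] [string] $MxHost          # MX target of the custom domain
    )
    # domainGUID is the part of the MX target in front of this suffix.
    $suffix = '.mail.protection.outlook.com'
    $mx = $MxHost.TrimEnd('.').ToLowerInvariant()
    if (-not $mx.EndsWith($suffix)) {
        throw "MX target '$MxHost' does not end in $suffix; cannot derive domainGUID."
    }
    $domainGuid = $mx.Substring(0, $mx.Length - $suffix.Length)
    foreach ($selector in 'selector1', 'selector2') {
        [pscustomobject]@{
            Name   = '{0}._domainkey.{1}' -f $selector, $CustomDomain
            Target = '{0}-{1}._domainkey.{2}' -f $selector, $domainGuid, $InitialDomain
        }
    }
}

function Test-DkimCname {
    param([object[]] $Expected, [hashtable] $Published)  # Published: record name -> CNAME target
    foreach ($record in $Expected) {
        $actual = $Published[$record.Name]
        if (-not $actual) { $status = 'Missing' }
        elseif ($actual.TrimEnd('.') -eq $record.Target) { $status = 'OK' }  # -eq ignores case
        else { $status = 'Mismatch' }
        [pscustomobject]@{ Name = $record.Name; Expected = $record.Target
                           Published = $actual; Status = $status }
    }
}

$expected = Get-ExpectedDkimCname -CustomDomain 'contoso.com' `
    -InitialDomain 'contoso.onmicrosoft.com' -MxHost 'contoso-com.mail.protection.outlook.com'

# Constructed sample of published DNS; selector2 wrongly points at the custom domain.
$published = @{
    'selector1._domainkey.contoso.com' = 'selector1-contoso-com._domainkey.contoso.onmicrosoft.com'
    'selector2._domainkey.contoso.com' = 'selector2-contoso-com._domainkey.contoso.com'
}
Test-DkimCname -Expected $expected -Published $published | Format-Table -AutoSize

# Against live data, fill $published for each record name with
#   (Resolve-DnsName -Name $name -Type CNAME).NameHost
# and, once every Status is OK, enable signing from an Exchange Online session:
#   New-DkimSigningConfig -DomainName contoso.com -Enabled $true
```

With the constructed records, selector1 reports `OK` and selector2 reports `Mismatch`, which is the state in which signing should not yet be enabled.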
The above steps will allow you to set up DKIM for your custom domain in Office 365. I will discuss implementation scenarios and the test process for verifying your settings in a future blog post.