Enabling DKIM in Office 365
October 21, 2018•552 words
Enabling DKIM in office 365 is way harder than it should be if you're not letting Microsoft manage your DNS records for you. Office 365 is not my preferred groupware system but it seems to be a necessary evil in the business world. In order to enable DKIM for office 365 its required that you add two CNAME records. In the example below I'm using the domain name azulpine.com and the office 365 tenet azulpine.com. If you have a .com TLD then it follows you should be able to drop in your domain in place of where I have put azulpine.
Cname Record 1
| Host: | selector1._domainkey |
| Value: | selector1-azulpine-com._domainkey.azulpine.onmicrosoft.com |
Cname Record 2
| Host: | selector2._domainkey |
| Value: | selector2-azulpine-com._domainkey.azulpine.onmicrosoft.com |
Why is DKIM important?
DKIM is a way for you to sign outbound messages automatically with a special seal of approval. This is the digital equivalent of a fancy wax seal on a letter. By doing this you can prove to an email server that the message came from an authorized source. In your DMARC record, you can specify what you would like mail servers to do with unsigned messages just like you can with messages that don’t meet SPF. DKIM exists to provide extra assurance of a message's origin over what SPF can deliver and can reduce the likelihood of a message being marked as spam in some cases but is generally only taken into account if the receiving mail server is using DMARC to vet messages. Aside from being used in conjunction with DMARC, DKIM can also be used to prove a message was a spoof. If you have a loose SPF policy and are not using DMARC (which you really should) it may be a good idea to sign email messages using DKIM so that if someone impersonates your email address and sends a malicious email to one of your contacts, you have a way to prove (via your “wax seal”) to that person that you did not send a malicious email. Damage might have been done but at least if you have DKIM you can point to the fact that you were innocent of sending a malicious message.