In the current article, we were complete to process of “Enabling Outbound DKIM signing” in an Office 365 based environment.In addition, we review how to verify that the process of outgoing DKIM signature is implemented properly.
Article Series | Table Of Content | Click to expand
Manage outbound DKIM signing in Office 365 | Office 365 | Article Series
Activating (enabling) the Outbound DKIM signing for our domain name
In this phase, we assume that the required DNS CNAME records that redirect “DKIM queries” to the “dedicated Office 365 DKIM selector host name” that represent our public domain name were already created.
To activate (enabling) the option of Outbound DKIM signing for a specific domain name, use the following steps:
- Logon to Exchange Online admin console
- On the left menu bar, select the protection
- On the top menu bar, select the dkim
In our example, we want to enable Outbound DKIM signing for the domain – o365pilot.com.
In the following screenshot, we can see that by default, the option of – Outbound DKIM signing option for the public domain name, is disabled. In other words, the option of “Enable” is active.
To enable Outbound DKIM signing for the domain – o365pilot.com, all we need to do is – to select the required domain name, and click the Enable menu.
In the following screenshot, we can see that the Outbound DKIM signing is Enabled
An additional option for enabling Outbound DKIM signing for a domain is via the – Office 365 Security & Compliance portal
- Logon to Security & Compliance portal
- On the left menu bar, select the Threat management menu
- Select the dkim menu
Verifying the process of Outbound DKIM signing + incoming DKIM verification test
After we have enabled the option of Outbound DKIM signing, the next task is to verify that the configuration is implemented properly.
Our expectations are, that E-mail that is sent by our organization recipients, whom their E-mail address includes the domain name suffix for which we enabled the Outbound DKIM signing, will be signed by a DKIM selector, that his host name include our domain name.
For example, each E-mail that sent from the domain o365pilot.com, will contain information about a DKIM selector, that his host name includes the domain name o365pilot.com.
Just a quick reminder, in an Office 365 based environment, each “outgoing E-mail” will be automatically included DKIM signature, using the “default Office 365 DKIM selector” that use the domain name – “onMicrosoft”.
The purpose of enabling Outbound DKIM signing is – to change this default, so the DKIM selector name will include our domain name suffix.
After we enable the option of – Outbound DKIM signing, the “DKIM signature” will not include the default Office 365 DKIM selector host name (onMicrosoft) and instead, in our example, will include the host name selector1._domainkey.o365pilot.com or, the host name – selector2._domainkey.o365pilot.com.
If we want to be more accurate, although the “formal” host name of the DKIM selector that represents our domain name is “selector1._domainkey.o365pilot.com”, the “destination mail server”, will relate to a shorten version of the host name.
When we look at the information that appears in the E-mail message header that was sent to external recipient, the DKIM selector host name will appear as “Selector1.o365pilot.com”.
In the next sections, we review the process in which we verify that the Office 365 DKIM infrastructure functioning properly.
In the next section, we will run two “DKIM outgoing flow” test.
The verification process of the Outbound DKIM signing will be implemented by:
- Test 1 – Analyzing the E-mail message header that was sent to the “destination recipient”, using the Microsoft Remote Connectivity Analyzer.
- Test 2 – Analyzing the E-mail message header that was sent to the “destination recipient”, using a free web-based tool.
Verifying the process of Outbound DKIM signing – Analyzing E-mail header
| Using Microsoft Remote Connectivity Analyzer
In this section, we want to verify that the Office 365 DKIM infrastructure is “working properly,” and
that E-mail messages that sent by our organization recipients are
- Digitally signed by using a DKIM signature
- That the DKIM selector that sign the E-mail is using the host name o365pilot.com
Our organization mail infrastructure (Exchange Online), was configured to implement Outbound DKIM signing for the public domain name – o365pilot.com.
In our scenario, an organization recipient who uses the E-mail address – firstname.lastname@example.org, sent E-mail to external recipients.
Analyzing the information stored in the E-mail header | Destination recipient
In the following screenshot, we can see the E-mail message that was sent to “G-Mail recipient.”
- To view to E-mail header, we select the E-mail message.
- Click on the small arrow that appears on the right side.
- Select the menu – Show original.
In the following screenshot, we can see that the DKIM signature was “approved” by the mail server that accepts the E-mail.
The information about the DKIM signature appears as – “PASS with domain o365pilot.com”.
To get more detailed information, we will copy the content of the E-mail header and analyze the information by using mail header analyzer.
In the next step, we will use the Microsoft E-mail header analyzer using a web-based tool
named – Microsoft Remote Connectivity Analyzer
- Paste the content of the E-mail header in the “white box”
- Select – Analyze headers
In the following screenshot, we can see the information about the “DKIM signature.”
The information includes the Public Key that the DKIM selector use.
The important information in our case is, the name of the DKIM selector that “stamp” the E-mail using a DKIM signature.
In the section named – “Authentication-Results”, we can see that the DKIM test was successful
The information appears as – “dkim=pass email@example.com”.
In the section named – “DKIM-Signature,” we can see the information about the “DKIM Selector” host name.
In our example, the DKIM selector host name is – d=o365pilot.com; s=selector1;
- The letter “d” represent the Domain name (o365pilot.com in our example).
- The letter “s” represent the selector host name (selector1 in our example).
Verifying the process of Outbound DKIM signing – Analyzing E-mail header | Using web-based tools
In the next step, we perform the “Outbound DKIM signing test” using a free web-based tool
named – DKIM, SPF, SpamAssassin Email Validator
The verification process is implemented by sending E-mail to a “unique E-mail address” that provided by the web-based tool.
The E-mail message that we send will be accepted by the “destination mail server”, and after the E-mail is accepted, the web-based tool will provide a report that relates to the result of the DKIM signature test.
- Copy the E-mail address that appears on the web page.
In this step, we send E-mail to the specific E-mail address from one of our organization users.
In our example, we want to verify the E-mail message that sent from a recipient who uses the domain name suffix – o365pilot.com include a “proper” DKIM signature.
After the E-mail message was sent, we will access the Web-based tool again and select the button – View Results
In the following screenshot, we can see the content of the E-mail message that was accepted by the “destination recipient.”
The information about that the “DKIM signature” inform us that the DKIM test “pass”, and the important thing is that the DKIM selector host name who signed the E-mail message is – selector1.o365pilot.com.
Additional web based tool
The former article in the current article series
It is important for us to know your opinion on this article