Enabling Outbound DKIM signing + Verifying the process of Outbound DKIM signing in the Office 365 environment | Part 10#10 5/5 (4) 8 min read

In the current article, we were complete to process of “Enabling Outbound DKIM signing” in an Office 365 based environment.In addition, we review how to verify that the process of outgoing DKIM signature is implemented properly.

Activating (enabling) the Outbound DKIM signing for our domain name

In this phase, we assume that the required DNS CNAME records that redirect “DKIM queries” to the “dedicated Office 365 DKIM selector host name” that represent our public domain name were already created.

Note – we have reviewed the process of creating it requires DKIM CNAME records in the former article.

To activate (enabling) the option of Outbound DKIM signing for a specific domain name, use the following steps:

In our example, we want to enable Outbound DKIM signing for the domain – o365pilot.com.

In the following screenshot, we can see that by default, the option of – Outbound DKIM signing option for the public domain name, is disabled. In other words, the option of “Enable” is active.

Activating the option of Outbound DKIM signing in Office 365 -01

To enable Outbound DKIM signing for the domain – o365pilot.com, all we need to do is – to select the required domain name, and click the Enable menu.

Activating the option of Outbound DKIM signing in Office 365 -02

In the following screenshot, we can see that the Outbound DKIM signing is Enabled

Activating the option of Outbound DKIM signing in Office 365 -03

An additional option for enabling Outbound DKIM signing for a domain is via the – Office 365 Security & Compliance portal

Activating the option of Outbound DKIM signing in Office 365 -04

Verifying the process of Outbound DKIM signing + incoming DKIM verification test

After we have enabled the option of Outbound DKIM signing, the next task is to verify that the configuration is implemented properly.

Our expectations are, that E-mail that is sent by our organization recipients, whom their E-mail address includes the domain name suffix for which we enabled the Outbound DKIM signing, will be signed by a DKIM selector, that his host name include our domain name.

For example, each E-mail that sent from the domain o365pilot.com, will contain information about a DKIM selector, that his host name includes the domain name o365pilot.com.

Scenario A – testing the Outbound DKIM signing ?for an o365pilot.com recipient -01

Just a quick reminder, in an Office 365 based environment, each “outgoing E-mail” will be automatically included DKIM signature, using the “default Office 365 DKIM selector” that use the domain name – “onMicrosoft”.

The purpose of enabling Outbound DKIM signing is – to change this default, so the DKIM selector name will include our domain name suffix.

After we enable the option of – Outbound DKIM signing, the “DKIM signature” will not include the default Office 365 DKIM selector host name (onMicrosoft) and instead, in our example, will include the host name selector1._domainkey.o365pilot.com or, the host name – selector2._domainkey.o365pilot.com.

If we want to be more accurate, although the “formal” host name of the DKIM selector that represents our domain name is “selector1._domainkey.o365pilot.com”, the “destination mail server”, will relate to a shorten version of the host name.

When we look at the information that appears in the E-mail message header that was sent to external recipient, the DKIM selector host name will appear as “Selector1.o365pilot.com”.

Note – If you need to read more information about the process in which we get the information about the “dedicated host name” which Office 365 “generate” for our public domain, you can read the following article – Get the value of the DKIM record for a Domain, using PowerShell | Office 365 | Part 7#10

In the next sections, we review the process in which we verify that the Office 365 DKIM infrastructure functioning properly.

In the next section, we will run two “DKIM outgoing flow” test.

The verification process of the Outbound DKIM signing will be implemented by:

  • Test 1 – Analyzing the E-mail message header that was sent to the “destination recipient”, using the Microsoft Remote Connectivity Analyzer.
  • Test 2 – Analyzing the E-mail message header that was sent to the “destination recipient”, using a free web-based tool.

Verifying the process of Outbound DKIM signing – Analyzing E-mail header
| Using Microsoft Remote Connectivity Analyzer

In this section, we want to verify that the Office 365 DKIM infrastructure is “working properly,” and
that E-mail messages that sent by our organization recipients are

  • Digitally signed by using a DKIM signature
  • That the DKIM selector that sign the E-mail is using the host name o365pilot.com

Scenario description

Our organization mail infrastructure (Exchange Online), was configured to implement Outbound DKIM signing for the public domain name – o365pilot.com.

In our scenario, an organization recipient who uses the E-mail address – craig@o365pilot.com, sent E-mail to external recipients.

Analyzing the information stored in the E-mail header | Destination recipient

In the following screenshot, we can see the E-mail message that was sent to “G-Mail recipient.”

Verifying the process of Outbound DKIM signing send E-mail to external recipient -01

  • To view to E-mail header, we select the E-mail message.
  • Click on the small arrow that appears on the right side.
  • Select the menu – Show original.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -02

In the following screenshot, we can see that the DKIM signature was “approved” by the mail server that accepts the E-mail.

The information about the DKIM signature appears as – “PASS with domain o365pilot.com”.

To get more detailed information, we will copy the content of the E-mail header and analyze the information by using mail header analyzer.
Verifying the process of Outbound DKIM signing send E-mail to external recipient -03

In the next step, we will use the Microsoft E-mail header analyzer using a web-based tool
named – Microsoft Remote Connectivity Analyzer

  • Paste the content of the E-mail header in the “white box”
  • Select – Analyze headers

Verifying the process of Outbound DKIM signing send E-mail to external recipient -04

In the following screenshot, we can see the information about the “DKIM signature.”
The information includes the Public Key that the DKIM selector use.

The important information in our case is, the name of the DKIM selector that “stamp” the E-mail using a DKIM signature.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -05

Authentication-Results

In the section named – “Authentication-Results”, we can see that the DKIM test was successful

The information appears as – “dkim=pass header.i=@o365pilot.com”.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -06

DKIM-Signature

In the section named – “DKIM-Signature,” we can see the information about the “DKIM Selector” host name.

In our example, the DKIM selector host name is – d=o365pilot.com; s=selector1;

  • The letter “d” represent the Domain name (o365pilot.com in our example).
  • The letter “s” represent the selector host name (selector1 in our example).

Verifying the process of Outbound DKIM signing send E-mail to external recipient -07

Verifying the process of Outbound DKIM signing – Analyzing E-mail header | Using web-based tools

In the next step, we perform the “Outbound DKIM signing test” using a free web-based tool
named – DKIM, SPF, SpamAssassin Email Validator

The verification process is implemented by sending E-mail to a “unique E-mail address” that provided by the web-based tool.

The E-mail message that we send will be accepted by the “destination mail server”, and after the E-mail is accepted, the web-based tool will provide a report that relates to the result of the DKIM signature test.

  • Copy the E-mail address that appears on the web page.

Validate your DKIM outbound signing process -001

In this step, we send E-mail to the specific E-mail address from one of our organization users.

In our example, we want to verify the E-mail message that sent from a recipient who uses the domain name suffix – o365pilot.com include a “proper” DKIM signature.

Validate your DKIM outbound signing process -002

After the E-mail message was sent, we will access the Web-based tool again and select the button – View Results

Validate your DKIM outbound signing process -003

In the following screenshot, we can see the content of the E-mail message that was accepted by the “destination recipient.”

Validate your DKIM outbound signing process -004

The information about that the “DKIM signature” inform us that the DKIM test “pass”, and the important thing is that the DKIM selector host name who signed the E-mail message is – selector1.o365pilot.com.

Validate your DKIM outbound signing process -005

Now it’s Your Turn!
It is important for us to know your opinion on this article

Restore Exchange Online mailbox | Article series index

Print Friendly, PDF & Email

Related Post

Please rate this

Eyal Doron on EmailEyal Doron on FacebookEyal Doron on GoogleEyal Doron on LinkedinEyal Doron on PinterestEyal Doron on RssEyal Doron on TwitterEyal Doron on WordpressEyal Doron on Youtube
Eyal Doron
Share your knowledge.
It’s a way to achieve immortality.
Dalai Lama

Leave a Reply

Your email address will not be published. Required fields are marked *