
Enabling Outbound DKIM signing + Verifying the process of Outbound DKIM signing in the Office 365 environment | Part 10#10

In the current article, we complete the process of “Enabling Outbound DKIM signing” in an Office 365 based environment. In addition, we review how to verify that the outgoing DKIM signature is implemented properly.

Activating (enabling) the Outbound DKIM signing for our domain name

In this phase, we assume that the required DNS CNAME records, which redirect “DKIM queries” to the “dedicated Office 365 DKIM selector host name” that represents our public domain name, were already created.

Note – we reviewed the process of creating the required DKIM CNAME records in the previous article.

To activate (enable) the option of Outbound DKIM signing for a specific domain name, use the following steps:

In our example, we want to enable Outbound DKIM signing for the domain – o365pilot.com.

In the following screenshot, we can see that by default, Outbound DKIM signing for the public domain name is disabled. In other words, the “Enable” option is the one that is active.

Activating the option of Outbound DKIM signing in Office 365 -01

To enable Outbound DKIM signing for the domain – o365pilot.com, all we need to do is select the required domain name and click the Enable menu.

Activating the option of Outbound DKIM signing in Office 365 -02

In the following screenshot, we can see that Outbound DKIM signing is Enabled.

Activating the option of Outbound DKIM signing in Office 365 -03

An additional option for enabling Outbound DKIM signing for a domain is via the Office 365 Security & Compliance portal.

Activating the option of Outbound DKIM signing in Office 365 -04

Verifying the process of Outbound DKIM signing + incoming DKIM verification test

After we have enabled the option of Outbound DKIM signing, the next task is to verify that the configuration is implemented properly.

Our expectation is that E-mail sent by our organization recipients, whose E-mail address includes the domain name suffix for which we enabled Outbound DKIM signing, will be signed by a DKIM selector whose host name includes our domain name.

For example, each E-mail that is sent from the domain o365pilot.com will contain information about a DKIM selector whose host name includes the domain name o365pilot.com.

Scenario A – testing the Outbound DKIM signing for an o365pilot.com recipient -01

Just a quick reminder: in an Office 365 based environment, each “outgoing E-mail” will automatically include a DKIM signature, using the “default Office 365 DKIM selector” that uses the domain name – “onMicrosoft”.

The purpose of enabling Outbound DKIM signing is – to change this default, so the DKIM selector name will include our domain name suffix.

After we enable the option of – Outbound DKIM signing, the “DKIM signature” will not include the default Office 365 DKIM selector host name (onMicrosoft) and instead, in our example, will include the host name selector1._domainkey.o365pilot.com or, the host name – selector2._domainkey.o365pilot.com.

If we want to be more accurate, although the “formal” host name of the DKIM selector that represents our domain name is “selector1._domainkey.o365pilot.com”, the “destination mail server” will refer to a shortened version of the host name.

When we look at the information that appears in the E-mail message header that was sent to an external recipient, the DKIM selector host name will appear as “Selector1.o365pilot.com”.

If you need to read more information about the process in which we get the information about the “dedicated host name” which Office 365 “generates” for our public domain, you can read the following article – Get the value of the DKIM record for a Domain, using PowerShell | Office 365 | Part 7#10

In the next sections, we review the process in which we verify that the Office 365 DKIM infrastructure is functioning properly.

In the next section, we will run two “DKIM outgoing flow” tests.

The verification process of the Outbound DKIM signing will be implemented by:

  • Test 1 – Analyzing the E-mail message header that was sent to the “destination recipient”, using the Microsoft Remote Connectivity Analyzer.
  • Test 2 – Analyzing the E-mail message header that was sent to the “destination recipient”, using a free web-based tool.

Verifying the process of Outbound DKIM signing – Analyzing E-mail header | Using Microsoft Remote Connectivity Analyzer

In this section, we want to verify that the Office 365 DKIM infrastructure is “working properly,” and that E-mail messages that are sent by our organization recipients are:

  • Digitally signed by using a DKIM signature
  • Signed by a DKIM selector that uses the host name o365pilot.com

Scenario description

Our organization mail infrastructure (Exchange Online) was configured to implement Outbound DKIM signing for the public domain name – o365pilot.com.

In our scenario, an organization recipient who uses the E-mail address – craig@o365pilot.com, sent E-mail to external recipients.

Analyzing the information stored in the E-mail header | Destination recipient

In the following screenshot, we can see the E-mail message that was sent to a “G-Mail recipient.”

Verifying the process of Outbound DKIM signing send E-mail to external recipient -01

  • To view the E-mail header, we select the E-mail message.
  • Click on the small arrow that appears on the right side.
  • Select the menu – Show original.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -02

In the following screenshot, we can see that the DKIM signature was “approved” by the mail server that accepts the E-mail.

The information about the DKIM signature appears as – “PASS with domain o365pilot.com”.

To get more detailed information, we will copy the content of the E-mail header and analyze the information by using a mail header analyzer.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -03

In the next step, we will use the Microsoft Message Header Analyzer.

  • Paste the content of the E-mail header in the “white box”
  • Select – Analyze headers

Verifying the process of Outbound DKIM signing send E-mail to external recipient -04

In the following screenshot, we can see the information about the “DKIM signature.” The information includes the Public Key that the DKIM selector uses.

The important information in our case is the name of the DKIM selector that “stamps” the E-mail using a DKIM signature.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -05

Authentication-Results

In the section named – “Authentication-Results”, we can see that the DKIM test was successful.

The information appears as – “dkim=pass header.i=@o365pilot.com”.

Verifying the process of Outbound DKIM signing send E-mail to external recipient -06

DKIM-Signature

In the section named – “DKIM-Signature,” we can see the information about the “DKIM Selector” host name.

In our example, the DKIM selector host name is – d=o365pilot.com; s=selector1;

  • The letter “d” represents the Domain name (o365pilot.com in our example).
  • The letter “s” represents the selector host name (selector1 in our example).

Verifying the process of Outbound DKIM signing send E-mail to external recipient -07
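
The header check walked through above (the “Authentication-Results” verdict plus the d= and s= tags of “DKIM-Signature”, and the selector host name they map to) can also be scripted. The following is an added example, not code from the original article or from Microsoft: the sample headers are constructed, the function names are hypothetical, and it assumes that the default Office 365 signature uses a d= value ending in .onmicrosoft.com.

```python
import email
import re
from email import policy

# Constructed sample headers (not copied from the article's screenshots);
# bh= and b= are placeholders, so no cryptographic verification is attempted.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@o365pilot.com header.s=selector1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=o365pilot.com; s=selector1; h=From:Date:Subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: craig@o365pilot.com
Subject: DKIM test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_outbound_dkim(raw, expected_domain):
    """Report which domain/selector signed the message and the receiver's verdict."""
    expected = expected_domain.lower()
    msg = email.message_from_string(raw, policy=policy.default)
    signatures = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        signatures.append({
            "d": d, "s": s,
            "dns_name": f"{s}._domainkey.{d}",  # where the public key is published
            "custom_domain": d == expected,
            "default_o365": d.endswith(".onmicrosoft.com"),  # assumed default form
        })
    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    m = re.search(r"dkim=(\w+)[^;]*?header\.i=@([\w.-]+)", results)
    verdict = {"result": m.group(1), "domain": m.group(2).lower()} if m else None
    ok = (verdict == {"result": "pass", "domain": expected}
          and any(sig["custom_domain"] for sig in signatures))
    return {"signatures": signatures, "verdict": verdict, "ok": ok}

if __name__ == "__main__":
    print(check_outbound_dkim(SAMPLE, "o365pilot.com"))
```

A message that still carries only the default signature returns ok = False with default_o365 = True, which is the case Outbound DKIM signing is meant to replace.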

Verifying the process of Outbound DKIM signing – Analyzing E-mail header | Using web-based tools

In the next step, we perform the “Outbound DKIM signing test” using a free web-based tool named – DKIM, SPF, SpamAssassin Email Validator.

The verification process is implemented by sending E-mail to a “unique E-mail address” that is provided by the web-based tool.

The E-mail message that we send will be accepted by the “destination mail server”, and after the E-mail is accepted, the web-based tool will provide a report that relates to the result of the DKIM signature test.

  • Copy the E-mail address that appears on the web page.

Validate your DKIM outbound signing process -001

In this step, we send E-mail to the specific E-mail address from one of our organization users.

In our example, we want to verify that an E-mail message sent from a recipient who uses the domain name suffix – o365pilot.com includes a “proper” DKIM signature.

Validate your DKIM outbound signing process -002

After the E-mail message was sent, we will access the web-based tool again and select the button – View Results.

Validate your DKIM outbound signing process -003

In the following screenshot, we can see the content of the E-mail message that was accepted by the “destination recipient.”

Validate your DKIM outbound signing process -004

The information about the “DKIM signature” informs us that the DKIM test “passed”, and the important thing is that the DKIM selector host name that signed the E-mail message is – selector1.o365pilot.com.

Validate your DKIM outbound signing process -005

The previous article in the current article series

Verifying that the DKIM CNAME records configured properly | Office 365 | Part 9#10

The o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
