In the current article, we review the process of verifying the DKIM CNAME DNS records that represent a domain hosted at Office 365.
The process of verifying the Office 365 DKIM CNAME records includes three parts:
- Verify that the two CNAME records were successfully published.
- Verify that the CNAME “redirect” process is successfully implemented.
- Verify that we manage to access the Office 365 DKIM selector TXT record, which includes the Public Key of the Office 365 selectors.
A little about the concept of DKIM records in Office 365 environment
A quick reminder about the concept of DKIM host records in Office 365:
When we implement outbound DKIM signing in an Office 365 environment, outbound E-mail that is sent to external recipients will include a DKIM signature + the “logical host name” of the DKIM selector that signed the E-mail.
In our example, the logical host name that represents the domain o365pilot.com is – selector1._domainkey.o365pilot.com.
We use the term “logical host name” because no TXT record is published under the DKIM selector host name that appears in the E-mail message; the name exists only as a CNAME “pointer.”
When the “destination mail server” receives the E-mail message, it addresses a public DNS server, looking for information about the DKIM selector host name that appeared in the mail header (the “logical host name”).
The external mail server asks the DNS server if it has a TXT record that uses the specific host name.
The DNS server includes a CNAME record that serves as a “logical router” that “routes” the DNS client request to “another host”.
The DNS server “answer” is a redirection to “another host.” In our example, the redirection message includes the host name –
The “other host name” is the real host name of the Office 365 DKIM selector.
The “mail server” addresses the DNS server again, and asks the DNS server if it has a TXT record that uses the specific host name.
In this step, the DNS server sends to the “DNS client” (the mail server) the content of the TXT record, which includes the Public Key of the Office 365 selector that signed the E-mail message.
Scenario and task description
The domain name for which we have already activated the “outbound DKIM signing” is – o365pilot.com.
The prerequisite for enabling outbound DKIM signing in Office 365 is the creation of two CNAME records on the DNS server that hosts the specified domain.
Note – we reviewed the process of creating the required two CNAME records in the former article.
In our scenario, the two “DKIM CNAME” records will include the following host names:
CNAME record 1#2
- Host = selector1._domainkey
- Points to => selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com
CNAME record 2#2
- Host = selector2._domainkey
- Points to => selector2-o365pilot-com._domainkey.o365info2.onmicrosoft.com
Note – if you need more information about the specific host names that we use in our scenario, and about the PowerShell command that we use for getting the required host names for a specific domain, you can read the following article.
Our task is to verify that when an external mail server gets an E-mail sent from a recipient in our organization, it will manage to complete the DKIM verification process.
- We need to verify that the “external mail server” can address a public DNS server that contains information about our domain name (o365pilot.com in our scenario). The external mail server will send a DNS query, looking for information about the “logical name” of the DKIM selector that appears in the outbound E-mail.
- Verify that the external mail server DNS query will successfully be redirected to the “real” host name of the Office 365 DKIM selector.
- Verify that the external mail server successfully gets the value of the Public Key that is stored within the TXT record.
Verifying the information from the DKIM CNAME records in an Office 365 environment
Step 1#2 | How to verify that the two DKIM CNAME records were successfully published + the CNAME “redirect” process is successfully implemented?
In our scenario, the “logical” host name – selector1._domainkey.o365pilot.com – should redirect DNS queries to the “real” host name of the Office 365 DKIM selector – selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.
To verify this “Flow” we will simulate a DNS query.
Technically speaking, there are many methods and free web-based tools, that enable us to verify information about DNS records such as a CNAME record.
In our example, I will use the MXTOOLBOX site for verifying information about the DKIM CNAME record that we published.
To perform a CNAME lookup, we will use the following link – MXTOOLBOX CNAME record lookup
To verify that our CNAME record was successfully published and, in addition, performs the required “redirection,” we will need to provide the “first part” of the CNAME record.
In our specific scenario, the host name is – selector1._domainkey.o365pilot.com.
In the following screenshot, we can see that the test completed successfully.
In the results pane, we can see that the “CNAME redirection” process was successfully completed.
The query for the specific host name that we provided in the former step was “redirected” to the host name – selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.
Step 2#2 | How to verify the “content” of the Office 365 DKIM text record that represents our public domain name.
In this step, we want to verify that the Office 365 DKIM TXT record that represents our public domain name includes the required information – the DKIM Public Key value.
To be able to perform this test, we need to know the host name of the “real” Office 365 DKIM selector.
In this scenario, we query the public DNS about the content of a “TXT DNS record.”
To perform a query about a TXT record, use the following link – MXTOOLBOX TXT record lookup
In our scenario, we look at a TXT record that uses the following host name:
In the following screenshot, we can see the results.
The results include the information that is “stored” in the TXT record.
In our case, the Office 365 TXT record stores the Public Key of the Office 365 DKIM selector that represents our domain name.
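The two steps above (and the CNAME-then-TXT flow described at the start of the article) can also be checked in code. The following is an added example, not part of the original article: `sample_lookup` and `SAMPLE_ZONE` are a constructed in-memory stand-in for a public DNS server, and the `p=` value is a made-up placeholder, not the real Office 365 key.

```python
import base64

# Constructed sample zone data (not live DNS). Host names mirror the article's
# scenario; the public key value is a made-up placeholder.
SAMPLE_ZONE = {
    ("selector1._domainkey.o365pilot.com", "CNAME"):
        ["selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com"],
    ("selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com", "TXT"):
        ["v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed-sample-key").decode()],
}

def sample_lookup(name, rtype):
    """Hypothetical resolver: returns the record values for (name, type) or []."""
    return SAMPLE_ZONE.get((name.rstrip(".").lower(), rtype), [])

def parse_dkim_tags(txt):
    """Split a DKIM TXT value ('v=DKIM1; k=rsa; p=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def verify_selector(selector, domain, lookup, max_hops=5):
    """Follow the CNAME from the logical selector name, then check the TXT key."""
    name = f"{selector}._domainkey.{domain}"
    chain = [name]
    for _ in range(max_hops):  # bounded, so a CNAME loop cannot hang the check
        target = lookup(name, "CNAME")
        if not target:
            break
        name = target[0].rstrip(".").lower()
        chain.append(name)
    result = {"chain": chain, "cname_published": len(chain) > 1, "key_ok": False}
    for txt in lookup(name, "TXT"):
        tags = parse_dkim_tags(txt)
        if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
            continue  # wrong version, or empty p= (a revoked key)
        try:
            base64.b64decode(tags["p"], validate=True)
            result["key_ok"] = True
        except ValueError:
            pass  # p= is not valid base64
    return result
```

Calling `verify_selector("selector1", "o365pilot.com", sample_lookup)` returns the CNAME chain and whether a usable public key was found; to test a live domain, pass a `lookup` function backed by a real DNS resolver instead of the sample table.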
Additional methods for verifying DKIM DNS records
In this section, I would like to review more “sophisticated” test options, that are offered by the MXTOOLBOX site.
In contrast to the “tests” that we reviewed in the former section, MXTOOLBOX includes a “dedicated tool” that we can use for testing a DNS record that was created for publishing DKIM infrastructure.
When using the DKIM record lookup, we will need to provide:
- The domain name that uses DKIM services, in our example – o365pilot.com
- The host name of our DKIM selector, in our example – selector1
Notice that the DKIM record lookup tool is “smart enough” to complete all the rest of the information by itself.
For example, the DKIM record lookup tool “knows” that the FQDN of the DKIM host record includes additional “parts” such as the “reserved name” – “._domainkey” – and the domain name suffix that needs to be added to the host name.
In the following screenshot, we can see the result.
We can see that the DKIM record lookup tool manages to “locate” the DNS record of the DKIM selector that “represents” the o365pilot.com domain.
In addition, the “CNAME redirection” process was successfully completed, and in the “result page,” we can see the content of the Office 365 TXT record that includes the value of the public DKIM key.
Attached link to additional web-based tools that you can use for validating the DKIM DNS records that represent your domain name: