Verifying that the DKIM CNAME records configured properly | Office 365 | Part 9#10

In the current article, we review the process of verifying the DNS CNAME DKIM records that represent a domain hosted at Office 365.
The process of verifying the Office 365 DKIM CNAME records includes three parts:

  1. Verify that the two CNAME records were successfully published.
  2. Verify that the CNAME “redirect” process is successfully implemented.
  3. Verify that we manage to access the Office 365 DKIM selector TXT record, that includes the Public Key of the Office 365 selectors.

A little about the concept of DKIM records in Office 365 environment

A quick reminder about the concept of DKIM host records in Office 365:

When we implement outbound DKIM signing in an Office 365 environment, outbound E-mail that is sent to external recipients will include a DKIM signature plus the “logical host name” of the DKIM selector that signed the E-mail.

In our example, the logical host name that represents the domain o365pilot.com is – selector1._domainkey.o365pilot.com.

We use the term “logical host name” because the DKIM selector host name which appears on the E-mail message doesn’t exist as a TXT record of its own!

When the “destination mail server” receives the E-mail message, it queries a public DNS server, looking for information about the DKIM selector host name that appears in the mail header (the “logical host name”).

The external mail server asks the DNS server whether it has a TXT record that uses the specific host name.

The DNS server holds a CNAME record, which serves as a “logical router” that “routes” the DNS client request to “another host”.

redirect DNS queries to the Office 365 selector Host name

The DNS server “answer” is a redirection to “another host.” In our example, the redirection message includes the host name –
selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

The “other host name” is the real host name of the Office 365 DKIM selector.

DKIM and DNS infrastructure – Office 365 scenario -01

The “mail server” queries the DNS server again, and asks whether it has a TXT record that uses the specific host name.

In this step, the DNS server sends to the “DNS client” (the mail server) the content of the TXT record, which includes the Public Key of the Office 365 selector that signed the E-mail message.

DKIM and DNS infrastructure – Office 365 scenario -02

Scenario and task description

The scenario

The domain name for which we have already activated the “outbound DKIM signing” is – o365pilot.com.

The prerequisite for enabling outbound DKIM signing in Office 365 is the creation of two CNAME records on the DNS server that hosts the specified domain.

Note – we reviewed the process of creating the two required CNAME records in the former article.

In our scenario, the two “DKIM CNAME” records will include the following host names:

CNAME record 1#2

  • Host = selector1._domainkey
  • Points to => selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

CNAME record 2#2

  • Host = selector2._domainkey
  • Points to => selector2-o365pilot-com._domainkey.o365info2.onmicrosoft.com

Note – if you need more information about the specific host names that we use in our scenario, and about the PowerShell command that we use for getting the required host names for a specific domain, you can read the following article.

The Task

Our task is to verify that when the external mail server gets an E-mail sent from one of our organization recipients, it will manage to complete the DKIM verification process.

  • We need to verify that the “external mail server” can query a public DNS server that contains information about our domain name (o365pilot.com in our scenario). The external mail server will send a DNS query, looking for information about the “logical name” of the DKIM selector that appears in the outbound E-mail.
  • Verify that the external mail server DNS query will successfully be redirected to the “real” host name of the Office 365 DKIM selector.
  • Verify that the external mail server successfully gets the value of the Public Key that is stored within the TXT record.

Verifying the information from the DKIM CNAME records in an Office 365 environment

Step 1#2 | How to verify that the two DKIM CNAME records were successfully published + the CNAME “redirect” process is successfully implemented?

In our scenario, the “logical” host name – selector1._domainkey.o365pilot.com – should redirect DNS queries to the Office 365 DKIM selector “real” host name – selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.

To verify this “Flow” we will simulate a DNS query.

Technically speaking, there are many methods and free web-based tools, that enable us to verify information about DNS records such as a CNAME record.

In our example, I will use the MXTOOLBOX site, for verifying information about the DKIM CNAME record that we publish.

To perform a CNAME lookup, we will use the following link – MXTOOLBOX CNAME record lookup

To verify that our CNAME record was successfully published and, in addition, performs the required “redirection,” we will need to provide the “first part” of the CNAME record.

In our specific scenario, the host name is – selector1._domainkey.o365pilot.com.

How to verify that the two DKIM CNAME records were successfully published -01

In the following screenshot, we can see that the test completed successfully.

In the results pane, we can see that the “CNAME redirection” process was successfully completed.

The query for the specific host name that we provided in the former step was “redirected” to the host name – selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com.

How to verify that the two DKIM CNAME records were successfully published -02

Step 2#2 | How to verify the “content” of the Office 365 DKIM text record that represents our public domain name.

In this step, we want to verify that the Office 365 DKIM TXT record that represents our public domain name includes the required information – the DKIM Public Key value.

To be able to perform this test, we need to know the host name of the “real” Office 365 DKIM selector.

In this scenario, we query the public DNS about the content of a “TXT DNS record.”

To perform a query about a TXT record, use the following link – MXTOOLBOX TXT record lookup

In our scenario, we look at a TXT record that uses the following host name:

selector1-o365pilot-com._domainkey.o365info2.onmicrosoft.com

How to verify the “content” of the Office 365 DKIM TXT record that represents our public domain name -01

In the following screenshot, we can see the results.

The results include the information that is “stored” in the TXT record.
In our case, the Office 365 TXT record stores the Public Key of the Office 365 DKIM selector that represents our domain name.

How to verify the “content” of the Office 365 DKIM TXT record that represents our public domain name -02

Additional methods for verifying DKIM DNS records

In this section, I would like to review more “sophisticated” test options that are offered by the MXTOOLBOX site.

In contrast to the “tests” that we reviewed in the former section, MXTOOLBOX includes a “dedicated tool” that we can use for testing a DNS record that was created for publishing DKIM infrastructure.

When using the DKIM records lookup, we will need to provide:

  1. The domain name that uses DKIM services, in our example – o365pilot.com
  2. The host name of our DKIM selector, in our example – selector1

Notice that the DKIM record lookup tool is “smart enough” to complete all the rest of the information by itself.

For example, the DKIM record lookup tool “knows” that the FQDN of the DKIM host record includes additional “parts” such as the “reserved name” – “._domainkey” – and the domain name suffix that needs to be added to the host name.

Verifying DKIM record syntax and content -01

In the following screenshot, we can see the result.

We can see that the DKIM record lookup tool manages to “locate” the DNS record of the DKIM selector that “represents” the o365pilot.com domain.

In addition, the “CNAME redirection” process was successfully completed, and in the “result page” we can see the content of the Office 365 TXT record, which includes the value of the public DKIM key.

Verifying DKIM record syntax and content -02
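
The three checks performed above through MXTOOLBOX can also be scripted; the following is an added example, not code from the original article or from Microsoft. SAMPLE_ZONE is a constructed stand-in for public DNS with a dummy key, check_selector and parse_tags are hypothetical names, and the expected CNAME target pattern is inferred from the article's two records.

```python
import base64

TENANT = "o365info2.onmicrosoft.com"  # initial domain taken from the article's records
# Constructed stand-in for public DNS: name -> (type, value). The p= value is
# dummy base64, not a real Office 365 public key; selector2 has no TXT on purpose.
SAMPLE_ZONE = {
    "selector1._domainkey.o365pilot.com":
        ("CNAME", "selector1-o365pilot-com._domainkey." + TENANT),
    "selector2._domainkey.o365pilot.com":
        ("CNAME", "selector2-o365pilot-com._domainkey." + TENANT),
    "selector1-o365pilot-com._domainkey." + TENANT:
        ("TXT", "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode()),
}

def parse_tags(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list)."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check_selector(zone, selector, domain, tenant=TENANT):
    """Return a list of problems; an empty list means all three checks passed."""
    logical = f"{selector}._domainkey.{domain}"
    rtype, value = zone.get(logical, (None, ""))
    if rtype != "CNAME":                          # check 1: CNAME is published
        return [f"no CNAME published at {logical}"]
    target = value.rstrip(".").lower()
    # Assumption: target naming follows the pattern of the article's two records.
    expected = f"{selector}-{domain.replace('.', '-')}._domainkey.{tenant}"
    problems = []
    if target != expected:                        # check 2: redirect target
        problems.append(f"CNAME points to {target}, expected {expected}")
    rtype, txt = zone.get(target, (None, ""))
    if rtype != "TXT":                            # check 3: TXT record reachable
        return problems + [f"no TXT record at {target}"]
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":         # v= is optional, defaults to DKIM1
        problems.append("v= tag is not DKIM1")
    if not tags.get("p"):
        problems.append("p= tag missing or empty (empty means key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= value is not valid base64")
    return problems

if __name__ == "__main__":
    for sel in ("selector1", "selector2"):
        print(sel, check_selector(SAMPLE_ZONE, sel, "o365pilot.com") or "OK")
```

To run the same checks against live DNS, replace the dictionary lookups with real resolver queries for the CNAME and TXT records; the validation logic stays the same.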

Additional reading

Attached link to additional web-based tools that you can use for validating the DKIM DNS records that represent your domain name:

Author: Eyal Doron
Publisher: o365info.com
One Response to “Verifying that the DKIM CNAME records configured properly | Office 365 | Part 9#10”

  1. GTFO, lost my day

    I’ve never been that lost setting up DKIM. Relevant data are spread across several posts filled with useless data and graphs. Fonts are too large, graphs too, pages are over-filled with irrelevant stuff, … can’t you just get to the point?
