Shaun Ewing
Shaun Ewing

This is shaun.net — the personal site of Shaun Ewing. I write about technology, travel, and whatever I find interesting.

Shaun Ewing
Author

Share


Shaun Ewing

DKIM signing in Office 365

Shaun EwingShaun Ewing

This week I came across a post from Terry Zink (http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx) on how to activate DKIM signing for outbound email messages in Office 365.

I've been waiting for this feature for quite some time and was keen to get it going for both my personal email (on shaun.net) and my business email (on ewing.net.au).

To get started the first thing I needed to do was create two CNAMEs in the DNS zone for shaun.net. This provides two DKIM key selectors - which allows for automatic key rotations.

The records that I needed to create were:

selector1._domainkey.shaun.net. CNAME selector1-shaun-net._domainkey.ewn.onmicrosoft.com
selector2._domainkey.shaun.net. CNAME selector2-shaun-net._domainkey.ewn.onmicrosoft.com
The "shaun-net" is the domain GUID and can be retrieved from the MX record for your domain. Mine for example looks like:
shaun-net.mail.protection.outlook.com
I use AWS Route53 to host my DNS, so adding the records was as follows: The second step was to enable DKIM signing on my domain. This isn't yet available in the Office365 console but can be done using Powershell with Exchange Online. The command I executed was:
New-DkimSigningConfig –DomainName shaun.net –Enabled $true
The output was as follows:
Domain    Enabled
------    -------
shaun.net True

Once this was done I went to the Exchange Admin Center under Protection → DKIM. Here you can see that it has been enabled successfully.

With this in place I sent a message to my Gmail account and checked the headers for successful DKIM validation. Here it is!

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of shaun@shaun.net designates 104.47.125.134 as permitted sender) smtp.mailfrom=shaun@shaun.net;
       dkim=pass header.i=@shaun.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shaun.net;
 s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=ukfgopG/NCPVHnV39aUVwCgP/uGi8cmejAx0fLDSQsQ=;
 b=xqB/OODGfsE13tQN6xjrxrXHHjP6nTTqXWxnA2EZVFitABHh6MZ+zllm9YCkPi4bA5HS92nV8qmURi3YwEYnlRVXG4N6r7PPmPAZ1JZPMf985pmbp0uKjQcQqR0p/5hj2Essz9pgU9vGZlLx4jpU0ixn+KIfo2ISJEx9x6TABuE=

DKIM Outbound is still showing as rolling out on the Office 365 Roadmap so if this doesn't work for you, your account may not have been activated to use this feature yet. Nonetheless it's a very welcome feature and I'm pleased to see it was relatively easy to setup.

Shaun Ewing
Author

Shaun Ewing

Comments