DKIM and DMARC are used to prevent spoofing of your domain name by spammers. Configuring them in Office 365 is quite easy, but it must be done manually if you use a custom domain (i.e. not the standard .onmicrosoft.com one). I assume that the standard DNS configuration, including the SPF record, is already in place, as those records are set automatically or at least validated during the setup of a new domain.
To configure DKIM and DMARC, you just need to add a few DNS records and enable DKIM signing in Exchange Online:
Step 1: Enable DKIM
Go to the Exchange Admin Center and open dkim, which you can find under protection. Select your domain and press “enable”:
You’ll see a message that the CNAME records do not exist. It also shows you which records you have to add. In my case, I configure it for the domain reiter.bz and therefore the CNAME records are:
Type | Host | Value | TTL |
---|---|---|---|
CNAME | selector1._domainkey | selector1-reiter-bz._domainkey.reiterits.onmicrosoft.com | 3600 |
CNAME | selector2._domainkey | selector2-reiter-bz._domainkey.reiterits.onmicrosoft.com | 3600 |
Wait a while (until the DNS records have propagated) and press enable again. Once it is enabled, you can also click “rotate”, which starts rotation of the DKIM signing keys.
Step 2: Configure DMARC
To enable DMARC (Domain-based Message Authentication, Reporting and Conformance), just add another DNS entry:
Type | Name | Value | TTL |
---|---|---|---|
TXT | _dmarc | v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected] | 3600 |
This entry tells receiving servers what to do with mail that fails the SPF and DKIM checks. It consists of a few parameters:
- v is the version tag; its value is DMARC1
- p is the policy to apply to mail that fails the DMARC test. Values are: none (no action, just collect the data), quarantine (it is up to the receiver whether it moves such mail to spam, quarantines it or ignores it), reject (do not accept this mail)
- pct is the percentage of mails to which the DMARC policy is applied
- rua is the reporting URI to send aggregate feedback (XML files) to.
- ruf is the reporting URI to send forensic (failure) reports to.
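As an added example (not from the post or from Microsoft), the following Python builds the two Exchange Online DKIM CNAMEs from the naming pattern shown in the table above and sanity-checks a DMARC TXT value before you publish it. It assumes the onmicrosoft.com tenant prefix is passed in as `tenant`; the checks follow the tag semantics described above and the pct rule from RFC 7489.

```python
# Offline helpers for the DKIM CNAMEs and the DMARC TXT record (example code).

def o365_dkim_cnames(domain: str, tenant: str) -> dict:
    """Expected DKIM CNAMEs for a custom domain in Exchange Online, following the
    pattern in the post: selectorN-<domain, dots as dashes>._domainkey.<tenant>.onmicrosoft.com
    'tenant' is the part before .onmicrosoft.com (assumption: passed in by the caller)."""
    label = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{tenant}.onmicrosoft.com" for n in (1, 2)}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT value ('tag=value; tag=value') into an ordered dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    """Return a list of problems found in the record (empty list means it looks sane)."""
    tags = parse_dmarc(txt)
    problems = []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("first tag must be v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer between 0 and 100")
    for tag in ("rua", "ruf"):  # report addresses are comma-separated mailto: URIs
        for uri in (tags[tag].split(",") if tag in tags else []):
            if not uri.strip().startswith("mailto:"):
                problems.append(f"{tag} entry {uri.strip()!r} is not a mailto: URI")
    return problems


NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def effective_policies(txt: str) -> dict:
    """pct applies p to that share of failing mail; per RFC 7489 the remainder
    gets the next weaker policy (reject -> quarantine, quarantine -> none)."""
    tags = parse_dmarc(txt)
    return {"p": tags["p"], "pct": int(tags.get("pct", "100")), "remainder": NEXT_WEAKER[tags["p"]]}
```

Run `check_dmarc()` on the exact string you intend to paste into DNS; a non-empty result means receivers will either ignore the record or apply it differently than you expect.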
Step 3: Verify
To verify that all your settings are correct, you can use:
DKIM Check: https://mxtoolbox.com/dkim.aspx (selector is “selector1” or “selector2”)
DMARC Check: https://mxtoolbox.com/DMARC.aspx
and additionally, send an email e.g. to Gmail, live.com or whatever you want and check the headers of the received message. They should contain something like:
dkim=pass header.d=reiter.bz; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reiter.bz;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=…
Additional information
- Use DMARC to validate email in Office 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email
- Use DKIM to validate outbound email: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email