Office365 DKIM and DMARC configuration

DKIM and DMARC are used to prevent spoofing of your domain name by spammers. Configuring them in Office365 is quite easy, but it must be done manually if you use a custom domain (i.e. not the default .onmicrosoft.com domain). I assume that the standard DNS configuration, including the SPF record, is already in place, since those records are set automatically or at least validated during the setup of a new domain.
To configure DKIM and DMARC, you just need to add a few DNS records and enable DKIM in Exchange Online:

Step 1: Enable DKIM

Go to the Exchange Admin Center and open “dkim”, which you can find under “protection”. Select your domain and press “enable”:

You’ll see a message telling you that the CNAME records do not exist yet; it also shows you which records you have to add. In my case, I configure it for the domain reiter.bz and therefore the CNAME records are:

Type   Host                  Value                                                      TTL
CNAME  selector1._domainkey  selector1-reiter-bz._domainkey.reiterits.onmicrosoft.com  3600
CNAME  selector2._domainkey  selector2-reiter-bz._domainkey.reiterits.onmicrosoft.com  3600

Wait until the records have propagated and press “enable” again. Once DKIM is enabled, you can also click “rotate”, which rotates the DKIM signing keys.

Step 2: Configure DMARC

To enable DMARC (Domain-based Message Authentication, Reporting and Conformance), just add another DNS entry:

Type  Name    Value                                                                                                     TTL
TXT   _dmarc  v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]  3600

This entry tells receiving servers what to do with emails that fail the SPF and DKIM checks. It consists of a few parameters:

  • v is the version tag; its value is DMARC1.
  • p is the policy to apply to emails that fail the DMARC test. Values are: none (no action, just collect the data), quarantine (it is up to the receiver whether it moves such mails to spam, quarantines them or ignores the result), reject (do not accept the mail).
  • pct is the percentage of mails that the DMARC policy covers.
  • rua is the reporting URI to send aggregate feedback (an XML file) to.
  • ruf is the reporting URI to send forensic reports to.
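As an added example (not code from the original post or from Microsoft), the following Python script covers both steps above: it derives the two DKIM CNAME records from a custom domain and tenant name using the dots-to-dashes pattern shown for reiter.bz, validates the tags of a DMARC TXT record, and computes the disposition a receiving server would apply under a given p and pct. The tenant name is taken from the post; the sample DMARC record, its report addresses and the pct sampling draw are constructed.

```python
"""Derive the Office 365 DKIM CNAME records for a custom domain and evaluate a
DMARC TXT record the way a receiving server would.
Added example; not code from the original post or from Microsoft."""

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample record in the shape of the one in the post; the
# report addresses are placeholders, not real mailboxes.
SAMPLE_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com")


def expected_dkim_cnames(domain: str, tenant: str) -> dict:
    """Return {host: target} for selector1/selector2, hosts relative to the zone.

    Assumes the pattern shown for reiter.bz: the target is built from the custom
    domain with dots replaced by dashes, under the tenant's .onmicrosoft.com domain.
    """
    dashed = domain.lower().replace(".", "-")
    return {
        f"selector{n}._domainkey": f"selector{n}-{dashed}._domainkey.{tenant}"
        for n in (1, 2)
    }


def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    # RFC 7489 requires the version tag to come first.
    if record.split(";")[0].strip() != "v=DMARC1":
        problems.append("record must begin with v=DMARC1")
    tags = parse_tags(record)
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be one of none, quarantine, reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag} must contain mailto: URIs, got {uri!r}")
    return problems


def dmarc_disposition(record: str, dkim_aligned_pass: bool, spf_aligned_pass: bool,
                      sample: int = 100) -> str:
    """Disposition a receiver applies to one message under a (valid) record.

    DMARC passes when either SPF or DKIM passes with an aligned domain.
    `sample` is the 1..100 draw the receiver uses for pct sampling; messages
    outside the sampled share get the next weaker policy (RFC 7489, 6.6.4).
    """
    if dkim_aligned_pass or spf_aligned_pass:
        return "pass"
    tags = parse_tags(record)
    policy = tags.get("p", "none")
    if sample > int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    for host, target in expected_dkim_cnames("reiter.bz", "reiterits.onmicrosoft.com").items():
        print(f"CNAME {host} -> {target}")
    print("problems:", validate_dmarc(SAMPLE_DMARC) or "none")
    print("unauthenticated mail gets:", dmarc_disposition(SAMPLE_DMARC, False, False))
```

Run `validate_dmarc` against the record you are about to publish before changing the DNS entry; a typo in the p tag or a non-mailto reporting URI is silently ignored by some receivers and simply leaves you without reports. The pct handling shows why a staged rollout (pct below 100 with p=reject) quarantines rather than rejects the unsampled share.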

Step 3: Verify

To verify that all your settings are correct, you can use:
DKIM Check: https://mxtoolbox.com/dkim.aspx (selector is “selector1” or “selector2”)
DMARC Check: https://mxtoolbox.com/DMARC.aspx

and additionally, send an email, e.g. to a Gmail or live.com mailbox, and check its headers. They should contain something like:
dkim=pass header.d=reiter.bz; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reiter.bz;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=…
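As an added example (not code from the original post), the following Python script automates the header check above: it reads the Authentication-Results and DKIM-Signature headers of a received message, reports the DKIM verdict, selector and signing domain, confirms that From: is among the signed headers, and checks whether the signing domain aligns with the From: domain, which is what DMARC actually evaluates. The two sample messages are constructed with placeholder hashes and made-up addresses, and the organizational-domain logic is a simplification of the Public Suffix List rule real receivers apply.

```python
"""Read the DKIM verdict and DKIM-Signature from a received message and check
DMARC identifier alignment against the From: domain.
Added example; not code from the original post."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: header layout follows the post's example, but the body
# hash and signature are placeholders and the addresses are made up.
SAMPLE_ALIGNED = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=reiter.bz; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reiter.bz;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=PLACEHOLDER-BODY-HASH=; b=PLACEHOLDER-SIGNATURE=
From: Example Sender <user@reiter.bz>
To: someone@example.net
Subject: DKIM test
Message-ID: <constructed-1@reiter.bz>
Date: Mon, 01 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: text/plain

test body
"""

# Same message signed by a third-party mailer's domain: DKIM passes, but the
# signing domain does not align with From:, so DMARC would not count it.
SAMPLE_UNALIGNED = (SAMPLE_ALIGNED
                    .replace(b"header.d=reiter.bz", b"header.d=mailer.example.org")
                    .replace(b"d=reiter.bz;", b"d=mailer.example.org;"))


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list (DKIM-Signature) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(from_domain: str, signing_domain: str, strict: bool = False) -> bool:
    """DMARC DKIM alignment: exact match (strict) or same organizational domain (relaxed)."""
    if strict:
        return from_domain.lower() == signing_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(signing_domain)


def check_message(raw: bytes, strict: bool = False) -> dict:
    """Summarize what the receiving side would conclude from the message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    auth = str(msg["Authentication-Results"] or "")
    verdict = re.search(r"\bdkim=(\w+)", auth)
    sig = parse_tags(str(msg["DKIM-Signature"] or ""))
    signed_headers = [h.lower() for h in sig.get("h", "").split(":")]
    signing_domain = sig.get("d", "").lower()
    return {
        "dkim": verdict.group(1) if verdict else "missing",
        "signing_domain": signing_domain,
        "selector": sig.get("s", ""),
        "from_signed": "from" in signed_headers,  # RFC 6376 requires From: in h=
        "from_domain": from_domain,
        "aligned": bool(signing_domain) and is_aligned(from_domain, signing_domain, strict),
    }


if __name__ == "__main__":
    for name, raw in (("aligned", SAMPLE_ALIGNED), ("unaligned", SAMPLE_UNALIGNED)):
        print(name, check_message(raw))
```

The point of the second sample is that dkim=pass alone is not enough: a signature from a mailer's own domain passes DKIM but does not satisfy DMARC for your domain, which is why Office 365 signs with d= set to your custom domain once the CNAME records are in place.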

Armin Reiter
Blockchain/Web3, IT-Security & Azure
Vienna, Austria