Office 365 uses the tenant domain to manage DKIM signing, that is, the unique onmicrosoft.com domain that each tenant chooses at signup. DKIM is enabled by default on the .onmicrosoft.com domain but not, of course, on the custom domains.
Implement DKIM for custom domain in Office 365
To implement DKIM for a custom domain in Office 365 we need to create two CNAME records in the public DNS zone and then enable DKIM for that specific domain in the Office 365 portal.
Before we can create the records, we need to know which values to type in. The Office 365 admin center generates this information for us.
Connect to https://protection.office.com with a Global Admin or Exchange Online Admin account, then select Threat Management -> Policy -> DKIM.
Click on the custom domain where you want to enable DKIM and click ENABLE. You will receive a warning message telling you that the two CNAME records have not been created yet, together with the exact values to use and how to create those CNAME records.
Once you have those values, log in to your external DNS and create the two CNAME records. Here is a concrete example of how to do it:
Remember that DNS replication can take up to 24h worldwide (usually it is much less).
Once enabled, the result will be the following:
Implement DMARC for custom domain in Office 365
Once we have SPF and DKIM in place we need to publish a DMARC policy in DNS, and this is just a TXT record.
DMARC uses tags to tell the receiving mail system what to do with messages that fail DMARC authentication.
- v = The version tag that identifies the retrieved record as a DMARC record. Its value must be DMARC1 and it must be listed first in the DMARC record.
- p = The policy you would like the receiving system to apply when your email fails DMARC:
  - none – no action is taken, the receiver only collects data for reporting
  - quarantine – mark as high-confidence spam (usually quarantined)
  - reject – discard the received message (use it carefully and only after testing!)
- pct = The percentage of messages to which the DMARC policy is to be applied.
- rua = Tells the receiving system where you want aggregate reports to be sent. Aggregate reports provide visibility into the health of your email program by helping to identify potential authentication issues or malicious activity.
- ruf = Tells the receiving system where you want your forensic (message-level) reports to be sent.
On your custom domain's external DNS, create a new TXT record with the following values:
- Name: _dmarc
- Type: TXT
- Value: v=DMARC1; p=quarantine; pct=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
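As an added example (not part of the original post), here is a small Python checker that parses a DMARC TXT value and applies the rules listed above: v=DMARC1 must come first, p must be none, quarantine or reject, pct must be 0-100, and rua/ruf entries must be mailto: addresses. The sample record is the constructed value from this post; no DNS lookup is performed, the record is checked before you publish it.

```python
import re

# Constructed sample record, copied from the TXT value described above.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; pct=100; "
                 "rua=mailto:firstname.lastname@example.org; "
                 "ruf=mailto:email@example.com")

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO_RE = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags.append((tag.strip().lower(), value.strip()))
    return tags


def validate_dmarc(record):
    """Return a list of problems found; an empty list means the record passes."""
    problems = []
    tags = parse_tags(record)
    # The version tag must be present, be DMARC1 and be the first tag.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    tag_map = dict(tags)
    policy = tag_map.get("p")
    if policy is None:
        problems.append("p tag missing")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy {policy!r}")
    pct = tag_map.get("pct", "100")  # receivers assume 100 when pct is omitted
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be 0-100, got {pct!r}")
    # rua/ruf may hold several comma-separated mailto: URIs.
    for uri_tag in ("rua", "ruf"):
        for uri in tag_map.get(uri_tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_RE.fullmatch(uri):
                problems.append(f"{uri_tag} entry {uri!r} is not a mailto: URI")
    return problems
```

Run validate_dmarc() on the value you intend to publish; a non-empty list points at the tag to fix.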
To verify that everything is correctly configured, you can use MxToolbox to do an MX lookup for your domain; the result should be the following:
Thanks for your help to reduce the SPAM in our mailboxes!! 🙂