Lukas Beran


January 2016


Signing outgoing messages in Office 365 using DKIM


One of the basic problems with email is that anybody can use any email address, even if he or she is not the owner of that address or domain. DKIM is similar to SPF (Sender Policy Framework) but has one important advantage: when you forward a message, SPF validation fails, because the message is sent by a different mail server than the one specified in the MX record, and the forwarded message can be marked as spam.

DKIM (DomainKeys Identified Mail) signs mail with a domain key. This technology allows you to sign the headers of all outgoing messages, so the recipient can validate whether the message was sent by the authoritative (trusted) mail server. The signature is validated using a public key that is published in the sender's domain. This is why forwarding a message is not a problem: SPF works with the specific IP addresses of mail servers, whereas DKIM signs the header of a message when the message is created (sent from the authoritative mail server). The signature remains with the message even if it is forwarded, and it can still be validated against the public key in the domain. So DKIM does not work with the address of your mail server but with keys in your domain. In a signed message you can see DKIM-Signature in the header.

Adding CNAME records to DNS

First you need to add two CNAME records to your domain

<domainGUID> is a name from the MX record before For example my MX record points to, so <domainGuid> is  lukasberan-cz.

<initialDomain> is the name with which you signed up for Office 365. In my case it’s

My DNS record will look like:

But this example does not contain the name of my domain. We can add the name after selector1._domainkey, so

If you have more than one domain in your tenant, you need to create these two records for every domain. Because I have also domain in my tenant, I need to add the records for this domain as well. The final version of the DNS records is:

Activate DKIM signatures

After we have added the CNAME records, we need to activate the signatures. For the activation we need PowerShell, because at the time of writing this article activation from the Portal is not available.

First we need to allow running PowerShell scripts. From admin PowerShell run:

Now we can sign in to Office 365. First we save our credentials:

In the sign-in window, enter your Office 365 admin credentials.

Now we start a new Office 365 session:

And now we can import the session:

Now we can set up DKIM signatures:

We should see:

Using the same approach, we set up signing for all domains in our tenant.
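The following is an added example, not code from the original post: it checks that both CNAME records resolve to the targets Office 365 expects before enabling signing for each domain, so that signing is not switched on against missing or mistyped records. It assumes the Exchange Online session from the steps above is already imported; `example.com` and `example.org` are placeholder domains.

```powershell
# Added example, not the author's code. Placeholder domains: replace with your own.
$domains = @('example.com', 'example.org')

# Assumes the Exchange Online session is already imported, so the
# *-DkimSigningConfig cmdlets are available in this PowerShell window.
foreach ($domain in $domains) {
    $config = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    if (-not $config) {
        # Create the configuration disabled, then read back the expected CNAME targets.
        New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
        $config = Get-DkimSigningConfig -Identity $domain
    }

    # DNS name we published -> target Office 365 expects it to point to.
    $expected = @{
        "selector1._domainkey.$domain" = $config.Selector1CNAME
        "selector2._domainkey.$domain" = $config.Selector2CNAME
    }

    $ready = $true
    foreach ($name in $expected.Keys) {
        $want = ([string]$expected[$name]).TrimEnd('.')
        $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1
        $got = if ($answer) { $answer.NameHost.TrimEnd('.') } else { '' }

        # -ne is case-insensitive in PowerShell, which matches DNS name comparison.
        if (-not $want -or $got -ne $want) {
            Write-Warning "$name resolves to '$got', expected '$want'"
            $ready = $false
        }
    }

    if ($ready) {
        Set-DkimSigningConfig -Identity $domain -Enabled $true
        Write-Output "DKIM signing enabled for $domain"
    } else {
        Write-Warning "Skipping ${domain}: fix the CNAME records and run again"
    }
}

# Summary of the signing state for every domain in the tenant.
Get-DkimSigningConfig | Format-Table Domain, Enabled
```

Freshly created CNAME records can take time to propagate, so a warning right after publishing them may only mean the resolver has not seen them yet.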

We can now validate the result in the Office 365 portal. Go to Admin – Exchange and Security – dkim, where you should see all domains and their DKIM state.

In the header of your messages you should see information about the DKIM test and the DKIM signature.
