I'm trying to successfully setup DKIM email signing for my Office 365 domain
Hello - I'm trying to successfully set up DKIM email signing for my Office 365 domain, and may need some help with this. I'm reading online how to do it, but it's left me with a couple of questions so far, and thought I'd reach out to the experts.

1st question is when I came to the page on my Tenant account for DKIM (policies&rules\threat policies\DKIM), and clicked on my domain I want to enable on (LACO.COM), it shows a "Rotate Keys" button instead of "Create keys". Does this mean I've somehow already generated a key on the domain, but it's just not enabled? Following this - if I use the "Rotate Keys" button, will it let me enter a new private key for the domain through the site? Or do I need to use the Exchange PowerShell to do this?

Other question is - when I went to toggle the switch in there to "ENABLE", it states "Cname records do not exist. Please create cname records first, before enabling DKIM". So it gave me the correct records to create, and I just added them in my DNS for the domain - the thing I am wondering about is the records Microsoft gave me have the ORIGINAL domain name in them, which was their "onmicrosoft.com", which I changed to a different name for the company 2 years ago. Let me explain further. Our tenant shows "Laco.com" for the domain name. When I click INTO that domain, it then gives me a CNAME record instruction of "Host Name: selector2._domainkey   Points to address or value: selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com". I don't see "LACO.COM" in there - is that a problem? Will these records not work, since they don't say "Laco.com"? Or does that not matter?
Thanks for your help.
Damian
"selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com"
Your domain name "laco.com" is represented by "laco-com" in this redirection.
This record (CNAME) is created in your domain zone "Laco.com".
All of that is correct and normal.
So these records will work. And each different messaging domain that you could use will need 2 specific records pointing to onmicrosoft.com.
First start by using a Mail Relay, like MailGun or SMTP2Go.
This way you'll have a working system in a few minutes.
Then drop back to getting DKIM working... which can be a bit complex...
PS C:\Users\serviceaccount> validate-dkimconfig -domain laco.com
validate-dkimconfig : The term 'validate-dkimconfig' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ validate-dkimconfig -domain laco.com
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (validate-dkimconfig:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Gather required settings for DNS
To enable DKIM we must add two CNAME records to DNS. We use the Validate-DkimConfig cmdlet to provide us with the detailed information we must set in DNS. Load the functions included in validate-dkimconfig.ps1 and then run validate-dkimconfig as shown below.
PS C:\temp> . .\Validate-DkimConfig.ps1
PS C:\temp> validate-dkimconfig -domain verboon.online
How do you load a function?
PS C:\temp> dir *.ps1
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/13/2021 12:58 PM 8421 function Validate-DkimConfig.ps1
PS C:\temp>
DKIM signing is a bear + shortly... gazing deeply into my geekerize crystal ball... I foresee dual signing - RSA1024 (never RSA2048) + ED25519 - will be required for best delivery/inboxing.
https://rspamd.com/doc/quickstart.html provides a very good starting point, so get this working using an open source base like OpenSMTPD + RSPAMD first... which will give you a working, dual/multi-signing system in a few hours.
Once you have this working, so you can deliver/inbox all your email...
Then jump into the pit... mud wrestling with Exchange to... attempt... getting the same type of system working...
>. .\Validate-DkimConfig.ps1
That loads the functions, so that the next command will work:
>validate-dkimconfig -domain Laco.com
Then it gave me results. Tells me "Public Key in TXT Entry selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com needs to be republished..."
So I created what I believe to be the correct TXT entry in DNS and now have to let it propagate for a few hours and see if it all works now. Will report back the results soon.
Thanks
Only use an external validator, so you're sure you have the same... view of DNS a real external Mailbox Provider will have.
Also, external validators only validate DNS records.
They do not, nor can they, ever validate your DKIM signing is actually working.
The only way to actually test if your DKIM DNS + signing is correct, is to use an email based verifier.
https://www.experts-exchange.com/questions/29219172/DKIM-not-authenticated.html provides details about using the Port25 verifier.
You have to login to EXO Powershell and generate the key.
Then enable it
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
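The two answers above describe the same procedure in words: the selector CNAMEs in the custom zone point at Microsoft's onmicrosoft.com names (where Microsoft publishes the actual public key as a TXT record), and the signing config is created and enabled from Exchange Online PowerShell. The following is an added example, not code from the thread, the linked blog or Microsoft's docs. It assumes the ExchangeOnlineManagement module is installed, an Exchange admin sign-in, and that a public resolver (8.8.8.8 is an arbitrary choice) gives the external view of DNS a receiving mail provider sees. It uses only documented cmdlets: Get/New/Set-DkimSigningConfig and Resolve-DnsName.

```powershell
# Added example (not from the thread or Microsoft's documentation).
# Check the two DKIM selector CNAMEs for a Microsoft 365 custom domain from an
# external resolver, follow them to Microsoft's published public key, and only
# then enable signing in Exchange Online.
# Assumptions: Install-Module ExchangeOnlineManagement has been run, the account
# has Exchange admin rights, and $Domain is the domain to sign for.
$Domain   = 'laco.com'   # domain named in the thread; replace with your own
$Resolver = '8.8.8.8'    # assumption: any public resolver gives the external view

Connect-ExchangeOnline   # interactive sign-in

# A config that already exists (the portal shows "Rotate keys" rather than
# "Create keys") is the normal case: the signing config exists but is not enabled.
$cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $cfg) {
    # No config yet: create one, disabled, so the CNAME targets become known.
    $cfg = New-DkimSigningConfig -DomainName $Domain -Enabled $false
}

# The two CNAME records the custom zone must contain. The target carries
# "laco-com" and the tenant's *.onmicrosoft.com name; the custom domain itself
# does not appear in the target, which is expected.
$expected = @{
    "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
}

$allGood = $true
foreach ($name in $expected.Keys) {
    $cname = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        Write-Warning "$name : no CNAME found (the portal reports 'CNAME records do not exist')"
        $allGood = $false
        continue
    }
    $target = $cname.NameHost.TrimEnd('.')
    if ($target -ine $expected[$name].TrimEnd('.')) {
        Write-Warning "$name : points to $target, expected $($expected[$name])"
        $allGood = $false
        continue
    }
    # Follow the CNAME: the public key lives in a TXT record at the onmicrosoft.com
    # name, published by Microsoft. That is the record a receiving server reads.
    $txt = Resolve-DnsName -Name $target -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'TXT' }
    $key = ($txt | ForEach-Object { $_.Strings -join '' }) -join ''
    if ($key -notmatch 'v=DKIM1' -or $key -notmatch 'p=[A-Za-z0-9+/=]+') {
        Write-Warning "$name : CNAME is correct but $target has no DKIM1 public key TXT record yet"
        $allGood = $false
        continue
    }
    Write-Host "$name -> $target  OK (public key published)"
}

if ($allGood -and -not $cfg.Enabled) {
    # Flip the switch only once both CNAMEs resolve externally; the portal
    # enforces the same precondition.
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
}
elseif (-not $allGood) {
    Write-Host 'Fix the DNS records reported above, wait for propagation, then re-run.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Querying a public resolver rather than the internal one matters here: a record that resolves on the corporate network but not from outside will still fail at every receiving mail provider, which is also why the DNS check alone does not prove signing works; sending a message to an email-based verifier remains the final test.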