Damian Gardner asked:
I'm trying to successfully set up DKIM email signing for my Office 365 domain

Hello - I'm trying to successfully set up DKIM email signing for my Office 365 domain, and may need some help with this.  I'm reading online how to do it, but it's left me with a couple of questions so far, and I thought I'd reach out to the experts.

1st question is when I came to the page on my Tenant account for DKIM (policies&rules\threat policies\DKIM), and clicked on my domain I want to enable on (LACO.COM), it shows a "Rotate Keys" button instead of "Create keys".  Does this mean I've somehow already generated a key on the domain, but it's just not enabled?  Following this - if I use the "Rotate Keys" button, will it let me enter a new private key for the domain through the site? Or do I need to use the Exchange PowerShell to do this?

Other question is - when I went to toggle the switch in there to "ENABLE", it states "Cname records do not exist. Please create cname records first, before enabling DKIM".  So it gave me the correct records to create, and I just added them in my DNS for the domain - the thing I am wondering about is the records Microsoft gave me have the ORIGINAL domain name in them, which was their "onmicrosoft.com", which I changed to a different name for the company 2 years ago.  Let me explain further.  Our tenant shows "Laco.com" for the domain name.  When I click INTO that domain, it then gives me a CNAME record instruction of "Host Name: selector2._domainkey   Points to address or value: selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com".  I don't see "LACO.COM" in there - is that a problem? Will these records not work, since they don't say "Laco.com"?  Or does that not matter?


Thanks for your help.

Damian

M A

selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com

Your name "laco.com" is represented by "laco-com" in this redirection.
This record (CNAME) is created in your domain zone "Laco.com".

But all that is correct and normal.

So, these records will work. And each different messaging domain that you could use will need 2 specific records pointing to OnMicrosoft.com
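The naming rule M A describes can be checked from the outside before touching the portal toggle. The following is an added example, not code from the thread or from Microsoft: it derives the two CNAME records Microsoft 365 expects for a custom domain (every dot in the custom domain becomes a dash, and the target lives under the tenant's onmicrosoft.com domain), resolves them through an external resolver the way a receiving mail server would, and then follows the chain to the TXT record Microsoft publishes to confirm it carries `v=DKIM1` and a `p=` public key. The domain names are the ones from the thread; the resolver address 8.8.8.8 is an assumption, and `Resolve-DnsName` needs the Windows DnsClient module.

```powershell
# Added example (not from the thread or Microsoft docs). Assumes the DnsClient
# module (Resolve-DnsName) and an external resolver reachable on UDP/53.

function Get-ExpectedDkimCnames {
    param(
        [Parameter(Mandatory)] [string] $Domain,        # messaging domain, e.g. laco.com
        [Parameter(Mandatory)] [string] $InitialDomain  # tenant domain, e.g. lacomarkal.onmicrosoft.com
    )
    # Microsoft replaces every dot in the custom domain with a dash in the target
    # name, so laco.com becomes laco-com. The custom domain itself only appears on
    # the left-hand side (the host you create in your own zone).
    $dashed = $Domain.ToLower() -replace '\.', '-'
    foreach ($n in 1, 2) {
        [pscustomobject]@{
            Host   = "selector$n._domainkey.$Domain"
            Target = "selector$n-$dashed._domainkey.$InitialDomain"
        }
    }
}

function Test-DkimCname {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Record,
        [string] $Resolver = '8.8.8.8'   # assumption: external resolver, not the local cache
    )
    $result = [ordered]@{ Host = $Record.Host; CnameOk = $false; TxtOk = $false; Detail = '' }
    try {
        $cname = Resolve-DnsName -Name $Record.Host -Type CNAME -Server $Resolver -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) {
            $result.Detail = 'no CNAME published'
            return [pscustomobject]$result
        }
        $result.CnameOk = ($cname.NameHost.TrimEnd('.') -ieq $Record.Target)
        if (-not $result.CnameOk) {
            $result.Detail = "CNAME points to $($cname.NameHost), expected $($Record.Target)"
            return [pscustomobject]$result
        }

        # Follow the chain: the TXT record is at the onmicrosoft.com name and is
        # published by Microsoft, not by you. It must carry v=DKIM1 and a p= key.
        $txt = Resolve-DnsName -Name $Record.Target -Type TXT -Server $Resolver -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'TXT' }
        $value = ($txt | ForEach-Object { -join $_.Strings }) -join ''
        $result.TxtOk = ($value -match 'v=DKIM1' -and $value -match 'p=[A-Za-z0-9+/=]+')
        $detail = if ($result.TxtOk) { 'ok' } else { "TXT at $($Record.Target) is missing v=DKIM1 or p=" }
        $result.Detail = $detail
    } catch {
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage with the thread's names:
Get-ExpectedDkimCnames -Domain 'laco.com' -InitialDomain 'lacomarkal.onmicrosoft.com' |
    ForEach-Object { Test-DkimCname -Record $_ } |
    Format-Table -AutoSize
```

A row with `CnameOk` true and `TxtOk` false means your zone is right but Microsoft has not (yet) published the key at the target; that is the situation the portal reports as the key needing to be created or republished, and nothing you add to your own zone fixes it.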
Trick.

First start by using a Mail Relay, like MailGun or SMTP2Go.

This way you'll have a working system in a few minutes.

Then drop back to getting DKIM working... which can be a bit complex...
Damian Gardner
ASKER
Sorry for my delay.  I'm just circling back now, and appreciate everyone's comments and suggestions.  Will try these and circle back again soon.  thank you!
Ok - so I guess what I'm expecting to see in the article but not seeing is where the "private key" is set for the signing server?  I know how to generate the public key and that I have to put that in a TXT record in my DNS.  But how do I see or change my private key?
Hey guys - I've read the article sent by MAS.  Here's a statement from it:  "In basic, a private key encrypts the header in a domain's outgoing email. The public key is published in the domain's DNS records, and receiving servers can use that key to decode the signature.  "   What I'm having trouble with is do I need to generate this private and public key and manually insert those into my Office 365 and also DNS?  I assume that I do.  I just don't see ANY examples of what those keys look like and what commands generate them.  Do you see it?  what am I missing?
ASKER CERTIFIED SOLUTION
M A
(The accepted solution text is only available to Experts Exchange members.)
Thanks for your help MA.  It doesn't seem to like the command.  I'm researching the command online, but wanted to respond back to show you what the result of the command is:

PS C:\Users\serviceaccount> validate-dkimconfig -domain laco.com
validate-dkimconfig : The term 'validate-dkimconfig' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ validate-dkimconfig -domain laco.com
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (validate-dkimconfig:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Looks like maybe I need to load this function first?
Did you connect to EXO Powershell?

Yes - I tested it with "get-mailbox" and I see all my mailboxes in the cloud. When I issue that command in the same PS window, it doesn't find it.  I've since downloaded the script I found online named "Validate-DkimConfig.ps1" but am trying to figure out how to make it recognize the file as a "function".  So far, it still fails.
I'm reading the following under this page: https://www.verboon.info/2019/01/how-to-enable-dkim-in-office-365/

Gather required settings for DNS

To enable DKIM we must add two CNAME records to DNS, we use the Validate-DkimConfig cmdlet to provide us with the detailed information we must set in DNS
Load the functions included in validate-dkimconfig.ps1 and then run validate-dkimconfig as shown below.
PS C:\temp> . .\Validate-DkimConfig.ps1
PS C:\temp> validate-dkimconfig -domain verboon.online


How do you load a function?
I have the file sitting on my local machine that I'm tied into Exchange Online in the Temp directory - it shows "function" in front of the file name...

PS C:\temp> dir *.ps1


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/13/2021  12:58 PM           8421 function Validate-DkimConfig.ps1


PS C:\temp>
Looks like we're maybe stumped
Aside: Sigh... Likely many will have... a different opinion...

DKIM signing is a bear + shortly... gazing deeply into my geekerize crystal ball... I foresee dual signing - RSA1024 (never RSA2048) + ED25519 - will be required for best delivery/inboxing.

https://rspamd.com/doc/quickstart.html provides a very good starting point, so get this working using an open source base like OpenSMTPD + RSPAMD first... which will give you a working, dual/multi-signing system in a few hours.

Once you have this working, so you can deliver/inbox all your email...

Then jump into the pit... mud wrestling with Exchange to... attempt... getting the same type of system working...
Ok 0 thanks for that, David.  Seems like I was close :)  Just couldn't figure out how to get that PS1 function to be recognized by PowerShell, is what it came down to.  You wouldn't know how to load custom scripts in PowerShell, would you?
oops - typo there.  ignore the "0"
Made some progress.  Figured out that in order to load the functions in the script, you have to execute this first:

>. .\Validate-DkimConfig.ps1

That loads the functions, so that the next command will work:

>validate-dkimconfig -domain Laco.com

Then it gave me results.  Tells me "Public Key in TXT Entry selector2-laco-com._domainkey.lacomarkal.onmicrosoft.com needs to be republished..."

So I created what I believe to be the correct TXT entry in DNS and now have to let it propagate for a few hours and see if it all works now.  Will report back the results soon.

Thanks
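Two points in this post deserve a worked example. First, `. .\Validate-DkimConfig.ps1` is dot-sourcing: it runs the script in the current scope so the functions it defines stay loaded, whereas `.\Validate-DkimConfig.ps1` runs them in a child scope that is discarded. Second, the community script is not needed for the core checks, because the Exchange Online cmdlets already expose the exact CNAME targets the portal shows and the enable switch. The following is an added example, not code from the thread, from Microsoft or from the verboon.info script: it reads (or creates, disabled) the signing config for a domain, verifies both CNAMEs through an external resolver, and only then enables signing. `laco.com` is the thread's domain; the resolver 8.8.8.8 and the 2048-bit key size are assumptions. It requires `Connect-ExchangeOnline` from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module
# and the DnsClient module (Resolve-DnsName) are installed.
Connect-ExchangeOnline   # interactive sign-in; run once per session

function Show-DkimState {
    param([Parameter(Mandatory)] [string] $Domain)

    # A "Rotate keys" button in the portal means a signing config (and therefore a
    # key pair, generated and held by Microsoft) already exists for the domain.
    # Get-DkimSigningConfig shows it, including the CNAME targets the portal lists.
    $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Write-Host "No DKIM signing config for $Domain; creating one (disabled) so the CNAME targets exist"
        $cfg = New-DkimSigningConfig -DomainName $Domain -Enabled $false -KeySize 2048
    }
    [pscustomobject]@{
        Domain          = $cfg.Domain
        Enabled         = $cfg.Enabled
        Selector1Target = $cfg.Selector1CNAME   # selector1._domainkey.$Domain must CNAME to this
        Selector2Target = $cfg.Selector2CNAME   # selector2._domainkey.$Domain must CNAME to this
        KeySize         = $cfg.Selector1KeySize
    }
}

function Enable-DkimWhenReady {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Resolver = '8.8.8.8'   # assumption: external resolver, not the local cache
    )
    $cfg = Get-DkimSigningConfig -Identity $Domain
    foreach ($n in 1, 2) {
        $name     = "selector$n._domainkey.$Domain"
        $expected = $cfg."Selector${n}CNAME"
        $actual   = (Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
        if (-not $actual -or $actual.TrimEnd('.') -ine $expected.TrimEnd('.')) {
            throw "$name resolves to '$actual', expected '$expected'; fix DNS before enabling"
        }
    }
    # Both CNAMEs are visible externally, so the portal's "Cname records do not
    # exist" check will not fire. Enabling flips signing on; nothing else is needed.
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
}

Show-DkimState -Domain 'laco.com'
Enable-DkimWhenReady -Domain 'laco.com'
```

On the private-key question raised earlier in the thread: with Microsoft 365 DKIM you never see or upload the private key. Microsoft generates the pair, keeps the private half, and publishes the public half itself at the `selector1-…`/`selector2-…` names under the tenant's onmicrosoft.com domain, which is why only CNAMEs go into your own zone. `Rotate-DkimSigningConfig -Identity laco.com -KeySize 2048` makes Microsoft generate a new pair and switch selectors; there is no cmdlet or portal field for importing your own key.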
Tip: Never trust local DKIM validation.

Only use an external validator, so you're sure you have the same... view of DNS a real external Mailbox Provider will have.

Also, external validators only validate DNS records.

They do not, nor can they, ever validate your DKIM signing is actually working.

The only way to actually test if your DKIM DNS + signing is correct, is to use an email based verifier.

https://www.experts-exchange.com/questions/29219172/DKIM-not-authenticated.html provides details about using the Port25 verifier.