Monday, July 23, 2018

Configuring DKIM In Office 365

DKIM (DomainKeys Identified Mail) signing is something you can easily add to your Office 365 environment to improve the security of your custom domains.

To configure DKIM, you add two CNAME records to your domain's DNS and then enable signing in Office 365. From then on, every outbound message carries a DKIM-Signature header: a digital signature over the message body and selected headers, made with a private key that Microsoft holds for your domain. A receiver looks up the matching public key in your DNS (through the selector records you published) and checks the signature, which proves the message was sent by a system authorised for your domain and was not altered in transit. Nothing is encrypted; the mail itself is as readable as before.

You can read more about how all this works and how to configure it here:

Use DKIM to validate outbound email sent from your custom domain

What my video shows you is how to do this setup using PowerShell combined with Azure DNS. This means the DNS records for the custom domain are hosted in an Azure DNS zone, and thanks to PowerShell I can do the whole DKIM configuration via a script. In fact, you can create all your Office 365 DNS records in Azure DNS with a single script. That's how I do it, to save time and be more consistent.

Here are the PowerShell commands you’ll need:

# Run in a session connected to both Exchange Online and AzureRM.
# $domain holds the custom domain; $res_grp the resource group of its Azure DNS zone.
$dkim = Get-DkimSigningConfig -Identity $domain

# Office 365 supplies the CNAME target for each of the two selectors.
$cname1 = $dkim.Selector1Cname
$cname2 = $dkim.Selector2Cname
$hostname1 = "selector1._domainkey"
$hostname2 = "selector2._domainkey"

# Publish both selectors as CNAMEs in the zone (Microsoft owns the TXT records they point at).
New-AzureRmDnsRecordSet -Name $hostname1 -RecordType CNAME -ZoneName $domain -ResourceGroupName $res_grp -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname $cname1)
New-AzureRmDnsRecordSet -Name $hostname2 -RecordType CNAME -ZoneName $domain -ResourceGroupName $res_grp -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname $cname2)

# Enabling fails until both CNAMEs resolve publicly, so allow DNS propagation before this step.
Set-DkimSigningConfig -Identity $domain -Enabled $true

Make sure you are connected to both the Azure and Exchange Online PowerShell environments, and that you have put the custom domain in the variable $domain and the Azure resource group of the DNS zone in $res_grp first.
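As an added example (not the author's script or the one from the video), here is how the same steps look when driven across every custom domain in the tenant, with a DNS check before the enable step so it does not fail on records that have not propagated yet. It assumes you are already connected to Exchange Online and to AzureRM (the module this page uses; the Az cmdlets have the same shape with Az in place of AzureRm), that every domain's zone sits in one Azure DNS resource group, and that the resource group name rg-dns-prod is a placeholder.

```powershell
# Added example, not the author's code. Assumes Exchange Online and
# Connect-AzureRmAccount sessions are open and every custom domain's zone
# lives in Azure DNS under the resource group named in $res_grp (placeholder).
$res_grp = "rg-dns-prod"

function Publish-DkimCname {
    param([string]$Zone, [string]$Name, [string]$Target)
    # Idempotent: create the CNAME, or repoint it if it exists with another target.
    $existing = Get-AzureRmDnsRecordSet -Name $Name -RecordType CNAME -ZoneName $Zone `
        -ResourceGroupName $res_grp -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.Records[0].Cname -eq $Target) { return }
        $existing.Records[0].Cname = $Target
        Set-AzureRmDnsRecordSet -RecordSet $existing | Out-Null
        return
    }
    New-AzureRmDnsRecordSet -Name $Name -RecordType CNAME -ZoneName $Zone `
        -ResourceGroupName $res_grp -Ttl 3600 `
        -DnsRecords (New-AzureRmDnsRecordConfig -Cname $Target) | Out-Null
}

function Test-DkimSelector {
    param([string]$Domain, [string]$Selector)
    # Follow selectorN._domainkey.<domain> -> CNAME -> Microsoft's TXT record and
    # confirm a DKIM public key (v=DKIM1 ... p=<base64>) is actually visible.
    $txt = Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' }
    if (-not $txt) { return $false }
    $value = ($txt.Strings -join '')
    return ($value -match 'v=DKIM1' -and $value -match 'p=[A-Za-z0-9+/=]+')
}

# Custom domains only; the onmicrosoft.com initial domain is signed by Microsoft already.
$configs = Get-DkimSigningConfig | Where-Object { $_.Domain -notlike '*.onmicrosoft.com' }

foreach ($dkim in $configs) {
    $domain = $dkim.Domain
    if (-not (Get-AzureRmDnsZone -Name $domain -ResourceGroupName $res_grp -ErrorAction SilentlyContinue)) {
        Write-Warning "${domain}: no Azure DNS zone in $res_grp, skipping"
        continue
    }

    Publish-DkimCname -Zone $domain -Name 'selector1._domainkey' -Target $dkim.Selector1Cname
    Publish-DkimCname -Zone $domain -Name 'selector2._domainkey' -Target $dkim.Selector2Cname

    # Set-DkimSigningConfig -Enabled $true is rejected until both CNAMEs resolve
    # publicly, so poll (up to 10 minutes here) rather than assume propagation.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $ready = (Test-DkimSelector $domain 'selector1') -and (Test-DkimSelector $domain 'selector2')
        if (-not $ready) { Start-Sleep -Seconds 30 }
    } while (-not $ready -and (Get-Date) -lt $deadline)

    if (-not $ready) {
        Write-Warning "${domain}: selector records not resolvable yet; rerun later to enable"
    } elseif ($dkim.Enabled) {
        Write-Output "${domain}: DKIM signing already enabled"
    } else {
        Set-DkimSigningConfig -Identity $domain -Enabled $true
        Write-Output "${domain}: DKIM signing enabled"
    }
}
```

Domains that do not yet appear in Get-DkimSigningConfig first need New-DkimSigningConfig -DomainName <domain> -Enabled $false to create their selector pair, after which the loop picks them up. Resolve-DnsName asks your local resolver, so a cached negative answer can delay the check; pointing it at a public resolver with -Server avoids that. Once a domain is enabled, send a message to an external mailbox and confirm its Authentication-Results header shows dkim=pass with header.d= set to your custom domain rather than your onmicrosoft.com domain.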

Now DKIM is not the be-all and end-all of domain spoofing protection: it lets receivers verify the mail you did sign, but on its own says nothing about what to do with unsigned mail claiming to be from you, which is the job of SPF and a DMARC policy. DKIM is a prerequisite for DMARC, though, so having it configured helps, and using a script to deploy it makes it much easier to implement across all your custom domains in Office 365.

You should also note the following from the above article:

If you do not enable DKIM, Office 365 automatically creates a 1024-bit DKIM public key for your custom domain and the associated private key which we store internally in our datacenter. By default, Office 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Office 365 will use its default policy and keys it creates in order to enable DKIM for your domain.

Also, if you disable DKIM signing after enabling it, after a period of time, Office 365 will automatically apply the Office 365 default policy for your domain.

Although DKIM is not mandatory for email sent via the Internet, having it enabled lets receivers that check DKIM tell your legitimately signed mail apart from forgeries, and a signature made with your own domain's key is what gives DMARC an aligned identifier (the default Office 365 signature uses your tenant's onmicrosoft.com key, which does not align with your custom domain). It doesn't take long to configure and, because the selector records are CNAMEs into Microsoft's zone, Microsoft can rotate the keys without you touching DNS, so once done it doesn't require any maintenance. Best practice is to set it up and help the Internet better detect and protect against spoofing.