Wednesday, December 16, 2015

Office 365 DKIM Going Live

DKIM signing for outbound messages has been available (with some issues) in Office 365 for a couple of months now.  It is now beginning to roll out into standard release tenants in production, and this post will attempt to break down what this means.

For those who are Office 365 (Exchange Online) Admins, and aren't familiar with SPF, DKIM and DMARC, I recommend referencing Terry Zink's blog.  In my view, this is the best practice.

DKIM Goes Online

Exchange admins can check the current status of DKIM in their tenant through the Get-DkimSigningConfig cmdlet.  Note that if any results return, then keys have been setup for the listed domain(s).  It will return blank if nothing has been setup in a tenant.

In my experience, the primary sending domain is now set to Enabled.  The other domains in my tenant were configured with key pairs generated, but the domains were not yet enabled because CNAMEs were not found in DNS.

The result is that all messages coming from my O365 domain are now signed with DKIM!  My test tenant as well as Gmail give me a Pass for DKIM evaluation, even though the envelope.from domain (vanity domain) is not yet enabled.


I have not yet seen any issues, but there is word that some automatic replies such as OOF messages can fail DKIM evaluation by some services.  As I understand it, this is being worked on.