Defender for Office 365 Email DKIM Signature Addition

This guide will show an administrator how to create a DKIM signature that will be registered for your owned domain.

DKIM Email Authentication

Applies to

• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com).

DKIM is one of the trios of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.

DKIM lets you add a digital signature to outbound email messages in the message header.

When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate.

In basic, a private key encrypts the header in a domain's outgoing email. The public key is published in the domain's DNS records, and receiving servers can use that key to decode the signature.

DKIM verification helps the receiving servers confirm the mail is really coming from your domain and not someone spoofing your domain.

Microsoft-365's built-in DKIM configuration is sufficient coverage for most customers. However, you should manually configure DKIM for your custom domain in the following circumstances:

• You have more than one custom domain in Microsoft 365
• You're going to set up DMARC too (recommended)
• You want control over your private key.
• You want to customize your CNAME records.
• You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.

How DKIM works better than SPF alone to prevent malicious spoofing

SPF adds information to a message envelope, but DKIM encrypts a signature within the message header. When you forward a message, the forwarding server can away strip portions of that message’s envelope. Since the digital signature stays with the email message because it's part of the email header, DKIM works even when a message has been forwarded.

If you only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. 

The addition of DKIM reduces false positive spam reporting. 

Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than SPF.

We recommend using both SPF and DKIM, as well as DMARC in your deployment.

DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the d= field in the header. The verifying domain, or recipient's domain, then uses the d= field to look up the public key from DNS and authenticate the message. If the message is verified, the DKIM check passes.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: TBD

Domain: TBD

Modifies: TBD

Defender DKIM Signature Addition

1. Navigate to the DKIM Email Authentication – Microsoft Defender portal, select the domain you wish to configure with DKIM from the list.
   
2. A window will open; click Create DKIM Keys.
   
3. A message will appear asking you to add the specified CNAME records to DNS. Copy the records by clicking Copy and perform the DNS addition and publication as your DNS provider recommends.
   
4. Return to the DKIM page and reselect the domain that the CNAME records have been created for. In the window, click the Enable ribbon. If successful, the switch will turn to Enabled and outbound mail will be DKIM signed.
   

Need Assistance?