Protecting Exchange Online Mail With DKIM

DomainKeys Identified Mail (DKIM) is an email authentication standard which uses a public/private key pair (not certificates) to sign messages as they leave the source environment. The signing server adds a DKIM-Signature header covering the message body and selected headers; the recipient looks up the public key in DNS, at <selector>._domainkey.<domain>, and checks the signature. A valid signature proves that the message was signed by that domain and has not been altered since, although it does not encrypt the message in transit. Having DKIM set up for your mail domains goes a long way towards protecting your domain from being used in Phishing/Spoofing attacks, particularly once DMARC is layered on top of it.

Setting up DKIM on a self-hosted mail system usually takes a fair amount of work: generating and storing the keys, publishing them in DNS, and installing a signing agent or plugin for the mail server in question. In Exchange Online, a lot of the heavy lifting has been done for us by Microsoft. The keys are generated and hosted under our tenant's initial ("onmicrosoft.com") domain, which acts as the signing domain, and each custom domain delegates to those keys with CNAME records.

Setting Up DKIM in EOL

Setting up DKIM for your custom domains in Exchange Online is very straightforward. To enable DKIM for a domain, first connect to Exchange Online PowerShell and run the cmdlet below to create a signing configuration for the domain. Note that enabling fails with an error if the CNAME records from the next step are not yet in public DNS, so if the records are not published yet, create the configuration with -Enabled $False and enable it later with Set-DkimSigningConfig.

New-DkimSigningConfig -DomainName <DomainName.com> -KeySize 2048 -Enabled $True

The output includes the two CNAME records to publish (the Selector1CNAME and Selector2CNAME properties, also visible later via Get-DkimSigningConfig). Note that the host name is selector1._domainkey (with the dot), and that the value contains your domain with the dots replaced by hyphens, followed by your tenant's initial onmicrosoft.com domain. The DKIM records for Exchange Online will look like the below in the public DNS of your custom domain:

Record Type | Host Name            | Value                                                         | TTL
CNAME       | selector1._domainkey | selector1-domain-com._domainkey.clouddomain.onmicrosoft.com   | 3600
CNAME       | selector2._domainkey | selector2-domain-com._domainkey.clouddomain.onmicrosoft.com   | 3600

Once the records are in place, the DKIM configuration can be found in the ATP Policy section of the Security & Compliance Center, under 'Additional Policies' – 'DKIM'. (In newer tenants the same page lives in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM.)

Here we can select our domain and select 'Enable' to turn on DKIM signing for the domain, easy! The portal checks for the CNAME records before it enables signing, and DNS changes can take a while to propagate, so if the check fails, wait a while and try again. Once enabled, outbound mail from the domain carries a DKIM-Signature header with d=<your domain> and s=selector1 (or selector2); send a test message to an external mailbox and inspect the headers to confirm.

We can also manually rotate the signing keys at intervals from this page (or with Rotate-DkimSigningConfig). Rotation generates a new key under the other selector and switches signing over to it after a delay, which is why both CNAME records must stay published permanently: removing the record for the selector that is not currently signing will break the next rotation.
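The whole procedure above scripted end to end, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module is installed, that the account used holds the Exchange Administrator role, a Windows host (Resolve-DnsName comes from the DnsClient module), and that the custom domain is passed in as $Domain. It stages the configuration disabled, prints the two CNAMEs to publish, verifies them in public DNS (including that the delegated target actually carries a public key), and only then enables signing.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# module, an Exchange Administrator account, a Windows host and a custom domain in $Domain.
param(
    [Parameter(Mandatory)] [string] $Domain
)

Connect-ExchangeOnline

# 1. Create the signing configuration but leave it disabled: enabling fails until
#    both CNAMEs exist in public DNS, so stage it first. Idempotent on re-runs.
if (-not (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $Domain -KeySize 2048 -Enabled $false | Out-Null
}
$cfg = Get-DkimSigningConfig -Identity $Domain

# 2. The two records to publish. Both must exist even though only one selector
#    signs at a time, because key rotation swaps signing to the other selector.
$expected = @{
    "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
}
$expected.GetEnumerator() | ForEach-Object { "{0,-45} CNAME -> {1}" -f $_.Key, $_.Value }

# 3. Verify public DNS before enabling. Each host must be a CNAME to the expected
#    target, and that target must resolve to a TXT record carrying the public key
#    ('p=' tag); otherwise recipients cannot verify the signature.
$ready = $true
foreach ($entry in $expected.GetEnumerator()) {
    $name   = $entry.Key
    $target = $entry.Value.TrimEnd('.')
    $cname  = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname -or $cname.NameHost.TrimEnd('.') -ne $target) {
        Write-Warning "$name does not point at $target yet"
        $ready = $false
        continue
    }
    $key = Resolve-DnsName -Name $target -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -match 'p=') }
    if (-not $key) {
        Write-Warning "No DKIM public key (p=) found at $target"
        $ready = $false
    }
}

# 4. Only enable once both selectors verify. DNS propagation takes time, so a
#    failure here usually just means "run it again later".
if ($ready) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Domain, Enabled, RotateOnDate, SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate
} else {
    Write-Host "DNS not ready; leaving DKIM disabled for $Domain"
}

# 5. Key rotation later on, the same action as the 'Rotate' button in the portal:
#    Rotate-DkimSigningConfig -Identity $Domain
```

Step 3 is the part worth keeping in your runbook: the portal performs the same CNAME check, but it does not tell you which of the two records is wrong, and it cannot tell you that a record was deleted after enabling, which only shows up as a failed rotation months later.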

DKIM is a great security measure to protect your email domains from being spoofed. Along with DKIM, make sure your SPF and DMARC records are up to date to provide your recipients with the best possible information about your source environment. If you have alternate mail sources, such as independent relays or third-party bulk senders, bear in mind that Exchange Online only signs mail that leaves through Exchange Online: each other source needs its own DKIM key and selector published under your domain, and its IPs or includes in your SPF record, or its mail will fail DMARC alignment.
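A quick audit of the SPF and DMARC records that sit alongside DKIM, as an added example that is not from the original post. It assumes a Windows host (Resolve-DnsName) and the custom domain in $Domain; the Exchange Online SPF include it looks for, spf.protection.outlook.com, is the one Microsoft publishes for Exchange Online senders.

```powershell
# Added example, not code from the original post. Assumes a Windows host and a
# custom domain in $Domain; only public DNS is consulted, no tenant access needed.
param(
    [Parameter(Mandatory)] [string] $Domain
)

function Get-TxtRecords {
    param([string] $Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }   # long records arrive split into 255-byte chunks
}

$findings = @()

# SPF: exactly one v=spf1 record, ending in a hard fail for anything not listed.
# Every outside relay that sends as this domain must appear in it.
$spf = @(Get-TxtRecords -Name $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0 { $findings += 'No SPF record published' }
    1 {
        $terms = $spf[0] -split '\s+'
        if ($terms[-1] -ne '-all') {
            $findings += "SPF does not hard-fail ('-all'): $($spf[0])"
        }
        if ('include:spf.protection.outlook.com' -notin $terms) {
            $findings += 'SPF does not include spf.protection.outlook.com (Exchange Online)'
        }
        # RFC 7208 allows at most 10 DNS-querying terms; receivers return permerror past that.
        $lookups = @($terms | Where-Object {
            $_ -match '^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|ptr|redirect=)' }).Count
        if ($lookups -gt 10) {
            $findings += "SPF needs $lookups DNS lookups; receivers stop evaluating after 10"
        }
    }
    default { $findings += "Multiple SPF records published ($($spf.Count)); receivers treat this as a permanent error" }
}

# DMARC: lives at _dmarc.<domain>. p=none only reports, it does not stop spoofing.
$dmarc = @(Get-TxtRecords -Name "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -ne 1) {
    $findings += "Expected one DMARC record at _dmarc.$Domain, found $($dmarc.Count)"
} else {
    $tags = @{}
    foreach ($pair in ($dmarc[0] -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['p'] -ne 'reject') { $findings += "DMARC policy is 'p=$($tags['p'])'; spoofed mail is not rejected" }
    if (-not $tags['rua'])       { $findings += 'DMARC has no rua= address, so you receive no aggregate reports' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $findings += "DMARC only applies to pct=$($tags['pct'])% of mail"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "SPF and DMARC for $Domain look sound" }
```

Run it against each custom domain after any change to your mail sources; the DMARC aggregate reports delivered to the rua= address are then the place to confirm that every relay is signing and aligning before you move from p=none to p=reject.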

Finally, ensure that your mail system, whatever it may be, is checking SPF, DKIM and DMARC on inbound mail and taking appropriate action when the sender's policies aren't met! In Exchange Online the verdicts are stamped into the Authentication-Results header of every inbound message, which is the first place to look when troubleshooting.
