
Enable DKIM by using PowerShell

Microsoft 365 uses DomainKeys Identified Mail (DKIM) so that destination email systems can verify, through public-key cryptography, that messages sent outbound from your custom domain really came from that domain and were not altered in transit: Microsoft 365 signs each outbound message with a private key, and the receiver checks the signature against the public key published in DNS.

Once you have published the two CNAME records for the domain in your DNS panel, you are ready to enable DKIM signing in Microsoft 365.

You can do this either through the Microsoft 365 Admin Center or by using PowerShell.

 

Windows PowerShell needs to be configured to run scripts, and by default it is not. When you try to connect you will get an error like the following:

“File cannot be loaded because script execution is disabled on this system.

Please provide a valid certificate with which to sign files.”

 

If the admin center does not offer you an option to enable the DKIM signature for the domain, you can turn it on with PowerShell instead.

With the RemoteSigned execution policy, scripts you download from the Internet must be signed by a trusted publisher, while scripts you write locally run without a signature. Setting the policy for -Scope CurrentUser does not require an elevated window (a Windows PowerShell window opened with Run as administrator); only a machine-wide scope does.

On your local computer, open Windows PowerShell and run the following commands.

1) Allow scripts to run for your user:

Set-ExecutionPolicy -Scope:CurrentUser -ExecutionPolicy:RemoteSigned

2) Capture your admin credentials:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your Microsoft 365 admin ID and password, and then click OK.

3) Connect to Exchange Online and import the session (without the import, the Exchange cmdlets are not available in your window):

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Note that this legacy endpoint relies on Basic authentication, which Microsoft has retired for Exchange Online remote PowerShell. On a current tenant use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead; it uses modern authentication and needs no Get-Credential step.

4) Enable DKIM signing for your custom domain:

New-DkimSigningConfig -DomainName surajb.com -Enabled $true

Replace surajb.com with the custom domain you want to enable DKIM signing for. The DomainName is your custom domain, not the onmicrosoft.com initial domain, which Microsoft signs by default. If a signing config already exists for the domain, which is usually the case because Microsoft creates one when the domain is added to the tenant, New-DkimSigningConfig will fail; enable the existing config with Set-DkimSigningConfig -Identity surajb.com -Enabled $true. Either command errors out if the two CNAME records are not yet published in DNS.

 

Alternatively, to enable it from the portal:

1. Go to protection --> dkim (the Security & Compliance Center path; in the Microsoft Defender portal the same page is under Email & collaboration --> Policies & rules --> Threat policies --> Email authentication settings --> DKIM).

2. Select the domain for which you want to enable DKIM, and under "Sign messages for this domain with DKIM signatures" select Enable.

Repeat this step for each custom domain.
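The whole PowerShell procedure above, as an added example that is not code from the original post: it connects with the ExchangeOnlineManagement module (modern authentication, replacing the Basic-auth New-PSSession step), creates the signing config only if it is missing, prints the exact CNAME records the tenant expects, and enables signing on request. surajb.com is the post's example domain; admin@surajb.com and the function name are assumptions.

```powershell
# Added example, not code from the original post. Prerequisite:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Assumed names: surajb.com (custom domain), admin@surajb.com (hypothetical admin).

function Enable-CustomDomainDkim {
    param(
        [Parameter(Mandatory)][string]$Domain,    # custom domain to sign for, e.g. surajb.com
        [Parameter(Mandatory)][string]$AdminUpn,  # Exchange admin used to sign in (modern auth)
        [switch]$Enable                           # without this the function only reports and prints the CNAMEs
    )

    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

    try {
        $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
        if (-not $cfg) {
            # No signing config yet (Microsoft usually pre-creates one when a domain
            # is added). Create it disabled so the keys exist before any mail is signed.
            $null = New-DkimSigningConfig -DomainName $Domain -Enabled $false -KeySize 2048
            $cfg  = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop
        }

        # The CNAME targets come from the config itself, so there is no need to
        # hand-build the dashed-domain form.
        $records = foreach ($s in 1, 2) {
            [pscustomobject]@{
                Type   = 'CNAME'
                Host   = "selector$s._domainkey.$Domain"
                Target = $cfg."Selector${s}CNAME"
                TTL    = 3600
            }
        }
        Write-Host "DNS records required for $Domain (publish before enabling):"
        $records | Format-Table -AutoSize | Out-String | Write-Host

        if ($cfg.Enabled) {
            Write-Host "DKIM signing is already enabled for $Domain."
        }
        elseif ($Enable) {
            # Exchange Online refuses to enable signing until both CNAMEs resolve,
            # so a CNAME error here means DNS has not propagated yet; nothing changes.
            Set-DkimSigningConfig -Identity $Domain -Enabled $true -ErrorAction Stop
            Write-Host "DKIM signing enabled for $Domain."
        }
        else {
            Write-Host "Re-run with -Enable once both CNAME records have propagated."
        }

        # Return the final state so the caller can check Enabled and Status.
        Get-DkimSigningConfig -Identity $Domain |
            Select-Object Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage: the first run prints the records to publish; the second run, after DNS
# has propagated, turns signing on.
Enable-CustomDomainDkim -Domain 'surajb.com' -AdminUpn 'admin@surajb.com'
# Enable-CustomDomainDkim -Domain 'surajb.com' -AdminUpn 'admin@surajb.com' -Enable
```

Keeping the enable step behind a switch is deliberate: the same script can be run once to read the CNAME targets out of the tenant and again later to enable, so nobody has to retype the dashed-domain target by hand.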

 

Record Type: CNAME

Host name: selector1._domainkey
Points to address or value: selector1-surajb-com._domainkey.surajb.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-surajb-com._domainkey.surajb.onmicrosoft.com
TTL: 3600

(If your DNS panel asks for the fully qualified host name, enter selector1._domainkey.surajb.com and selector2._domainkey.surajb.com.)

 

The reason for two CNAME records is key rotation: Microsoft signs with one selector at a time and periodically switches to the other, so a key can be replaced without interrupting signing. Receivers look up whichever selector the message's DKIM-Signature header names in its s= tag, which is why both records must stay published. You can also trigger a rotation yourself with Rotate-DkimSigningConfig.

 

In the CNAME target the custom domain is written with dashes instead of dots (surajb-com rather than surajb.com).

This is the same form that appears in the domain's Microsoft 365 MX record (surajb-com.mail.protection.outlook.com); if in doubt, read the exact targets from Get-DkimSigningConfig (the Selector1CNAME and Selector2CNAME properties).
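An added example, not part of the original post, that turns the two rules above (dashes for dots in the target, one record per selector) into a check you can run after publishing the records and before enabling signing. It confirms that each selector host is a CNAME to the expected target and that Microsoft is publishing a DKIM public key there. surajb.com and surajb.onmicrosoft.com are the post's example names; the function names are assumptions, and Resolve-DnsName is the Windows DnsClient cmdlet, so this runs on Windows.

```powershell
# Added example, not code from the original post. Assumed names: surajb.com
# (custom domain), surajb.onmicrosoft.com (tenant initial domain).

function Get-ExpectedDkimCname {
    param(
        [Parameter(Mandatory)][string]$Domain,         # custom domain, e.g. surajb.com
        [Parameter(Mandatory)][string]$InitialDomain,  # tenant initial domain, e.g. surajb.onmicrosoft.com
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Selector
    )
    # The custom domain appears in the target with dashes instead of dots, the
    # same form Microsoft uses in the domain's MX record
    # (surajb-com.mail.protection.outlook.com).
    $dashed = $Domain.ToLowerInvariant() -replace '\.', '-'
    [pscustomobject]@{
        Host   = "selector$Selector._domainkey.$Domain"
        Target = "selector$Selector-$dashed._domainkey.$InitialDomain"
    }
}

function Test-DkimCname {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$InitialDomain
    )
    foreach ($s in 1, 2) {
        $expected = Get-ExpectedDkimCname -Domain $Domain -InitialDomain $InitialDomain -Selector $s

        # 1. Does the selector host exist, and is it a CNAME to the expected target?
        #    -DnsOnly skips the local cache and hosts file so a stale answer is not trusted.
        $actual = $null
        try {
            $actual = (Resolve-DnsName -Name $expected.Host -Type CNAME -DnsOnly -ErrorAction Stop |
                       Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
        }
        catch { }   # NXDOMAIN or timeout: leave $actual empty and report it below
        $cnameOk = $actual -and ($actual.TrimEnd('.') -ieq $expected.Target)

        # 2. Does Microsoft publish a key at the target? Expect a TXT record with
        #    v=DKIM1 and a non-empty p= tag; an empty p= means no usable key yet.
        $txt = Resolve-DnsName -Name $expected.Target -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'TXT'
        $record = ($txt | ForEach-Object { -join $_.Strings }) -join ''
        $keyOk  = ($record -match 'v=DKIM1') -and ($record -match 'p=[A-Za-z0-9+/=]+')

        [pscustomobject]@{
            Selector       = $s
            Host           = $expected.Host
            ExpectedTarget = $expected.Target
            ActualTarget   = $actual
            CnameOk        = [bool]$cnameOk
            KeyPublished   = $keyOk
        }
    }
}

# Usage: run after publishing the records; enable signing only when every row is OK.
$results = Test-DkimCname -Domain 'surajb.com' -InitialDomain 'surajb.onmicrosoft.com'
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.CnameOk -or -not $_.KeyPublished }) {
    Write-Warning 'Fix the records above before running Set-DkimSigningConfig -Enabled $true.'
}
```

The check compares the resolved target against the expected one rather than just testing that the host exists, because a CNAME that points at a typo'd target resolves fine but will never carry a key, and Exchange Online will refuse to enable signing for it.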

 

Enable the DKIM signature: once you have added the two CNAME records for each domain, DKIM signing can be enabled using either the Microsoft 365 Admin Center or Windows PowerShell, as described above.

 


Thank you for reading the blog; please do like, share, and leave your thoughts in the comment section.

Comments

  1. Good post. Likewise, you can have DMARC and SPF; it should be none/quarantine/reject, whichever will be the best of the 3.

    Replies
    1. Thank you NeelK. Yes, first you have to add the SPF records in the DNS panel, then DKIM, and then the DMARC record according to your choice of policy (none/quarantine/reject); as per my suggestion, the reject option is best for rejecting spoofed mail.