In our first post, we went through a brief overview of DKIM and why it is an important mechanism for protecting your domain against spoofing and email-based impersonation. In this post, we will run through the process of setting up DKIM for a custom domain in an Exchange Online/Office 365 email environment. Until this is done, our emails are DKIM signed using the standard DKIM signature that comes out of the box with the default onmicrosoft.com domain, which does not protect your custom domain (i.e. companyname.com) from being spoofed.
The simplest way to set up DKIM for Exchange Online/Office 365 is via PowerShell. While the official Microsoft guide indicates that it is possible to configure via the GUI, we haven’t been able to find a way to do this in the admin center. The PowerShell process consists of:
- Creating 2 Selector records
- Adding Selector records to your DNS
- Enabling DKIM on the Domain
Setting up Office 365 DKIM via PowerShell
To do this you will need the Exchange Online Module which can be installed by running the following command in PowerShell:
Once the module has been installed, import it and use the following command to connect to Exchange Online.
Once connected, we have to create 2 selector records for our custom domain using the following command. In our case, the domain will be Haydrive.com. This will provide us with the 2 CNAME records we need to add to DNS.
Once we have the 2 records (using the second PowerShell command above), we navigate to our DNS hosting solution, add the 2 records to our domain’s DNS in the following format, and save.
Now that we have the selector records added to our DNS, we can go ahead and enable DKIM for our domain. At this point, we can do this either via the Office 365 DKIM admin center (https://protection.office.com/dkimv2) or via PowerShell.
Enabling DKIM via the Admin center
Navigate to https://protection.office.com/dkimv2, select the appropriate domain, then switch the DKIM toggle from disabled to enabled.
Enabling DKIM via PowerShell
To enable DKIM via PowerShell simply run the following command:
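The PowerShell procedure described above, end to end, as an added example (not the original post's own commands). It assumes the haydrive.com domain from the post and a placeholder admin account, and goes one step beyond the text by checking with Resolve-DnsName that both selector CNAMEs are published before signing is enabled.

```powershell
# Added example. Assumptions: haydrive.com is the custom domain (from the post);
# admin@haydrive.com is a placeholder for your Exchange Online admin account.
$Domain = 'haydrive.com'
$Admin  = 'admin@haydrive.com'

# 1. Install (if needed) and load the Exchange Online module, then connect.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $Admin

# 2. Create the signing config in a disabled state if the tenant has none yet.
#    This is what generates the two selectors for the domain.
$cfg = Get-DkimSigningConfig | Where-Object { $_.Domain -eq $Domain }
if (-not $cfg) {
    New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
    $cfg = Get-DkimSigningConfig | Where-Object { $_.Domain -eq $Domain }
}

# 3. The two CNAME records to publish: host name -> target reported by the tenant.
$records = @(
    [pscustomobject]@{ Name = "selector1._domainkey.$Domain"; Target = $cfg.Selector1CNAME }
    [pscustomobject]@{ Name = "selector2._domainkey.$Domain"; Target = $cfg.Selector2CNAME }
)
$records | Format-Table -AutoSize

# 4. Confirm each CNAME resolves to the expected target before enabling.
$missing = foreach ($r in $records) {
    $match = Resolve-DnsName -Name $r.Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.NameHost -and ($_.NameHost.TrimEnd('.') -eq $r.Target.TrimEnd('.')) }
    if (-not $match) { $r }   # record absent, not yet propagated, or wrong target
}

# 5. Enable signing only when both selectors are visible in DNS.
if ($missing) {
    Write-Warning "DKIM not enabled: these CNAME records are missing or incorrect."
    $missing | Format-Table -AutoSize
} else {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig | Where-Object { $_.Domain -eq $Domain } |
        Format-List Domain, Enabled, Status
}

Disconnect-ExchangeOnline -Confirm:$false
```

If step 4 reports missing records right after you add them, wait for DNS propagation and run the script again; it is safe to re-run because it reuses an existing signing config.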
Verifying DKIM using Redsift
Now that we have DKIM enabled for our custom domain, we can use Redsift’s DKIM tool (https://tools.redsift.com/sift/investigate) to verify that our emails are being signed for the haydrive.com domain. Below is what this looks like, showing that our emails for Haydrive.com are now being DKIM signed.
How is your Email Security configuration?
One of the main reasons I started this blog is to provide small businesses in Edinburgh and beyond with dynamic and adaptable enterprise-level Cloud IT and Security information, with a special focus on Microsoft 365. If you would like a quick, no-strings-attached email security and domain audit, feel free to contact us for a free bespoke email security audit report.