Introduction
DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain, such as speakeasy-aphasia.org.uk. Without correct configuration, emails sent by Speakeasy could get rejected as spam. This article describes how DKIM and SPF were configured for Speakeasy.
Configuration
Obtain Keys
Navigate to:
https://security.microsoft.com/authentication?viewid=DKIM
Click on a domain for which DKIM is to be enabled – in our case it was speakeasy-aphasia.org.uk.
Click the “Create DKIM Keys” button. A screen will appear containing some CNAME records.
Copy these keys using the Copy button.
Configure DNS records
Log in to our web address provider, FastHosts (details are in BitWarden).
Navigate to Domain Names > speakeasy-aphasia.org.uk > DNS.
Add the keys that were copied in the previous step as CNAME records:
Domain: Speakeasy570.onmicrosoft.com
Host Name : selector1._domainkey
Points to: selector1-Speakeasy570-onmicrosoft-com._domainkey.Speakeasy570.onmicrosoft.com
Host Name : selector2._domainkey
Points to: selector2-Speakeasy570-onmicrosoft-com._domainkey.Speakeasy570.onmicrosoft.com
Domain: speakeasy-aphasia.org.uk
Host Name : selector1._domainkey
Points to: selector1-speakeasyaphasia-org-uk02c._domainkey.Speakeasy570.onmicrosoft.com
Host Name : selector2._domainkey
Points to: selector2-speakeasyaphasia-org-uk02c._domainkey.Speakeasy570.onmicrosoft.com
NOTE: Configure just the second of the above domains in FastHosts (the first one is not a FastHosts domain, so it doesn’t need adding).
Check DKIM Configuration
Go back to the DKIM page for each of the domains and click “Enabled”. speakeasy570.onmicrosoft.com should return without an error as it should already be configured by Microsoft.
Repeat for speakeasy-aphasia.org.uk – an error will appear until the CNAME records have been propagated – keep trying periodically.
DMARC configuration
Follow the article given below.
https://learn.microsoft.com/en-gb/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide
Note: configuration is similar to DKIM, except that TXT records need to be created in FastHosts rather than CNAME records.
Follow the guidelines regarding a gradual transition from “p=none” to “p=reject” for any domains other than the onmicrosoft.com domain.
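The CNAME propagation check and the DMARC policy stage described above can also be verified from a command line. The script below is an added example, not part of the original article or of Microsoft's tooling; it assumes the `dig` tool is installed, uses the standard `_dmarc` lookup name, and its function names are illustrative.

```python
import subprocess
# CNAME records listed on this page for speakeasy-aphasia.org.uk
EXPECTED = {
    "selector1._domainkey.speakeasy-aphasia.org.uk":
        "selector1-speakeasyaphasia-org-uk02c._domainkey.Speakeasy570.onmicrosoft.com",
    "selector2._domainkey.speakeasy-aphasia.org.uk":
        "selector2-speakeasyaphasia-org-uk02c._domainkey.Speakeasy570.onmicrosoft.com",
}

def norm(name):
    """DNS names are case-insensitive and the trailing root dot is optional."""
    return name.strip().rstrip(".").lower()

def dig(name, rtype):
    """Assumption: the `dig` tool is installed. Returns the non-empty answer lines."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, timeout=15).stdout
    return [line for line in out.splitlines() if line.strip()]

def check_dkim(expected=EXPECTED, lookup=dig):
    """Map each host name to 'ok', 'missing' (not yet propagated) or 'wrong: <target>'."""
    result = {}
    for host, target in expected.items():
        answers = [norm(a) for a in lookup(host, "CNAME")]
        if not answers:
            result[host] = "missing"
        elif norm(target) in answers:
            result[host] = "ok"
        else:
            result[host] = "wrong: " + answers[0]
    return result

def dmarc_policy(txt_records):
    """Return the p= value of the single DMARC record; None if absent or duplicated."""
    recs = [t.strip().strip('"') for t in txt_records]
    recs = [t for t in recs if t.startswith("v=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")

if __name__ == "__main__":
    for host, state in check_dkim().items():
        print(host, "->", state)
    print("DMARC policy:", dmarc_policy(dig("_dmarc.speakeasy-aphasia.org.uk", "TXT")))
```

A result of "missing" corresponds to the portal error seen while the CNAME records are still propagating; "wrong" means the record exists but does not match the value copied from the DKIM page.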