This turned out to be really simple, and there are some really good tools and docs at https://dmarcian.com/
- set up DKIM DNS records
  - CNAME selector1._domainkey -> selector1-{domain}._domainkey.{office365domain}.onmicrosoft.com
  - CNAME selector2._domainkey -> selector2-{domain}._domainkey.{office365domain}.onmicrosoft.com
- set up DMARC DNS records
  - TXT _dmarc -> correct DMARC policy
Then enable DKIM signing in the Defender portal https://security.microsoft.com
- Email and Collaboration -> Policies and Rules -> Threat Policies -> Email Authentication settings
- select the domain, click on “sign messages for this domain with DKIM signatures”
It might take a while for the DNS records to propagate.
Finally, test the DMARC and DKIM settings. I used the DMARC Record Checker: https://dmarcian.com/domain-checker
If you end up using DMARC reporting and sending the reports to a third-party/alternate domain, you also need to set up DNS records in the receiving domain:
- set up External Domain Verification (EDV) records in DNS
  - TXT {domain}._report._dmarc -> v=DMARC1