This article covers the SPF and DKIM authentication processes for M365 and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.
TABLE OF CONTENTS
- Configuring DKIM authentication for your M365 emails
- Adding the M365 DKIM keys in Enforce
- Enabling Office 365 DKIM signing
- Configuring SPF authentication for your M365 emails
- Enable SPF alignment in M365 for your domain
Configuring DKIM authentication for your M365 emails
1. Sign in to Office 365 using your admin account and choose Admin.
2. Once in the Admin center, expand Admin centers and choose Exchange.
3. Go to protection > dkim.
4. Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.
Note: If you haven't created the relevant CNAME records, you will need to do so as per the instructions here.
Creating the Office 365 DKIM records
When you provision a new domain name in Office 365, you will need to create two CNAME records for it so that it points to your initial domain.
The example below is set for example.onmicrosoft.com as the tenant domain in M365.
After example.onmicrosoft.com is provisioned in M365, you will need to publish the two CNAME records so that your domain example.com points to example.onmicrosoft.com:
Note: Please pay close attention to the domainGUID which does not use a full stop "." but a hyphen "-" instead.
The CNAME record value syntax will also pop up when you click on Enable DKIM from your Office 365 admin center.
The two CNAME records are needed so that Microsoft will rotate the two keys for added security.
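The following check is an added example, not code from Valimail or Microsoft. It builds the two CNAME records expected for a custom domain and flags the full-stop-instead-of-hyphen mistake in the domainGUID. The record pattern (selectorN._domainkey.<domain> pointing to selectorN-<domainGUID>._domainkey.<tenant domain>) is an assumption; the value shown when you click Enable in the Office 365 admin center is authoritative. The function names and the sample records are constructed for illustration.

```python
# Added example, not Valimail or Microsoft code. The record pattern is an
# assumption: selectorN._domainkey.<domain> -> selectorN-<domainGUID>._domainkey.<tenant>
SELECTORS = ("selector1", "selector2")


def norm(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().rstrip(".").lower()


def domain_guid(custom_domain):
    """example.com -> example-com: hyphens replace the full stops."""
    return norm(custom_domain).replace(".", "-")


def expected_cnames(custom_domain, tenant_domain):
    """Return {record name: CNAME target} for both selectors."""
    custom, tenant = norm(custom_domain), norm(tenant_domain)
    guid = domain_guid(custom)
    return {f"{s}._domainkey.{custom}": f"{s}-{guid}._domainkey.{tenant}"
            for s in SELECTORS}


def audit(custom_domain, tenant_domain, published):
    """Compare published CNAMEs (name -> target) with the expected pair."""
    custom, guid = norm(custom_domain), domain_guid(custom_domain)
    seen = {norm(k): norm(v) for k, v in published.items()}
    findings = []
    for name, want in expected_cnames(custom_domain, tenant_domain).items():
        got = seen.get(name)
        if got is None:
            status = "missing"
        elif got == want:
            status = "ok"
        elif got == want.replace(guid, custom, 1):
            status = "full stop in domainGUID, expected hyphen"
        else:
            status = f"unexpected target: {got}"
        findings.append((name, status))
    return findings


# Constructed sample: selector1 has the full-stop mistake, selector2 is absent.
SAMPLE = {
    "selector1._domainkey.example.com.":
        "selector1-example.com._domainkey.example.onmicrosoft.com.",
}

if __name__ == "__main__":
    for name, status in audit("example.com", "example.onmicrosoft.com", SAMPLE):
        print(f"{name}: {status}")
```

To audit live records, fill the published mapping from your own DNS lookups for both selector names before calling audit.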
Adding the M365 DKIM keys in Enforce
1. Please go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM keys.
You can find more detailed information on how to add a DKIM key in Valimail Enforce here.
Enabling Office 365 DKIM signing
Once you have added the CNAME records (two per domain) in the Valimail Enforce platform, Office 365 DKIM signing can be enabled through the Office 365 admin center.
Configuring SPF authentication for your M365 emails
Once you establish that Microsoft Office 365 is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.
We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.
You may notice that M365 emails are not authenticated via SPF, even after you have added M365 to your domain's configuration. This is likely caused by M365 not sending SPF-aligned mail and can be corrected by making sure SPF alignment for your domain has been turned on in M365.
Enable SPF alignment in M365 for your domain
You can find out more details on how to make sure SPF alignment is enabled for your domain in M365 here.
As always, if you have any questions, please don't hesitate to submit a ticket.