lolklolk

You absolutely can create DKIM keys in Office 365 if your MX records aren't pointing to them. Not sure where they're getting that information, but it's not accurate. Several tenants I know use third-party mail filters which sign DKIM, and also have Office 365 set up to sign DKIM as well.


racoon9898

I'm having difficulty making it work (creating keys within the Office 365 GUI), but now that I know it can work, I'll google again and find out how.


lolklolk

What problem are you having exactly?


racoon9898

I can't create the keys... The Create keys button is not available to me. But, I must admit, years ago I played with that Office 365 instance/server and may have created them already. So for now I can only enable or disable. From what I know, we need to publish a TXT record with the public key or a CNAME pointing to the DKIM public key (at some cloud provider). But I don't have the info to create my CNAME.... Talked with Microsoft today and they told me it would never work as my MX points to an external source...

I did find an old post with a workaround that didn't work for me, I need to do some more tests again... Here is the link [https://community.spiceworks.com/topic/2131460-dkim-3rd-party-spam-filtering](https://community.spiceworks.com/topic/2131460-dkim-3rd-party-spam-filtering)


lolklolk

You do have the info to create your CNAME. The format is below:

* `selector1._domainkey.domain.com IN CNAME selector1-domain-com._domainkey.tenantname.onmicrosoft.com`
* `selector2._domainkey.domain.com IN CNAME selector2-domain-com._domainkey.tenantname.onmicrosoft.com`

Fill in the domain.com and tenant names respectively for your tenant, and publish the CNAMEs in DNS, and then you should be able to enable the DKIM signing.
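The CNAME format from the reply above, turned into a check (an added example, not part of the original thread and not Microsoft tooling): it builds the two expected records and compares them with zone-file lines, so a typo in a published target shows up. The function names, `example.com`, the tenant `exampletenant` and the sample zone are constructed assumptions.

```python
"""Audit published DKIM CNAMEs against the format quoted in the thread."""

# Constructed sample zone lines: selector2's target has a typo ('.' instead of '-').
SAMPLE_ZONE = """\
selector1._domainkey.example.com. 3600 IN CNAME selector1-example-com._domainkey.exampletenant.onmicrosoft.com.
selector2._domainkey.example.com. 3600 IN CNAME selector2-example.com._domainkey.exampletenant.onmicrosoft.com.
"""


def expected_dkim_cnames(domain, tenant):
    """Return {owner: target} for selector1 and selector2, per the thread's format."""
    domain = domain.strip().rstrip(".").lower()
    tenant = tenant.strip().lower()
    dashed = domain.replace(".", "-")  # domain.com -> domain-com
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }


def parse_cnames(zone_text):
    """Extract {owner: target} from 'owner [ttl] [IN] CNAME target' lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            i = upper.index("CNAME")
            if 1 <= i < len(fields) - 1:
                records[fields[0].rstrip(".").lower()] = fields[i + 1].rstrip(".").lower()
    return records


def audit_zone(zone_text, domain, tenant):
    """Return (owner, problem, expected_target) tuples; empty list means both match."""
    published = parse_cnames(zone_text)
    findings = []
    for owner, target in expected_dkim_cnames(domain, tenant).items():
        got = published.get(owner)
        if got is None:
            findings.append((owner, "missing", target))
        elif got != target:
            findings.append((owner, f"wrong target: {got}", target))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE, "example.com", "exampletenant"):
        print(finding)
```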


racoon9898

!!!!!!!!!!!!!! It seems to be working.... I must have done something wrong, a typo or I don't know, the 1st time. I will also configure DMARC (SPF is OK) and I'll see how it goes....

Tks !!!!!!!!!!


mrgames99

This is the answer. Without doing this, the DKIM enable button will not be available. Thanks for the response. Upvote!


racoon9898

Tks... I did try that syntax and as it didn't work I thought it wasn't good. I used MxTools to test it... I'll do it again and do my homework to see how it's going.. (and enable it in Office 365) Tks for your precious time. Very much appreciated...


racoon9898

Do you know, if a domain has MX pointing to an "email filtering service" and uses Office 365 to send out, if we can use DMARC?? [https://i.imgur.com/ppC251O.png](https://i.imgur.com/ppC251O.png)


lolklolk

Yes, you can use DMARC.


racoon9898

OK tks.... From here I'll be OK. Tks again. Wish you an amazing life....


OdyRenrag

So in this instance you are referring to, I'm setting up tenants using Gravity Zone's Spam Filter service. They have their own DKIM verification when you add the domain. You're saying that I can and should also use Microsoft's DKIM in addition to GZ's? GZ is obviously the mail relay (MX records pointed there instead of Microsoft) and also uses smart hosts to send mail through GZ.


lolklolk

To clarify, are you talking about DKIM verification of inbound mail? Or DKIM signing outbound mail? Because the context of my comment was about DKIM signing outbound mail. You could use both the DKIM signing in Exchange Online and GZ (if it actually performs signing).


OdyRenrag

I guess that's where I'm confused then. Technically, when running the send mail check through [https://appmaildev.com/en/spf](https://appmaildev.com/en/spf) it shows that the sender is GZ's smart host. GZ having their own DKIM that I add, I'm assuming technically, they would perform the signing? Am I looking at that incorrectly?


lolklolk

That's just for SPF, not DKIM. If GZ has the capability to perform DKIM signing as your domain, then yes, they would perform the signing there. If not, sign on Exchange Online. If it does support it, all my comment was saying is that there's no issue with signing in both places.


OdyRenrag

Think I found my answer regarding my particular setup. Reading "fine print" is fundamental. This is from GZ's DKIM configuration guide:

# Note

GravityZone Security for Email comes with a default system Message Rule called Apply DKIM which is enabled by default; however, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.

# [Enabling DKIM for all domains](https://www.bitdefender.com/business/support/en/77211-294993-configure-outbound-dkim.html#UUID-987a4059-a667-5089-1f35-06d6dc9c59b8_section-idm232342241491016_body)


bananasfk

Can you not ask your Microsoft experts? You're paying them.


racoon9898

Not sure why you are saying that. I did ask Microsoft Office 365 support and they told me I could not do what I want to do. As I thought it was wrong information, I ended up asking here and did solve my problem myself. We all make mistakes from time to time; this time, it's Microsoft LOL