Setting up DKIM on Exchange 2013 and Exchange Online Hybrid
Today I finally bit the bullet and decided to configure DKIM on our hybrid Exchange environment. It was a lot easier than I thought it would be initially and I wanted to give an overview of how I did it and to clear up a misconception I had going into it.
Misconception:
You can only have one DKIM TXT record in your DNS and therefore need to have the same key pair in the on-prem and online environments: False!
If you use selectors(search for "selector"), you can have many DKIM TXT records and, many DKIM public/private key pairs.
How to enable DKIM:
I want to point out here that the following instructions are not unique to a Hybrid environment, you could do the On-Prem instructions if that is all you run and vice-versa for Online.
Exchange Online
- Login to the exchange Admin Centre and click on Protection on the left.
- Select the domain you want and click Enable on the right. This will throw an error saying that you need to create some CNAME records, select the text from that message by starting with some text that is not in the error message and copy it all to notepad. Two domain names in here are of interest we'll call them selector1 and selector2.
- Create two new CNAME records:
Host | Value |
---|---|
selector1._domainkey |
<selector1> |
selector2._domainkey |
<selector2> |
Replace
<selector1>
with the appropriate selector you took from the error message.
- You will have to wait a while for the DNS to propagate. You should also refresh the Exchange Admin Centre page while you wait and then try to enable DKIM again. If it throws the error, wait longer and refresh the webpage again.
Exchange On-Prem
Exchange 2016 and below don't come with DKIM signing out of the box, and there are plenty of paid solutions to this problem. Thankfully though I found a great, open source project on GitHub that is free and works with very little configuration! DKIM Exchange Signer is what I used. The install instructions are pretty basic; I did an Online Install, then configured it using the GUI. You add the domain you want to sign, add a selector, generate a new key, and create the suggested DNS record. Once you save the config, it is live.
Testing
Once you have configured all of this, you can check the config works by sending an email to mailtest@unlocktheinbox.com, or by sending an email to your personal Gmail account and checking if a message you received is encrypted. You will need to send an email from each environment you have configured.