How DKIM works in Microsoft 365 – digital signing for email security
DKIM (DomainKeys Identified Mail) in Microsoft 365 is a security feature that digitally signs outgoing email, verifying that the message has not been altered during transmission. By combining DKIM with SPF and DMARC, receiving servers can ensure that the email really comes from the company’s domain and has not been tampered with. This reduces the risk of phishing, spoofing and delivery problems.
Background and overview
DKIM is an email authentication standard that protects your brand and improves delivery reliability. In Microsoft 365, DKIM is used to digitally sign messages. This allows receiving servers to verify that the content has not been tampered with.
What is DKIM?
DKIM uses cryptographic keys to sign the email headers. This allows the recipient to verify that the message is unaltered and has indeed been sent from the specified domain.
How DKIM works in practice
Outgoing emails are signed with a private key stored in Microsoft 365. Receiving servers retrieve the public key from DNS and verify the signature. This ensures that the message is authentic.
Advantages of DKIM
DKIM reduces the risk of email spoofing and phishing, strengthens domain reputation and improves the deliverability of legitimate email.
DKIM together with SPF and DMARC
Along with SPF and DMARC, DKIM contributes to robust email authentication that verifies both sender and message integrity.
Activation in Microsoft 365
Administrators can enable DKIM via the Microsoft 365 Security & Compliance Center or PowerShell. The domain must have correct DNS records for the public key.
Monitoring and reporting
Administrators can use DMARC reports to monitor DKIM signatures and identify problems with email authentication or unauthorized senders.
Common mistakes
Common errors include incorrectly configured DNS records, incomplete activation for all domains, or conflicts with third-party email providers.
Key points about DKIM in Microsoft 365
- Digital signature: Ensures that emails have not been tampered with during transmission.
- Verification via DNS: The receiving server uses the public key to validate the signature.
- Spoofing protection: prevents attackers from sending emails in the company’s name.
- Integration with SPF and DMARC: Creates a complete email authentication.
- Improved delivery reliability: legitimate messages reach recipients without being flagged as spam.
- Monitoring and reporting: Identifies problems and suspicious senders via DMARC reports.
Related questions
What is DKIM in Microsoft 365?
DKIM is a security standard that digitally signs emails to verify that they come from the correct domain and have not been tampered with.
How to activate DKIM?
The administrator enables DKIM via Microsoft 365 Security & Compliance Center or PowerShell and ensures correct DNS configuration.
Why use DKIM together with SPF and DMARC?
To create a strong authentication that verifies both the sender and the integrity of the message and reduces the risk of spoofing.
Can DKIM prevent phishing completely?
No, but it significantly reduces the risk when used in conjunction with SPF, DMARC and user training.
What happens if DKIM does not work?
Incorrect configuration can lead to legitimate emails being flagged as spam or not delivered.
