
We're using Microsoft 365 (outlook.office.com) for our company emails and have had DKIM set up for a while, but recently added a DMARC record. I now got a DMARC report from Google where every record has <dkim>fail</dkim> while all auth_results in it have "pass", like this:

  <record>
    <row>
      <source_ip>2a01:111:f403:260d::601</source_ip> <!-- mail-db5eur01on0601.outbound.protection.outlook.com. -->
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>COMPANYDOMAIN.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>SENDERDOMAIN.onmicrosoft.com</domain>
        <result>pass</result>
        <selector>selector2-SENDERDOMAIN-onmicrosoft-com</selector>
      </dkim>
      <spf>
        <domain>COMPANYDOMAIN.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

What does this mean? How do I troubleshoot why DKIM validation fails here?

When I test it by sending to dkimvalidator.com it reports "result = pass" for DKIM (and for SPF).

2 Answers

  1. You're not using outlook.com for your email. You're using Microsoft 365.

  2. You need to create a DKIM record for your verified domain. You can enable DKIM for your verified domain in the Microsoft 365 Security Admin center > Email & collaboration > Policies & rules > Threat policies > Email authentication settings.

  3. Once you enable DKIM for your verified domain, you'll need to create CNAME records in your DNS based on the info generated in the Security Admin center > Email & collaboration > Policies & rules > Threat policies > Email authentication settings.

  • Thanks. It's set up now and the DMARC reports are a mixture of pass and fail. Mostly pass, but sometimes fail - sometimes for the same sender IP! Any idea how to troubleshoot that, given that the DMARC reports give no details? (The same happens for SPF, by the way, but not "in sync" with DKIM - usually one passes while the other fails.)
    – EM0
    Commented Jan 31 at 11:33
  • Try this free tool to analyze your reports - us.dmarcian.com/xml-to-human-converter/…
    – joeqwerty
    Commented Jan 31 at 13:11

The mail in question fails DKIM because it does not have any valid DKIM signature that is hosted on the domain COMPANYDOMAIN.com. Since you are sending it from COMPANYDOMAIN.com, you need to have a DKIM record that is under COMPANYDOMAIN.com (it can be a CNAME to an external domain).

The requirement for the DKIM domain to match the From domain is so a spammer cannot just specify their own domain name, which they fully control and thus can make DKIM always pass.

Your message is passing under DMARC as SPF-only; for the message to pass, you need either a valid DKIM or a valid SPF check.
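The alignment check behind the <dkim>fail</dkim> in the question's report, as an added example (not part of the question or of either answer; standard-library Python only). It recomputes the DMARC-level DKIM and SPF outcome for each <record> from auth_results plus the published alignment mode, which is exactly the step an aggregate report does not spell out: a DKIM signature that verifies (result=pass) still counts as fail for DMARC when its d= domain does not align with the header From domain. The report text is constructed: record 1 is the question's record wrapped in a minimal <feedback>, and record 2 is a constructed "after" case showing the same sending IP once the custom domain is signed with d=COMPANYDOMAIN.com as the first answer describes. The organizational-domain lookup is simplified to the last two labels (an assumption; RFC 7489 uses the Public Suffix List).

```python
"""Recompute DMARC identifier alignment for each <record> in an aggregate report.

Added example, not code from the question or either answer. The sample report
is constructed: record 1 is the question's record, record 2 is a constructed
"after" case where the custom domain itself signs (d=COMPANYDOMAIN.com).
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>COMPANYDOMAIN.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>2a01:111:f403:260d::601</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>COMPANYDOMAIN.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>SENDERDOMAIN.onmicrosoft.com</domain><result>pass</result>
            <selector>selector2-SENDERDOMAIN-onmicrosoft-com</selector></dkim>
      <spf><domain>COMPANYDOMAIN.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2a01:111:f403:260d::601</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>COMPANYDOMAIN.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>COMPANYDOMAIN.com</domain><result>pass</result><selector>selector1</selector></dkim>
      <spf><domain>COMPANYDOMAIN.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    RFC 7489 section 3.2 uses the Public Suffix List; two labels is an
    assumption that holds for the .com names in this report."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """RFC 7489 section 3.1: strict ('s') needs identical domains, relaxed
    ('r') needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(report_xml):
    """One dict per <record>: DMARC-level DKIM/SPF recomputed from auth_results
    and the published adkim/aspf modes, next to what the reporter said."""
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    adkim = pub.findtext("adkim", default="r")
    aspf = pub.findtext("aspf", default="r")
    out = []
    for rec in root.findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        # An identifier counts for DMARC only if it BOTH passed and aligns
        # with the RFC5322.From domain; a passing but unaligned d= is "fail".
        dkim = [(d.findtext("domain"), d.findtext("result"),
                 aligned(d.findtext("domain"), hfrom, adkim))
                for d in rec.findall("auth_results/dkim")]
        spf = [(s.findtext("domain"), s.findtext("result"),
                aligned(s.findtext("domain"), hfrom, aspf))
               for s in rec.findall("auth_results/spf")]
        dkim_ok = any(r == "pass" and al for _, r, al in dkim)
        spf_ok = any(r == "pass" and al for _, r, al in spf)
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": hfrom,
            "dkim": "pass" if dkim_ok else "fail",
            "spf": "pass" if spf_ok else "fail",
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
            "reported_dkim": rec.findtext("row/policy_evaluated/dkim"),
            "reported_spf": rec.findtext("row/policy_evaluated/spf"),
            "dkim_details": dkim,
            "spf_details": spf,
        })
    return out


def explain(r):
    """Human-readable reason per record: the detail the report itself omits."""
    lines = ["%s x%d From=%s: DMARC %s (dkim=%s spf=%s; reporter: dkim=%s spf=%s)"
             % (r["source_ip"], r["count"], r["header_from"], r["dmarc"],
                r["dkim"], r["spf"], r["reported_dkim"], r["reported_spf"])]
    for dom, res, al in r["dkim_details"]:
        lines.append("  DKIM d=%s result=%s aligned=%s" % (dom, res, al))
    for dom, res, al in r["spf_details"]:
        lines.append("  SPF  domain=%s result=%s aligned=%s" % (dom, res, al))
    return "\n".join(lines)


if __name__ == "__main__":
    for record in evaluate(SAMPLE_REPORT):
        print(explain(record))
```

Run it against a real report by replacing SAMPLE_REPORT with the file contents; for record 1 the DKIM line shows result=pass but aligned=False, which is why the reporter's policy_evaluated says dkim=fail while the overall DMARC result is still pass on SPF alone. Comparing the recomputed values with the reported_dkim/reported_spf fields is also a quick way to catch a receiver evaluating alignment differently than you expect.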
