question

0 Votes
DorianEley-7672 asked Crystal-MSFT edited

Azure Email forwarding for external domain + dkim

We need to be able to send email for xxx@externaldomain.com, and we also need to apply DKIM. This domain is already managed by the company that owns it on their Azure account, so Azure won't allow us to administer it in any way or add it to domains. Is there a way to add this email for this domain and add DKIM to it? They will add whatever DNS records we need, but everything I find relating to sending email for a domain in O365/Azure requires authenticating that we own the domain, and Azure won't let two different accounts manage the same domain for any services.

office-exchange-server-administration

Hi @DorianEley-7672

Agree with Andy's suggestions below. Feel free to share your update here if any.



Hi,

I am writing to see how everything is going with this thread. If you still have any further concerns about this, please feel free to let us know.

0 Votes
AndyDavid answered

Your sending infrastructure would need to apply the DKIM headers and hashes, and they would simply have a CNAME that points to you in their DNS.
If you can't do that, you may want to look at a 3rd party solution and have them apply DKIM to the messages.

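The CNAME delegation described in the answer above, as an added example that is not part of the thread or of any Microsoft tooling: it follows the owner's CNAME to the sender's key record in a constructed in-memory zone and checks that the signature's `d=` aligns with the From domain. The selector names, `sender.example`, and the `p=` value are assumptions made up for illustration.

```python
# Added example. All names and the p= value are constructed placeholders.
ZONE = {
    # Record the domain owner publishes: a pointer into the sender's zone.
    ("sel1._domainkey.externaldomain.com", "CNAME"): "sel1._domainkey.sender.example",
    # Record the sender controls: the public key, rotatable without the owner.
    ("sel1._domainkey.sender.example", "TXT"): "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY",
    # A revoked selector: an empty p= means the key must not be used.
    ("old._domainkey.sender.example", "TXT"): "v=DKIM1; k=rsa; p=",
}

def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax of DKIM signatures and key records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def lookup_key(selector, domain, zone, max_hops=5):
    """Follow CNAMEs from <selector>._domainkey.<domain> to the TXT key record."""
    name = f"{selector}._domainkey.{domain}".lower()
    for _ in range(max_hops):  # bound the chain so a CNAME loop cannot hang us
        if (name, "TXT") in zone:
            return name, parse_tags(zone[(name, "TXT")])
        if (name, "CNAME") not in zone:
            break
        name = zone[(name, "CNAME")].lower()
    return name, None

def check_delegation(from_addr, dkim_signature, zone):
    """Report DMARC-style alignment and whether a usable key is published."""
    sig = parse_tags(dkim_signature)
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    d = sig.get("d", "").lower()
    # Simplified alignment: exact match, or From is a subdomain of d=.
    aligned = bool(d) and (from_domain == d or from_domain.endswith("." + d))
    owner, key = lookup_key(sig.get("s", ""), d, zone)
    usable = key is not None and key.get("v", "DKIM1") == "DKIM1" and bool(key.get("p"))
    return {"aligned": aligned, "key_record": owner, "key_usable": usable}

if __name__ == "__main__":
    sig = "v=1; a=rsa-sha256; d=externaldomain.com; s=sel1; h=from:to:subject"
    print(check_delegation("xxx@externaldomain.com", sig, ZONE))
```

Signing with `d=sender.example` instead would still find a key but report `aligned: False`, which is why the owner's CNAME is needed for the signature to count toward DMARC on their domain.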

0 Votes
DorianEley-7672 answered

Yes, I just can't find if there is a way to do this, pretty much searching for information and hoping someone out there has done it or knows more than me (not hard).


0 Votes
AndyDavid answered

Third party mailing vendors can definitely do this for you.
If you are sending from your Exchange Server then you would need to route through 365 or a third party mailer.
There are few solutions for Exchange itself

https://dmarcian.com/dkim-dmarc-microsoft-exchange/


0 Votes
DorianEley-7672 answered

So the first part of the issue is that we need to use O365 to manage the email due to the site and other things related being hosted via Azure, otherwise I'd just use our Postfix server and OpenDKIM. So third-party options weren't really what we wanted.

The second part of the issue is that we need to send mail as xxx@externaldomain.com, which doesn't belong to us and is already hosted in Azure by its owner.

The last issue is adding DKIM so we can authenticate.


1 Vote
AndyDavid answered

That won't work sending from 365, as you can imagine. You won't be able to send as another domain that isn't your verified and accepted domain.


0 Votes
DorianEley-7672 answered AndyDavid commented

We can verify it, but Azure won't accept it. I've ended up going back to the business and saying it's not possible. We have far simpler solutions available and this is just causing more problems than it's worth.

I get the feeling Azure won't allow it so Azure can't be claimed to be spoofing other people's email regardless of if you can verify it. Trying to find a way to achieve this resulted in me going down hacker holes describing how to spoof services, and most of it, again, needs a service other than Azure. Sometimes it's not worth resolving a technical problem when there are other ways to skin the cat.


Exactly! :)

0 Votes
DorianEley-7672 answered AndyDavid commented

I have had a response from Microsoft with the following details. So far it brings more questions than anything, but I'm posting it just in case others find this post.

Good day, hope you are doing well.

After discussing internally, I would like to recommend using the relay email method: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Docs https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

You can also refer to the table below, taken from the above article, on feature-based capabilities.
Here's a comparison of each configuration option and the features they support.

| Features | SMTP client submission | Direct send | SMTP relay |
|---|---|---|---|
| Send to recipients in your domain(s) | Yes | Yes | Yes |
| Relay to internet via Microsoft 365 or Office 365 | Yes | No. Direct delivery only. | Yes |
| Bypasses antispam | Yes, if the mail is destined for one of your Microsoft 365 or Office 365 mailboxes. | No. Suspicious emails might be filtered. We recommend a custom Sender Policy Framework (SPF) record. | No. Suspicious emails might be filtered. We recommend a custom SPF record. |
| Supports mail sent from applications hosted by a third party | Yes | Yes. We recommend updating your SPF record to allow the third party to send as your domain. | No |
| Saves to Sent Items folder | Yes | No | No |
| **Requirements** | | | |
| Open network port | Port 587 or port 25 | Port 25 | Port 25 |
| Device or application server must support TLS | Required | Optional | Optional |
| Requires authentication | Microsoft 365 or Office 365 username and password required | None | One or more static IP addresses. Your printer or the server running your LOB app must have a static IP address to use for authentication with Microsoft 365 or Office 365. |

Kindly let me know if you need any further clarification, I will be glad to help.

I have actually forwarded this on to the dev team as it's their application. I figure they could use this better than I could, but I'm still wrapping my brain around it.


Yea, the problem there is that now you have to account for that auth (name and password) and also ensure it uses modern authentication at some point, as basic auth is going away.
