DKIM not signed

Kingsley Chiakwa 61

Hello Guys,

Please tell me I am doing wrong, I created my DKIM keys for my domain and the CNAME and have propagated. My DKIM now appears to be enabled, however, when I send internal emails, DKIM in the headers still appears as none, while when I send to my gmail account it appears to be pass.

Any ideas what I can do to ensure the DKIM = pass for internal emails

Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor

2022-08-19T09:53:59.243+00:00

Hi,
Just checking in to see how things are going on with this thread.
If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.
If you still have further questions or concerns, feel free to post back.

Accepted answer

Andy David - MVP 145.6K Reputation points MVP

2022-08-12T12:46:25.83+00:00

DKIM is not used for internal messages. its only used so external recipients can verify that your domain sent the message.
internal messages are authenticated. If an internal message was spoofed, then you need to figure out who sent it as an authenticated user.
Please sign in to rate this answer.
Richard Bradley 0 Reputation points

2023-08-04T10:41:03.71+00:00

It would be more consistent if all messages were DKIM signed (including internal messages). After all, internal email flows through multiple servers for M365 users, and we have to trust that these have not been spoofed.

I agree that if an internal message was spoofed, then it is more likely that the sender's account has been compromised - though it is not beyond the realms of doubt that a future security weakness could facilitate injection of spoof emails.

From my perspective, it would be beneficial to have internal emails DKIM signed for consistency to simplify investigations.

More importantly, it would be beneficial to have internal emails DKIM signed because, right now, when someone uses the "Forwards as attachment" option in Outlook, without the digital signature, there is no way for the recipient of the attachment to validate that the fields which should be covered by DKIM have not been modified.

The following example is purely fictitious, but imagine the scenario of someone forwarding an unsigned (internal) message that was allegedly penned by a senior manager authorising the accounts department to make a payment. Even if the original message was authentic, a simple change to the location of the decimal point would be undetectable.

What do you think?

Richard.

Below is an example of the various servers a recent "internal" M365 message flowed through on its way to me. Whilst the message may have been internal within the tenant, it certainly didn't remain internal from a server perspective.

Received: from AS4PR08MB7502.eurprd08.prod.outlook.com (xxxxxxxx) by AS2PR08MB8694.eurprd08.prod.outlook.com with HTTPS; Wed, 26 Jul 2023 10:45:43 +0000 Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=xxxxxxxxxxxxxxx.xxx; Received: from AM0PR08MB3058.eurprd08.prod.outlook.com (xxxxxxxx) by AS4PR08MB7502.eurprd08.prod.outlook.com (xxxxxxxx) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id xxxxxx; Wed, 26 Jul 2023 10:45:42 +0000
Sign in to comment

2 additional answers

Andy David - MVP 145.6K Reputation points MVP

2022-08-12T11:28:09.547+00:00

DKIM is only applied to messages sent externally. Why would you need to DKIM for internal messages?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Kingsley Chiakwa 61 Reputation points

2022-08-12T12:33:17.283+00:00

Actually was because of an internal email that came that was a spoof and was not blocked.

Trying to ensure it is working going forward
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

DKIM not signed

2 additional answers