Support for validation of DKIM signed messages

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail (DKIM) messages.

DKIM validates that an email message wasn't spoofed by someone else, and was sent from the domain it says it came from. It ties an email message to the organization that sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft 365 also supports DKIM when mail is sent over IPv4. (For more information about IPv6 support, see Support for anonymous inbound email messages over IPv6.)

DKIM validates a digitally signed message that appears in the DKIM-Signature header of the message headers. The results of a DKIM-Signature validation are stamped in the Authentication-Results header. The message header text appears similar to the following (where contoso.com is the sender):

Authentication-Results: <contoso.com>; dkim=pass (signature was verified) header.d=example.com;

Note

For more information about the Authentication-Results header, see RFC 7001 (Message Header Field for Indicating Message Authentication Status. Microsoft's DKIM implementation conforms with this RFC.

Admins can create Exchange mail flow rules (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed.