One of our domain administrators got an email from Microsoft, "Ensure your email authentication records are set up to avoid mail flow issues to third-party email accounts." Apparently, DKIM was not set up properly.
The page at "Email authentication settings - Microsoft Defender" says,
|Microsoft.Exchange.Management.Tasks.ValidationException|CNAME record does not exist for this config. Please publish the following two CNAME records first.
Domain Name : ourdomain.org
Host Name : selector1._domainkey
Points to address or value: selector1-ourdomain-org._domainkey.ourdomain.onmicrosoft.com
(This is tested and working fine with dig.)
Host Name : selector2._domainkey
Points to address or value: selector2-ourdomain-org._domainkey.ourdomain.onmicrosoft.com
(This record returns SOA. I thought there was something wrong with onmicrosoft.com DNS settings. But probably this record is used only when the key needs to be rotated.)
I set the DKIM CNAME records as per the email.
The page "Email authentication settings - Microsoft Defender" says sync will take a few minutes to several days.
After 90 minutes or so, I checked and found DKIM successfully enabled at that page. The page said that it would take several minutes to roll out the changes, so that DKIM signing would commence after a few minutes/hours.
This page, "Set up SPF identify valid email sources for your Microsoft 365 domain | Microsoft Learn", says that SPF is already set. And I verified that it is set properly using dig. So that should solve this issue.
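The dig checks mentioned above can be scripted. The following is an added example, not part of the original post: it classifies `dig` output for the two selector CNAMEs, separating a selector whose target publishes a key from one whose target answers only with an SOA. The function names, status labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the output of:
#   dig +noall +answer +authority <selector>._domainkey.<domain> TXT
# Each record line has the form: name TTL class TYPE rdata...
classify_dkim_dig() {
  awk '
    $4 == "CNAME"                           { cname = 1 }
    $4 == "TXT" && (/v=DKIM1/ || /[" ;]p=/) { key = 1 }
    $4 == "SOA"                             { soa = 1 }
    END {
      if (key)               print "key-published"      # CNAME followed to a DKIM TXT record
      else if (cname && soa) print "cname-target-empty" # CNAME exists, target has no TXT
      else if (cname)        print "cname-only"         # CNAME seen, nothing else returned
      else if (soa)          print "no-record"          # no CNAME published at this name
      else                   print "no-response"        # empty output (timeout, SERVFAIL)
    }'
}

# Live check of both selector names from the post (needs dig and network access).
check_dkim_selectors() {
  domain=$1
  for sel in selector1 selector2; do
    printf '%s: ' "$sel"
    dig +noall +answer +authority "${sel}._domainkey.${domain}" TXT | classify_dkim_dig
  done
}

# Constructed sample output (not captured from a real resolver).
SAMPLE_ACTIVE='selector1._domainkey.ourdomain.org. 3600 IN CNAME selector1-ourdomain-org._domainkey.ourdomain.onmicrosoft.com.
selector1-ourdomain-org._domainkey.ourdomain.onmicrosoft.com. 3600 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"'

SAMPLE_EMPTY='selector2._domainkey.ourdomain.org. 3600 IN CNAME selector2-ourdomain-org._domainkey.ourdomain.onmicrosoft.com.
onmicrosoft.com. 60 IN SOA ns1.example. hostmaster.example. 1 3600 600 604800 60'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ACTIVE" | classify_dkim_dig
printf '%s\n' "$SAMPLE_EMPTY"  | classify_dkim_dig
```

Running `check_dkim_selectors ourdomain.org` performs the same classification against live DNS.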