Office 365 - DKIM

  • Hello guys,
    please let me know if I'm the only one with this problem.


    In order to enable DKIM for the domains hosted on Office 365, we should enable a couple of DNS records as described here: https://technet.microsoft.com/…t695945(v=exchg.150).aspx


    So, to sum up, Microsoft says to create these 2 CNAMEs:

    Code
    Host name: selector1._domainkey.<domain>
    Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
    TTL: 3600
    Host name: selector2._domainkey.<domain>
    Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
    TTL: 3600

    it should be something like:


    Code
    Host name: selector1._domainkey.domainexample.com.
    Points to address or value: selector1-domainexample-com._domainkey.domainexample.onmicrosoft.com.
    TTL: 3600
    Host name: selector2._domainkey.domainexample.com.
    Points to address or value: selector2-domainexample-com._domainkey.domainexample.onmicrosoft.com.
    TTL: 3600

    I have tried, but on the interface I receive the error: Could not validate DNS resource record: Invalid `Canonical name` field.
    There are some characters in the string 'selector1-domainexample-com._domainkey.domainexample.onmicrosoft.com.' that i-MSCP doesn't like, or just how the CNAME is formed.


    The problem can be easily reproduced by following what I wrote there. So just create a CNAME as Microsoft says.


    My System:
    Debian 8 x64, apache2, php-fpm, dovecot, proftpd.
    i-MSCP 1.3.8


    Please let me know if you need any further information, or let me know where I'm doing something wrong.
    Thank you, bye Kess.

  • With my system, DKIM is set up automatically within i-MSCP, then you must go to your domain registrar, in my case godaddy, and set up DKIM there as well.


    Log in to your domain registrar and set up a TXT record: set HOST to "mail._domainkey" and TXT VALUE to "v=DKIM1; k=rsa; s=email; p=your_key_given_by_imscp"


    Don't use the quotes I show above ...


    Hope this helps you ...

    “Life is all an Elaborate Hoax”
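The TXT value in the post above is a DKIM public-key record made of tag=value pairs. The following parser is an added example (not i-MSCP code and not from the poster) that splits such a record and flags the problems that most often break DKIM verification: a missing or empty p= tag, a bad base64 key, a v= tag that is not first, or an unknown key or service type. The tag names and defaults are those of RFC 6376 (k=ed25519 from RFC 8463); the sample record and its key are constructed placeholders, and the surrounding-quote handling is there because, as the post says, the quotes are not part of the value.

```python
import base64
import binascii

# Constructed sample record in the shape posted above; the key is a placeholder, not a real key.
CONSTRUCTED_RECORD = (
    "v=DKIM1; k=rsa; s=email; p="
    + base64.b64encode(b"constructed-placeholder-key").decode()
)


def parse_dkim_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into an ordered dict.

    A pair of surrounding double quotes (zone-file style) is dropped first.
    Duplicate tags are rejected, as RFC 6376 section 3.2 requires.
    """
    record = record.strip()
    if len(record) >= 2 and record[0] == record[-1] == '"':
        record = record[1:-1]
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags


def check_dkim_record(record: str) -> list:
    """Return a list of problems; an empty list means the record looks usable."""
    problems = []
    try:
        tags = parse_dkim_tags(record)
    except ValueError as exc:
        return [str(exc)]

    # v= is optional, but if present it must be DKIM1 and must be the first tag.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            problems.append(f"unexpected version {tags['v']!r}")
        if next(iter(tags)) != "v":
            problems.append("v= tag must come first")

    # p= is mandatory; an empty p= means the key has been revoked.
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("p= is empty: key revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")

    # k= defaults to rsa; ed25519 is the other registered key type.
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags['k']!r}")

    # s= lists the services the key may be used for; "*" and "email" are defined.
    for service in tags.get("s", "*").split(":"):
        if service not in ("*", "email"):
            problems.append(f"unknown service type {service!r}")
    return problems


if __name__ == "__main__":
    print(check_dkim_record(CONSTRUCTED_RECORD))            # []
    print(check_dkim_record('"v=DKIM1; k=rsa; p="'))        # ['p= is empty: key revoked']
```

Running the checker against a record pasted from a control panel, before publishing it, catches the typical copy errors (stray quotes, a truncated key) at the point where they are cheapest to fix.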

  • Hi Texas,
    thanks for your reply.


    I don't use the registrar DNS system, I use i-MSCP for every DNS resource record. So in that case, I need to create these 2 CNAMEs into i-MSCP.


    The error I'm talking about in the first post refers to the "_" character in the needed CNAME. Unfortunately i-MSCP custom DNS doesn't accept underscores in CNAMEs.
    Is that a bug that requires a fix?

  • Of course yes, but I don't manage DNS resource records on the registrar's interface.
    On that interface I just registered the 2 DNS servers that are going to resolve the records for that domain.

  • From what I understand, if you are not a domain registrar yourself, you still have to use your domain registrar for certain things as well ... I could be wrong, but my DKIM didn't work until I added it to my domain registrar as well ...


    It has been years since I did the research on self hosting, so I couldn't find the exact references I used, but to be a "true" hoster, you should have multiple static IPs and you should have a backup, separate DNS server for redundancy. I use my machine at home as well as my domain registrar for the redundancy. It is a little bit more work, but it works well for me.


    Have a good one ...

    “Life is all an Elaborate Hoax”


  • @kess


    This is already fixed in 1.3.x. See

    @texxasrulez


    You're wrong here ;) If you use your own DNS servers (case of @kess) you don't have to do anything on the registrar side apart from declaring your nameservers. The issue here is about the possibility to put an underscore in names which are not used as hostnames. Usage of underscore in names is not well defined in RFCs but is supported. Many hosting providers and major control panels (such as Plesk) don't support underscore in CNAME, but there are many service providers that use it, such as Microsoft Office 365, Amazon SES ...


    See also

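To make the underscore question concrete: the block below is an added example, not i-MSCP's validation code, that builds the two Office 365 DKIM CNAMEs from the first post and runs them through two owner-name checks, a strict RFC 1123 hostname check (the kind of rule that produces "Invalid Canonical name field") and a relaxed check that accepts underscore labels such as _domainkey. domainexample.com and the domainGUID domainexample-com are the thread's placeholder values, not a real tenant; the 63-octet label and 253-octet name limits are the standard DNS limits.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.I)

# Relaxed label: the same, but an underscore may lead or sit inside the label.
# This is what _domainkey, _dmarc, _acme-challenge and SRV owner names rely on:
# such names are never hostnames, so the hostname restriction does not apply.
RELAXED_LABEL = re.compile(r"^_?[a-z0-9](?:[a-z0-9_-]*[a-z0-9])?$", re.I)


def split_fqdn(name: str) -> list:
    """Split an absolute or relative DNS name into labels, dropping the trailing dot."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("name is empty or longer than 253 octets")
    return name.split(".")


def is_valid_name(name: str, allow_underscore: bool) -> bool:
    """Check every label against the strict or the relaxed rule plus the 63-octet limit."""
    try:
        labels = split_fqdn(name)
    except ValueError:
        return False
    pattern = RELAXED_LABEL if allow_underscore else HOSTNAME_LABEL
    return all(len(label) <= 63 and pattern.match(label) for label in labels)


def office365_dkim_cnames(domain: str, domain_guid: str, initial_domain: str) -> list:
    """The two CNAME records from Microsoft's DKIM documentation, as dicts."""
    records = []
    for selector in ("selector1", "selector2"):
        records.append({
            "type": "CNAME",
            "name": f"{selector}._domainkey.{domain}.",
            "target": f"{selector}-{domain_guid}._domainkey.{initial_domain}.",
            "ttl": 3600,
        })
    return records


def validate_cname(record: dict, allow_underscore: bool) -> list:
    """Return the fields a panel with the given policy would reject (empty = accepted)."""
    rejected = []
    for field in ("name", "target"):
        if not is_valid_name(record[field], allow_underscore):
            rejected.append(field)
    return rejected


if __name__ == "__main__":
    # Constructed values from the thread, not a real Office 365 tenant.
    for rec in office365_dkim_cnames("domainexample.com", "domainexample-com",
                                     "domainexample.onmicrosoft.com"):
        print(rec["name"], "->", rec["target"])
        print("  strict hostname rule rejects:", validate_cname(rec, False))
        print("  relaxed rule rejects:        ", validate_cname(rec, True))
```

Under the strict rule both the owner name and the target are rejected, because both contain the _domainkey label; under the relaxed rule both pass while a label with a leading hyphen or an over-long label is still refused. That is the distinction the fix discussed in this thread draws: validate CNAME owner names and targets as DNS names, not as hostnames.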

  • I figured as much. That's why I said I may be wrong. Back when I did use DNS solely on my machine, I was getting crazy hits (thousands per minute) for DNS requests, so I decided to use an outside source ....


    Thanks as always ...

    “Life is all an Elaborate Hoax”

  • @Nuxwin
    Thank you for your fast reply, and sorry, I didn't research in youtrack. My bad...


    @texxasrulez
    These servers are not located at home :-) These are virtual servers in a VMware Cloud environment, with granted resources, granted bandwidth and of course static IP addresses. Backup is done transparently through snapshots (automagically carried away to another place), my DNS infrastructure is as the rules say it should be. There are a lot of other things you have to own in order to host services... The hardest are related to security, the rest.........

  • @kess


    You can thank @theemstra, who fought a lot with me behind the scenes (on our IRC channel) for allowing underscore in names. As most developers, I was not really happy to allow something which is not clearly defined and allowed in RFCs ;)
