DKIM with non-M365 vendors

HCHTech

All but one of my clients where I'm involved with the email is on Microsoft 365. When you set up DKIM, you end up with 3 DNS records, one TXT record that contains the public key, and 2 CNAME records that contain the two "selector" records for key rotation (or at least that's how I understand it) that have URLs something like "Selector1-clientdomain-com". Those URLs are controlled by the provider. So that's how it works, it's pretty easy to set up and test, and on to the next problem.

One client, though, came to me using Intermedia's hosted Exchange. I don't really know what the back end of this product looks like, but they have their own web-based admin portal. I went through the process today of getting DKIM set up and working for their email.

Once I got the DKIM enabled and the initial record with the public key generated and living happily on DNS, I went looking for their instructions for the selector records, but found none. One incredibly long and frustrating web chat with their support later, it appears they don't use selector records, so I guess that means they don't use key rotation. If that's the case, then this is the reason I was looking for to get them moved over to M365 like the rest of my clients. I was willing to leave well-enough alone as long as it worked, but now I don't think I'm willing anymore. It seems to be working, as it passes the checker at dmarcanalyzer.com, the one I typically use for this.

So, I'm posting here to see if anyone else has experience with Intermedia's offering, and if I'm understanding these symptoms correctly.
 
No experience with Intermedia. But, based on my experience, M365 Exchange is the same everywhere. Obviously some, like GoDaddy, do some weird stuff, like limiting your access to Exchange PS. But I'd expect selector records to all be similar in construct because you'll be operating within the MS DNS ecosystem. Can you launch an Exchange PS connection for their domain?

Just in case you haven't seen this link.

 
The mail server generates a key, and that key goes in the record. All M365 does differently is make you CNAME it to a record the back end can automatically update.

This is how DKIM works for all mail servers, Exchange is just one of many.
 
All M365 does differently is make you CNAME it to a record the back end can automatically update.
Isn't this the bit that makes key rotation work? That's what I always thought, and why you have 2 CNAMEs - selector1.domain.com & selector2.domain.com. I admit I don't know exactly how this works in practice, I just know the records you need to set it up correctly.

The 2nd level tech I suffered through @ Intermedia said "We don't do key rotation", so maybe that's the key. Their KB article doesn't mention it, either. Just for fun, here is the summary they sent of the ticket:

======
Summary of Issue: DKIM related issue

Steps Taken:
  • You set up DKIM for your client with a protection standard license and key generated with a DNS record. You only have one selector record for this client - you said that with other vendors and other clients setting up DKIM, there are 2 selector records.
  • You also mentioned that you had generated the key for the user.
  • You also mentioned you wanted to generate a selector 2 record.
  • We clarified with you that we only have 1 record, we don't do key rotation.
Status: Closed.
=====

So I wonder, is M365 the only way to get DKIM key rotation?
 
Yeah, Microsoft sorta makes it easy, since they automatically create the 2x DKIM records when you create the tenant, the original <clientsdomain>.onmicrosoft.com.

Thus, since the records are already there, when you tag on your client's proper domain, you just need 2x CNAMEs that point to the original <clientsdomain>.onmicrosoft.com records that Microsoft already made for you.
 
So I wonder, is M365 the only way to get DKIM key rotation?

M365 isn't the only way to get automatic key rotation, but if you don't have it you're stuck using a DNS API to make those record changes programmatically. I know of no other mail services that just do it for you.

Given this: https://prodmarc.com/knowledge/setting-up-dkim-for-on-prem-exchange-server/

It doesn't appear that on-premises Exchange supports DKIM key rotation. You shouldn't be changing those keys all the time, only when there's evidence of compromise. The public records are public keys after all, and the private keys are embedded in the certificate store on the machine hosting Exchange. Someone would need admin access to get at them, at which point you've lost the server entirely. So why do you want rotation?
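Two of the mechanisms the thread circles around can be shown side by side: the M365 pattern, where the customer zone only holds selector CNAMEs and the provider rewrites the TXT records they point at (so rotation never touches the customer's DNS), and the single-TXT pattern a provider without rotation leaves you with, where you or a DNS API have to publish a new selector, switch signing, and later revoke the old one. The following Python is an added example, not code from this thread, Microsoft or Intermedia. It resolves DKIM names against an in-memory dict that stands in for public DNS; the domain, tenant and key strings are constructed placeholders, and the onmicrosoft.com target name format is assumed from the posts above rather than verified against a live tenant.

```python
"""DKIM selector lookup and key rotation modelled against an in-memory DNS.

Added example, not from the forum thread, Microsoft or Intermedia. Names and
"keys" are constructed placeholders. The dict maps name -> (rrtype, rdata)
and stands in for all of public DNS, so customer and provider zones share it.
"""

MAX_CNAME_HOPS = 8  # give up on CNAME loops instead of spinning forever


class DkimLookupError(Exception):
    pass


def dkim_name(selector, domain):
    """RFC 6376 query name for a d=/s= pair: <selector>._domainkey.<domain>"""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")


def resolve_txt(dns, name):
    """Follow CNAMEs the way a verifying MTA's resolver does; return (owner, txt)."""
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        name = name.lower().rstrip(".")
        if name in seen:
            raise DkimLookupError(f"CNAME loop at {name}")
        seen.add(name)
        rrtype, rdata = dns.get(name, (None, None))
        if rrtype == "CNAME":
            name = rdata
            continue
        if rrtype == "TXT":
            return name, rdata
        raise DkimLookupError(f"no DKIM record at {name}")
    raise DkimLookupError("CNAME chain too long")


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; empty p= means revoked (RFC 6376)."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise DkimLookupError(f"malformed tag {field!r}")
        k, v = field.split("=", 1)
        tags[k.strip()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise DkimLookupError("not a DKIM1 record")
    if "p" not in tags:
        raise DkimLookupError("missing p= tag")
    tags.setdefault("k", "rsa")
    tags["revoked"] = tags["p"] == ""
    return tags


def public_key_for(dns, selector, domain):
    """What a receiver ends up with for a signature: (public key, record owner)."""
    owner, txt = resolve_txt(dns, dkim_name(selector, domain))
    rec = parse_dkim_record(txt)
    if rec["revoked"]:
        raise DkimLookupError(f"{owner}: key revoked (empty p=)")
    return rec["p"], owner


def check_selector(dns, selector, domain):
    """Non-raising wrapper: (True, key) on success, (False, reason) otherwise."""
    try:
        key, _owner = public_key_for(dns, selector, domain)
        return True, key
    except DkimLookupError as exc:
        return False, str(exc)


# --- M365 pattern: customer publishes CNAMEs, provider owns the TXTs ---

def m365_records(domain, tenant, keys):
    """Selector CNAMEs in the customer zone plus the provider-owned TXTs.
    Target name format is assumed from the thread, not from Microsoft docs."""
    label = domain.replace(".", "-")
    dns = {}
    for sel in ("selector1", "selector2"):
        target = f"{sel}-{label}._domainkey.{tenant}.onmicrosoft.com"
        dns[dkim_name(sel, domain)] = ("CNAME", target)
        dns[target] = ("TXT", f"v=DKIM1; k=rsa; p={keys[sel]}")
    return dns


def provider_rotate(dns, domain, selector, new_key):
    """Provider-side rotation: only the TXT behind the CNAME changes."""
    rrtype, target = dns[dkim_name(selector, domain)]
    if rrtype != "CNAME":
        raise DkimLookupError("selector is not delegated to the provider")
    dns[target] = ("TXT", f"v=DKIM1; k=rsa; p={new_key}")


# --- single-TXT pattern: every step is the customer's (or a DNS API's) job ---

def publish_new_selector(dns, domain, selector, key):
    """Step 1: publish the new key; step 2 (switch signing) happens in the MTA."""
    dns[dkim_name(selector, domain)] = ("TXT", f"v=DKIM1; k=rsa; p={key}")


def revoke_selector(dns, domain, selector):
    """Step 3: once in-flight mail has aged out, revoke with an empty p=."""
    dns[dkim_name(selector, domain)] = ("TXT", "v=DKIM1; k=rsa; p=")
```

The point the functions make concrete: with `m365_records` the customer zone never changes during `provider_rotate`, which is exactly why the two selectors are CNAMEs rather than TXTs; with a single TXT record, `publish_new_selector` and `revoke_selector` are the work you have to automate yourself, and the revocation must lag the signing switch by at least the longest plausible delivery delay or still-queued mail fails verification. `check_selector` is what a monitoring job would poll before and after each step.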
 