
Email authentication settings

Email authentication lets you make sure the email your users send is properly authenticated, so receivers can validate that a message hasn't been spoofed.

Trusted ARC sealers

Use trusted ARC sealers in scenarios where a third-party service routes and modifies your mail and you need to preserve the authentication of the message. This is similar to enhanced filtering, and you can use both in conjunction if your scenario calls for it.

Microsoft has a great article covering mail routing, enhanced filtering, and ARC sealers here and here.

DomainKeys Identified Mail (DKIM)

DKIM is an important element allowing receivers of your domain's emails to know if they are messages legitimately sent from your organization. It is recommended to enable DKIM, and it is possible to set this up outside of Microsoft if needed.

Tip

As of 2024, DKIM and SPF are required when sending to popular domains such as Gmail and Yahoo. Both also require a DMARC policy if you send bulk mail. p=none is enough to satisfy that requirement.

Gmail only has these requirements for personal accounts, not Google Workspace accounts.

Enabling this is very straightforward: click on your domain and switch the toggle to enabled. Microsoft will prompt you with the record you need to add to your DNS.

Once enabled, you will have two selectors, but only one is active at a given time. You can check your selector on MXToolbox; it will likely be yourdomain.com:selector1 but may also be yourdomain.com:selector2.

Your selector will have a key associated with it, which can be a 1024-bit or 2048-bit key. If you already had DKIM enabled, you may need to upgrade your key to 2048 bits. This cannot be done via the GUI but can be done via PowerShell; instructions are located here. You will need to run the command twice: once now and again 4 days later, which is when the key should have rotated to the other selector.

Tip

DKIM on subdomains should look similar to this for Microsoft:

  • selector1._domainkey.SUBDOMAIN
  • selector1-SUBDOMAIN-PARENTDOMAIN-TOPLEVELDOMAIN._domainkey.TENANTROOT.onmicrosoft.com

For example, if your subdomain was sales.contoso.com in its tenant:

  • selector1._domainkey.sales
  • selector1-sales-contoso-com._domainkey.contososales.onmicrosoft.com

Questions about email authentication?

I have created a page covering the items I see people get confused on with email authentication here. It is fairly basic, but there are a ton of resources out there covering SPF, DKIM, and DMARC.