Couple of things.
I faced a serious problem with a client who is sending email to Microsoft domains (live.com, outlook.com, hotmail.com, ...). SEA mail logs show an SMTP 250 exit code, but the email has never been delivered to the mailbox.
It is the first time I have deployed DKIM with multiple MTAs. In this specific case, messages are sent by Office 365 and by an internal Sophos Email Appliance (SEA). SEA has eight trusted domains, some of them shared with Office 365, and uses MX record resolution to deliver outgoing messages.
Based on my knowledge of DKIM, I would like to describe how I'm going to implement DKIM in this scenario.
Outgoing messages from Office 365
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
1. Publish two CNAME records on the DNS zone of the SMTP domain
2. Enable DKIM for each domain in the Office 365 portal
Ref. social.technet.microsoft.com/.../36796.enabling-dkim-in-office-365-for-custom-domains.aspx
At the end of this procedure we have two CNAME records:
selector1._domainkey.domain.it IN CNAME selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com
selector2._domainkey.domain.it IN CNAME selector2-dominio-it._domainkey.dominio.it.onmicrosoft.com
Outgoing messages from SEA
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
1. Generate the DKIM key using OpenSSL (better than using internet tools)
2. Create a key selector (with a different name, ex: sea-selector) in the System:Certificate section of SEA
3. Add a DKIM signature outbound threat protection policy
4. Add a TXT record to public DNS like:
sea-selector._domainkey.domain.it
After having activated the threat protection policy, EVERY outgoing message contains the DKIM-Signature header.
So I have to consider the other trusted domains (not shared with O365) and configure a CNAME for these domains (ex.: domain2.it):
mxa-selector._domainkey.domain2.it IN CNAME mxa-selector._domainkey.domain.it
Any comments on this post will be highly appreciated. If you find the post interesting, feel free to use it.
In short, the very last item in your mail chain is the only item that should stamp DKIM. Assuming it's the SEA, make sure the records are uploaded to the SEA and hosted as you have posted, then make sure you create an outbound DKIM rule and make sure it's the last rule to trigger.
If that does not resolve the issue, you may wish to send samples of your outbound mail to firstname.lastname@example.org and open a case to ensure they are stamped correctly.
On other notes, make sure you do not have rules that run after the signing and modify headers, add banners or touch the email.
As for the overall issues... In this case the forum is not a good medium for troubleshooting. I highly recommend you contact support and open a case to go over the issues; this will ensure you're not posting log information and/or modifying logs etc.
In reply to Red_Warrior:
Hello Red Warrior,
thank you for your reply.
I confirm that all the configuration I did, as detailed in my post, is working fine. DKIM Pass for every outbound email in transit from Sophos Email Appliance, for all the mail domains configured. (My fault: I wrote trusted domain, but I meant mail domain. The authoritative domain accepted by SEA.)
Secondly, my intention was mainly to share my experience on DKIM, that's why I posted a discussion and not a question. I do not want to ask for troubleshooting. Anyway, this is a log of a successfully delivered email to @Hotmail.com. The email has never arrived in the mailbox, neither in the inbox, nor in junk mail.
Thank you for your time and I hope the thread will be useful to others.
In reply to EnricoGiac:
Thank you, it helps me a lot (I have the same infrastructure)
In reply to Julien Chaillot:
It's a pleasure to know it. Thank you.
I have a couple of questions about the second part of your post "Outgoing messages from SEA":
- For the other domains (not shared with Office 365), you have created a CNAME that points to the TXT record "sea-selector._domainkey.domain.it". So shouldn't your CNAME be like this:
sea-selector._domainkey.domain2.it IN CNAME sea-selector._domainkey.domain.it
instead of this:
mxa-selector._domainkey.domain2.it IN CNAME mxa-selector._domainkey.domain.it ?
- You said "So I have to consider the other trusted domains (non shared with O365) and configure a CNAME for these domains (ex.: domain2.it)". All emails (and domains) coming out of SEA are signed with the key selector "sea-selector", so I think you need to create a CNAME for all domains (shared or not with Office 365).
Thank you for your help :)
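The check a receiving MTA performs on the records published above, and that Julien's point about unshared domains calls for, as an added Python example (not code from this thread or from Sophos): it follows the selector CNAME chain to the final TXT and validates the DKIM tags. The in-memory ZONE, the placeholder p= values, domain3.it and the function names are constructed assumptions.

```python
import re

# Constructed in-memory stand-in for public DNS (assumption, not real records):
# owner name -> (type, CNAME target or TXT text). p= values are placeholders.
ZONE = {
    "selector1._domainkey.domain.it": ("CNAME", "selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com"),
    "selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_O365_KEY"),
    "sea-selector._domainkey.domain.it": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_SEA_KEY"),
    "sea-selector._domainkey.domain2.it": ("CNAME", "sea-selector._domainkey.domain.it"),
    # domain3.it (constructed) is also signed by SEA, but nobody published a CNAME for it.
}

def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs the way a resolver does; return the final TXT text, or None."""
    for _ in range(max_hops):
        rec = zone.get(name.lower().rstrip("."))
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "TXT":
            return value
        name = value  # CNAME: continue the lookup at the alias target
    return None  # CNAME loop or chain too long

def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of RFC 6376 tag=value pairs."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def check_selector(domain, selector, zone=ZONE):
    """Return (ok, reason) for the d=/s= pair a receiving MTA would look up."""
    name = f"{selector}._domainkey.{domain}"
    txt = resolve_txt(name, zone)
    if txt is None:
        return False, f"{name}: no TXT reachable (missing CNAME or TXT record)"
    tags = parse_dkim_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, f"{name}: unexpected v= tag {tags['v']}"
    if not tags.get("p"):
        return False, f"{name}: empty p= tag (key revoked)"
    return True, f"{name}: DKIM key published"

def check_signature_header(header, zone=ZONE):
    """Pull d= and s= from a DKIM-Signature header value and check the DNS lookup."""
    d = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
    s = re.search(r"(?:^|;)\s*s=([^;\s]+)", header)
    if not d or not s:
        return False, "DKIM-Signature lacks d= or s= tag"
    return check_selector(d.group(1), s.group(1), zone)
```

Running check_selector over every mail domain the SEA signs with "sea-selector" shows at once which ones still lack the CNAME (domain3.it in the constructed zone).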