This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DKIM deployment with SEA and Office 365

Dear all,
 
I faced a serious problem at a client who is sending email to Microsoft domains (live.com, outlook.com, hotmail.com, ...).
The SEA mail logs show an SMTP 250 response code, but the email has never been delivered to the mailbox.
The client's IT engineer reported to me that Microsoft's mail policies state that mail must be authenticated using SPF and DKIM.
(https://postmaster.live.com/pm/policies.aspx - Point 4 - Italian language)
So he asked me to implement the DKIM protocol.
 
It is the first time I have deployed DKIM with multiple MTAs. In this specific case, messages are sent by Office 365 and by an internal Sophos Email Appliance (SEA).
SEA has eight trusted domains, some of them shared with Office 365, and uses MX record resolution to deliver outgoing messages.
 
Based on my knowledge of DKIM, I would like to describe how I am going to implement DKIM in this scenario.
 
Outgoing messages from Office 365
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
1. Publish two CNAME records in the DNS zone of the SMTP domain
2. Enable DKIM for each domain in the Office 365 portal
Ref. social.technet.microsoft.com/.../36796.enabling-dkim-in-office-365-for-custom-domains.aspx
At the end of this procedure we have two CNAMEs:

selector1._domainkey.domain.it    IN CNAME selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com
selector2._domainkey.domain.it    IN CNAME selector2-dominio-it._domainkey.dominio.it.onmicrosoft.com
 
Outgoing messages from SEA
Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
1. Generate the DKIM key using OpenSSL (better than using internet tools)
2. Create a key selector (with a different name, e.g. sea-selector) in the System: Certificates section of SEA
3. Add a DKIM signature outbound threat protection policy
4. Add a TXT record to public DNS like:
sea-selector._domainkey.domain.it
After having activated the threat protection policy, EVERY outgoing message contains the DKIM-Signature header.
So I have to consider the other trusted domains (not shared with O365) and configure a CNAME for these domains (e.g. domain2.it):
 
mxa-selector._domainkey.domain2.it  IN CNAME   mxa-selector._domainkey.domain.it
 
Any comments on this post will be highly appreciated.
If you find the post interesting, feel free to use it.
Kind regards,
 
Enrico Giacomin


  • Hi Enrico,

    Couple of things.

    EnricoGiac said:
    I faced a serious problem by a client who are sending email to microsoft domains (live.com, outlook.com, hotmail.com, ...)
    SEA mail logs show a SMTP 250 exit code, but the email has never been delivered to the mailbox.
     

     
    Logs would be required for this; however, if you go into the search tool and change the indicator to "mail logs", and your mail logs look like this...
    2018-04-03 08:56:18 | test@testlocal | test@dovecot.local | external IP | downstream IP:25 | subject
    2018-04-03 08:56:17 | test@test.local | test@dovecot.local | external IP | downstream IP:25 | subject
     
    (aka there is a downstream relay and the logs say 250 delivered), then your issue is downstream of the appliance.
     
     
    If your logs look like this:
    2018-04-03 08:56:18 | test@testlocal | test@dovecot.local | external IP | - | -
    test@test.local | test@dovecot.local | external IP | - | -
     
    then it's possible there is a policy or other issue going on where the appliance has not delivered the email downstream.
     
     
     
     
    EnricoGiac said:
    It is the first time I deployed DKIM with multiple MTA. In this specific case, messages are sent by Office 365 and by an internal Sophos Email Appliance (SEA).
    SEA has eight trusted domain, some of them shared with Office 365, and use MX record resolution to deliver outgoing messages.
     
    Trusted domains only tell the appliance to skip spam scoring on that IP/domain. Only an MTA that accepts mail should be listed. It's not going to bypass rules or other MTA checks like SPF, DKIM or rDNS.
     
     
    EnricoGiac said:
    Based on my knowledge of DKIM, I would like to describe how I am going to implement DKIM in this scenario.
     
    Outgoing messages from Office 365
    Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
    1. Publish two CNAME records in the DNS zone of the SMTP domain
    2. Enable DKIM for each domain in the Office 365 portal
    Ref. social.technet.microsoft.com/.../36796.enabling-dkim-in-office-365-for-custom-domains.aspx
    At the end of this procedure we have two CNAMEs:

    selector1._domainkey.domain.it    IN CNAME selector1-dominio-it._domainkey.dominio-it.onmicrosoft.com
    selector2._domainkey.domain.it    IN CNAME selector2-dominio-it._domainkey.dominio.it.onmicrosoft.com
     
    Outgoing messages from SEA
    Sender SMTP domain "domain.it". It is one of the three SMTP domains shared between SEA and O365.
    1. Generate the DKIM key using OpenSSL (better than using internet tools)
    2. Create a key selector (with a different name, e.g. sea-selector) in the System: Certificates section of SEA
    3. Add a DKIM signature outbound threat protection policy
    4. Add a TXT record to public DNS like:
    sea-selector._domainkey.domain.it
    After having activated the threat protection policy, EVERY outgoing message contains the DKIM-Signature header.
    So I have to consider the other trusted domains (not shared with O365) and configure a CNAME for these domains (e.g. domain2.it):
     
    mxa-selector._domainkey.domain2.it  IN CNAME   mxa-selector._domainkey.domain.it
     
    Any comments on this post will be highly appreciated.
    If you find the post interesting, feel free to use it.
    Kind regards,

    In short, the very last item in your mail chain is the only item that should stamp DKIM. Assuming it's the SEA, make sure the records are uploaded to the SEA and hosted as you have posted, then make sure you create an outbound DKIM rule and make sure it's the last rule to trigger.

    If that does not resolve the issue, you may wish to send samples of your outbound mail to not-spam@labs.sophos.com and open a case to ensure they are stamped correctly.

    In other notes, make sure you do not have rules that run after the signing that modify headers, add banners or touch the email.

     

    ***

    As for the overall issues... in this case the forum is not a good medium for troubleshooting. I highly recommend you contact support and open a case to go over the issues; this will ensure you're not posting log information and/or modifying logs etc.
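The advice above about rules that touch the mail after signing can be checked on a captured message. The script below is an added example, not Sophos code and not the thread's own: it recomputes the DKIM body hash (bh=) with the canonicalizations of RFC 6376 using only the Python standard library, compares it with the value in the DKIM-Signature header, lists the headers covered by h=, and checks that d= aligns with the From domain. It does not verify b= (that needs the public key and an RSA library). The message and the appended banner are constructed.

```python
"""Check a DKIM-Signature's bh= against the message body it now carries.

Added example, not from the thread or Sophos. Standard library only; the
sample message and banner are constructed. b= is not verified here.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 relaxed body: strip trailing WSP, collapse WSP runs,
    drop trailing empty lines, end with CRLF (empty body -> empty)."""
    lines = []
    for ln in body.split(b"\r\n"):
        ln = re.sub(rb"[ \t]+$", b"", ln)
        lines.append(re.sub(rb"[ \t]+", b" ", ln))
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 simple body: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def digest_b64(data: bytes, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def body_hash(body: bytes) -> str:
    """bh= for relaxed body canonicalization and sha256 (the common case)."""
    return digest_b64(canon_body_relaxed(body))


def parse_dkim_signature(value: str) -> Dict[str, str]:
    """tag=value pairs; folding whitespace inside values (e.g. b=) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def split_message(raw: bytes) -> Tuple[bytes, bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def get_header(head: bytes, name: str) -> Optional[str]:
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)   # unfold continuation lines
    for line in unfolded.split(b"\r\n"):
        k, sep, v = line.partition(b":")
        if sep and k.strip().lower() == name.lower().encode():
            return v.strip().decode()
    return None


def from_domain(head: bytes) -> Optional[str]:
    frm = get_header(head, "From")
    m = re.search(r"@([A-Za-z0-9.-]+)", frm or "")
    return m.group(1).lower() if m else None


def check_signature_body(raw: bytes) -> Dict[str, object]:
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_signature(sig)
    c = tags.get("c", "simple/simple").split("/")
    body_c = c[1] if len(c) == 2 else "simple"      # one value means body=simple
    canon = canon_body_relaxed(body) if body_c == "relaxed" else canon_body_simple(body)
    if "l" in tags:          # l= caps the hashed length: anything appended past it
        canon = canon[: int(tags["l"])]              # still verifies, so avoid l=
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    expected = digest_b64(canon, algo)
    d, sender = tags.get("d", "").lower(), from_domain(head)
    return {
        "signed": True, "selector": tags.get("s"), "d": d,
        "signed_headers": tags.get("h", "").lower().split(":"),
        "bh_declared": tags.get("bh"), "bh_expected": expected,
        "body_intact": expected == tags.get("bh"),
        "from_aligned": bool(sender) and (sender == d or sender.endswith("." + d)),
    }


BODY = b"Hello,\r\nthis is a constructed test message.\r\n"
SIGNED_MESSAGE = (                   # constructed; b= is a placeholder
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.it;\r\n"
    b"\ts=sea-selector; h=from:to:subject:date;\r\n"
    b"\tbh=" + body_hash(BODY).encode() + b";\r\n"
    b"\tb=placeholder-not-verified-here\r\n"
    b"From: Administrator@domain.it\r\nTo: someone@hotmail.com\r\n"
    b"Subject: test\r\nDate: Tue, 10 Apr 2018 12:31:32 +0200\r\n\r\n" + BODY)
BANNER = b"\r\n-- \r\nThis message was scanned by a downstream gateway.\r\n"

if __name__ == "__main__":
    print(check_signature_body(SIGNED_MESSAGE)["body_intact"])           # True
    print(check_signature_body(SIGNED_MESSAGE + BANNER)["body_intact"])  # False
```

Run it on a message captured at the last hop before the internet: a false `body_intact` with the appliance's own bh= means something after the DKIM rule (a banner, a disclaimer, a re-encoding) changed the body, which is exactly the ordering problem described above; a header listed in `signed_headers` that a later rule rewrites breaks the signature the same way, although that part needs the key to detect.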

  • Hello Red Warrior,

    thank you for your reply.

    I confirm that all the configuration I did as detailed in my post is working fine: DKIM pass for every outbound email in transit from the Sophos Email Appliance, for all the mail domains configured. (My mistake: I wrote trusted domain, but I meant mail domain, the authoritative domain accepted by SEA.)

    Secondly, my intention was mainly to share my experience on DKIM; that's why I posted a discussion and not a question. I do not want to ask for troubleshooting. Anyway, this is a log of a successfully delivered email to @hotmail.com. The email has never arrived in the mailbox, neither in the inbox nor in junk mail.

    Thank you for your time and I hope the thread will be useful to others.

    Enrico

    2018-04-10 12:31:32 | Administrator@maildomain.it | egiacomin@hotmail.com | 10.15.4.12 | 104.47.36.33:25 | test
    Message-ID: <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    Sender: Administrator@maildomain.it
    Recipient(s): egiacomin@hotmail.com
    Direction: Outbound
    Received: Connection from 10.15.4.12
    Queued: For scanning at 2018-04-10 12:31:32
    Scanned: With result: legitimate. Message will be delivered.
    Removed: From scanning queue at 2018-04-10 12:31:32
      
    Policy Rule: DKIM Signature
    Sender: Administrator@maildomain.it
    Recipient(s): egiacomin@hotmail.com
    Queued: For delivery at 2018-04-10 12:31:32
    Delivered: To 104.47.36.33 at 2018-04-10 12:31:33 with response '2.6.0 <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc> [InternalId=2254857871509, Hostname=SN1NAM02HT131.eop-nam02.prod.protection.outlook.com] 8584 bytes in 0.111, 75.426 KB/sec Queued mail for delivery'
    Removed: From delivery queue at 2018-04-10 12:31:33
    Appliance: mxa.maildomain.it [10.15.5.222]

    2018-04-10 12:31:32 mxa postfix/smtpd[13703]: 3B8BE53123_ACC9284F: client=srvexc01.maildomain.loc[10.15.4.12]
    2018-04-10 12:31:32 mxa postfix/cleanup[13209]: 3B8BE53123_ACC9284F: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: from=<Administrator@maildomain.it>, size=1623, nrcpt=1 (queue active)
    2018-04-10 12:31:32 mxa postfix/smtp[9463]: 3B8BE53123_ACC9284F: to=<egiacomin@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.18, delays=0/0/0/0.18, dsn=2.0.0, status=sent (250 OK, sent 5ACC9284_20110_5507_1 516A255C38_ACC9284B)
    2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: removed
    2018-04-10 12:31:32 mxa postfix/backend/smtpd[13679]: 516A255C38_ACC9284B: client=localhost.localdomain[127.0.0.1]
    2018-04-10 12:31:32 mxa postfix/backend/cleanup[11309]: 516A255C38_ACC9284B: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
    2018-04-10 12:31:32 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: from=<Administrator@maildomain.it>, size=2218, nrcpt=1 (queue active)
    2018-04-10 12:31:33 mxa postfix/backend/smtp[99080]: 516A255C38_ACC9284B: to=<egiacomin@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.36.33]:25, delay=1.2, delays=0.1/0/0.47/0.67, dsn=2.6.0, status=sent (250 2.6.0 <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc> [InternalId=2254857871509, Hostname=SN1NAM02HT131.eop-nam02.prod.protection.outlook.com] 8584 bytes in 0.111, 75.426 KB/sec Queued mail for delivery)
    2018-04-10 12:31:33 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: removed
    2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: Sandstorm header not found.
    2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: X-Sophos headers have been stripped.
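To apply the earlier advice about reading where the 250 came from (the appliance's loopback scanning hop versus the remote MX) to a log like this one, here is an added example, not Sophos code: a small parser that links the two Postfix queue IDs by Message-ID and reports which relay returned the final 250. The sample log is constructed from the lines quoted in this reply; the loopback test on 127.0.0.1 assumes the appliance's scanning hop always uses that address.

```python
"""Trace a message through a Sophos Email Appliance's Postfix log.

Added example, not Sophos code. Links queue IDs by Message-ID using the
'cleanup' and 'smtp' lines Postfix writes, then reports whether the final 250
came from the loopback scanning hop (127.0.0.1:10025) or the remote MX.
SAMPLE_LOG is constructed from the lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2018-04-10 12:31:32 mxa postfix/smtpd[13703]: 3B8BE53123_ACC9284F: client=srvexc01.maildomain.loc[10.15.4.12]
2018-04-10 12:31:32 mxa postfix/cleanup[13209]: 3B8BE53123_ACC9284F: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: from=<Administrator@maildomain.it>, size=1623, nrcpt=1 (queue active)
2018-04-10 12:31:32 mxa postfix/smtp[9463]: 3B8BE53123_ACC9284F: to=<egiacomin@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.18, delays=0/0/0/0.18, dsn=2.0.0, status=sent (250 OK, sent 5ACC9284_20110_5507_1 516A255C38_ACC9284B)
2018-04-10 12:31:32 mxa postfix/qmgr[5348]: 3B8BE53123_ACC9284F: removed
2018-04-10 12:31:32 mxa postfix/backend/smtpd[13679]: 516A255C38_ACC9284B: client=localhost.localdomain[127.0.0.1]
2018-04-10 12:31:32 mxa postfix/backend/cleanup[11309]: 516A255C38_ACC9284B: message-id=<41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc>
2018-04-10 12:31:32 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: from=<Administrator@maildomain.it>, size=2218, nrcpt=1 (queue active)
2018-04-10 12:31:33 mxa postfix/backend/smtp[99080]: 516A255C38_ACC9284B: to=<egiacomin@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.36.33]:25, delay=1.2, delays=0.1/0/0.47/0.67, dsn=2.6.0, status=sent (250 2.6.0 <41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc> [InternalId=2254857871509, Hostname=SN1NAM02HT131.eop-nam02.prod.protection.outlook.com] 8584 bytes in 0.111, 75.426 KB/sec Queued mail for delivery)
2018-04-10 12:31:33 mxa postfix/backend/qmgr[5530]: 516A255C38_ACC9284B: removed
2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: Sandstorm header not found.
2018-04-10 12:31:32 mxa milter[20110]: 5ACC9284_20110_5507_1: X-Sophos headers have been stripped.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+)\[\d+\]: "
    r"(?P<qid>[0-9A-Fa-f_]+): (?P<rest>.*)$")
MSGID_RE = re.compile(r"message-id=<(?P<mid>[^>]+)>")
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$")


@dataclass
class Hop:
    ts: str
    qid: str
    to: str
    relay: str
    dsn: str
    status: str
    detail: str

    @property
    def internal(self) -> bool:
        # The scanning hop hands the message back to the appliance on loopback.
        return self.relay.startswith(("127.", "[127.", "localhost"))


def parse_log(text: str) -> Tuple[Dict[str, str], List[Hop]]:
    qid_to_mid: Dict[str, str] = {}
    hops: List[Hop] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mm = MSGID_RE.search(m["rest"])
        if mm:
            qid_to_mid[m["qid"]] = mm["mid"]
            continue
        d = DELIVERY_RE.search(m["rest"])
        if d:
            hops.append(Hop(m["ts"], m["qid"], d["to"], d["relay"], d["dsn"],
                            d["status"], d["detail"]))
    return qid_to_mid, hops


def trace(text: str, message_id: str) -> List[Hop]:
    """All delivery attempts for one Message-ID, in log order (all queue IDs)."""
    qid_to_mid, hops = parse_log(text)
    return [h for h in hops if qid_to_mid.get(h.qid) == message_id]


def verdict(hops: List[Hop]) -> str:
    if not hops:
        return "no delivery attempt logged for this message"
    last = hops[-1]
    if last.internal:
        return (f"last 250 came from the appliance's own loopback hop ({last.relay}); "
                f"the message never left the appliance, check outbound policy")
    if last.status == "sent":
        return (f"accepted by {last.relay} with DSN {last.dsn}; anything after "
                f"this point happens on the receiving side")
    return f"final hop {last.relay} returned {last.status} ({last.detail})"


if __name__ == "__main__":
    mid = "41C2662BABCAA64CBB14D8E55CB93E908671B30F@srvexc01.maildomain.loc"
    for hop in trace(SAMPLE_LOG, mid):
        print(hop.ts, hop.qid, "internal" if hop.internal else "external", hop.relay, hop.dsn)
    print(verdict(trace(SAMPLE_LOG, mid)))
```

On this log the verdict is that the remote MX accepted the message with 2.6.0, which matches the reading in the earlier reply: once the receiving side has queued it, the appliance's log cannot show why it never reached the mailbox.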
  • Hi Enrico, 

    Thank you, it helps me a lot (I have the same infrastructure).

    Regards

    Julien

  • It's a pleasure to know it. Thank you.

    Enrico

  • Hi Enrico,

    I have a couple of questions about the second part of your post, "Outgoing messages from SEA":

    - For the other domains (not shared with Office 365), you have created a CNAME that points to the TXT record "sea-selector._domainkey.domain.it".
    So shouldn't your CNAME be like this: sea-selector._domainkey.domain2.it IN CNAME sea-selector._domainkey.domain.it
    instead of this: mxa-selector._domainkey.domain2.it IN CNAME mxa-selector._domainkey.domain.it
    ?

    - You said "So I have to consider the other trusted domains (non shared with O365) and configure a CNAME for these domains (ex.: domain2.it)".
    All emails (and domains) coming out of SEA are signed with the key selector "sea-selector", so I think you need to create a CNAME for all domains (shared or not with Office 365).

    Thank you for your help :)

    Julien

  • Julien Chaillot said:

    Hi Enrico,

    I have a couple of questions about the second part of your post, "Outgoing messages from SEA":

    - For the other domains (not shared with Office 365), you have created a CNAME that points to the TXT record "sea-selector._domainkey.domain.it".
    So shouldn't your CNAME be like this: sea-selector._domainkey.domain2.it IN CNAME sea-selector._domainkey.domain.it
    instead of this: mxa-selector._domainkey.domain2.it IN CNAME mxa-selector._domainkey.domain.it
    ?

    TRUE: my typing mistake; probably I changed the name "on the run". sea-selector is correct (the hostname of the customer's SEA where I implemented DKIM is MXA.<domain>).

     

    - You said "So I have to consider the other trusted domains (non shared with O365) and configure a CNAME for these domains (ex.: domain2.it)".
    All emails (and domains) coming out of SEA are signed with the key selector "sea-selector", so I think you need to create a CNAME for all domains (shared or not with Office 365).

    Not in my case: the outgoing email for an Office 365 accepted domain exits from Office 365 only. Outgoing emails of the other trusted domains (on the Sophos Email Appliance) exit from the email appliance only.

    But if domain1 outgoing messages flow from either Office 365 or SEA, then you need to create CNAME (or TXT) DNS records to declare all the selectors. And I suppose you have to pay attention that you do not double-sign outgoing messages with two different keys (messages flowing from SEA to Office 365 and then to the internet). I have not considered this situation.

    What might happen?

     

    Sorry for the delay, I did not get the notification. I hope I correctly understood your question. Thank you.

    Enrico
