Dynamics 365 for Marketing: Set up DKIM for your sending domain to keep up with recent Office 365 changes

One of the most important performance metrics for email marketing is deliverability, which measures the ability of your messages to arrive in recipients’ inboxes rather than getting flagged as spam and filtered away, out of sight. Microsoft is dedicated to helping our Dynamics 365 for Marketing customers maximize deliverability, so we’d like to tell you about some of the latest developments in this area, and let you know what you can do about them.

Your legitimate marketing emails should never smell “phishy”

Phishing, one of the most common online scams, occurs when a fraudulent message pretends to come from a well-known online service or financial institution. The goal is to trick recipients into responding to the message by providing private details such as passwords or credit card numbers. If your legitimate marketing emails get flagged as phishing attempts, they will never reach their recipients.

How DKIM helps prevent phishing

A great way to prevent phishing from occurring is for email recipients to authenticate the sending address for each message to confirm it really was sent from a domain that belongs to the company or organization it claims to belong to. A technology called DKIM (DomainKeys Identified Mail) helps accomplish this by incorporating the following elements:

  • A public/private key signature that proves the message was sent from a server owned by a known organization.
  • A central register of authenticated signatures, which enables the DNS (Domain Name System) to confirm that each signature is legitimate and that the sending domain and claimed from-address both belong to the same organization.

Email providers are rolling out stronger DKIM checking

When you send email from Dynamics 365 for Marketing, your messages come from a domain owned by Microsoft (such as contoso.onmicrosoft.com), but the from-address will probably belong to one of your own marketing, sales, or account managers using a more well-known domain that belongs to your organization (such as you@contoso.com). This discrepancy can be a red flag when an inbound email server does a DKIM check on incoming messages, which is why a full implementation of DKIM is so important for ensuring high deliverability, especially when you are using a third-party sending service like Dynamics 365 for Marketing.

Microsoft Dynamics 365 for Marketing already uses DKIM to sign all outgoing messages as coming from a legitimate Microsoft domain. Until now this was enough, but Office 365 has recently upgraded its security to not only check that the DKIM signatures are legitimate, but also to confirm that the sending domain is authorized to send email on behalf of the same organization as the claimed email-from address. As stated in the Office documentation:

Microsoft’s anti-spoofing technology was initially deployed to its organizations that had an Office 365 Enterprise E5 subscription or had purchased the Office 365 Advanced Threat Protection (ATP) add-on for their subscription. As of October, 2018 we’ve extended the protection to organizations that have Exchange Online Protection (EOP) as well. Additionally, because of the way all of our filters learn from each other, Outlook.com users may also be affected.

We expect other major email providers, especially business providers, to follow suit soon.

That means that your deliverability rates could be about to plummet unless you link your from-address domain to your Dynamics 365 for Marketing domain in the DNS system. However, we can’t register our domains as being legitimate senders for your organization—only you can do that, which is part of the reason why this system helps to increase security both for you and for your message recipients.
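The comparison this section describes, between the domain that signed a message and the domain in its from-address, is sketched below as an added example (not code from Microsoft or from the original post). It assumes the receiver applies DMARC-style relaxed or strict alignment to the DKIM `d=` tag; the messages, the selector `sel1` and the subdomain `email.contoso.com` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; selector, bh= and b= values are placeholders.
UNLINKED = (
    "From: You <you@contoso.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=contoso.onmicrosoft.com; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: Spring offer\n\nHello\n"
)
LINKED = UNLINKED.replace("d=contoso.onmicrosoft.com", "d=email.contoso.com")

def dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # remove folding whitespace
    return tags

def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(raw_message, strict=False):
    """Return (from_domain, [(signing_domain, aligned), ...]).
    Only compares domains; it does not verify the signature itself."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        if not d or not from_domain:
            aligned = False
        elif strict:
            aligned = d == from_domain
        else:
            aligned = org_domain(d) == org_domain(from_domain)
        results.append((d, aligned))
    return from_domain, results

if __name__ == "__main__":
    for label, raw in (("unlinked", UNLINKED), ("linked", LINKED)):
        print(label, alignment(raw), alignment(raw, strict=True))
```

Running the same function over the `DKIM-Signature` and `From` headers of a delivered test message shows which signing domain a receiver would compare against your from-address.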

What you should do now

All you need to do to fix this is to register your Dynamics 365 for Marketing sending domain with the DNS system as being a legitimate sender for your organization. Because Dynamics 365 for Marketing already includes its own DKIM signature in each message, receiving servers will then be able to confirm that the sending address (your email address) and the sending server (your Dynamics 365 for Marketing server) both belong to authenticated domains that are approved to send email on behalf of your organization.

The process is easy and straightforward:

  1. Contact Microsoft Support and tell them you want to set up DKIM to link your email-from domain with Microsoft’s Dynamics 365 for Marketing sending domain in DNS, and provide them with the name of the domain that you use in your email-from addresses.
  2. Microsoft will create and send you the materials and detailed instructions needed to do the required registration in DNS.
  3. Contact your internet service provider, domain-name provider, or internal IT department, and use the instructions we sent you to complete the registration in DNS.
  4. Contact Microsoft Support again to tell them when you have finished the registration.
  5. Microsoft Support finalizes the configuration on our side and lets you know when you’re good to go.

What happens next

Microsoft will soon be contacting all customers who can benefit from linking their authenticated Dynamics 365 sending domain to their email-from domain through DKIM and DNS. Although many customers may already have DKIM set up for their own sending domains, this is an additional process—so even if you already have DKIM on your own servers, you may still hear from us!