Skip to main content
Skip to main content
Microsoft 365

Enhanced email protection with DKIM and DMARC in Office 365

Spoofing is a common challenge that enterprises face in today’s world, which can lead to increased spam and more intensified phishing campaigns. In order to reduce spoofing and provide a safer client experience, Office 365 now supports inbound validation of DomainKeys Identified Mail (DKIM) over IPv4, and Domain-based Messaging and Reporting Compliance (DMARC). Both of these technologies check for trusted authenticated senders and help identify untrusted ones that that fail authentication. Exchange Online Protection (EOP), which filters every single mailbox on Office 365, had previously supported Inbound DKIM for IPV6. With these added functionalities feature, Office 365 users can expect better brand protection and an even safer experience.

Let’s take a closer look at these new service features.

Domain-based Messaging and Reporting Compliance (DMARC)

DMARC is a technology designed to combat email spoofing and is useful to stop phishing. Specifically, it protects the case where a phisher has spoofed the 5322.From email address, which is the email address displayed in mail clients like Outlook and Whereas the Sender Policy Framework, (SPF) catches the case where the phisher spoofs the 5321.MailFrom, which is where bounce messages are directed, DMARC catches the case that is more deceptive.

DKIM and DMARC in Office 365 1A phishing message spoofing a financial institution but failing DMARC.

 DMARC protects users by evaluating both SPF and DKIM and then determines if either  domains matches the domain in the 5322.From address. In the example above, the phisher has passed SPF for, but because does not equal, it fails DMARC.

The results of a DMARC check are stamped in the Authentication-Results header:

Authentication-results:; spf=pass 
 (sender IP is xx.xx.xx.xx)
 dkim=none (message not signed) header.d=none; dmarc=fail 

Office 365 then uses DMARC to mark the message as spam and provide better protection for its users. For more details, please see the blog post, Using DMARC in Office 365.

DomainKeys Identified Mail (DKIM)

DKIM permits the person, role or organization, who owns the signing domain, to claim some responsibility for a message by associating the domain with the message. Senders insert a digital signature into the message in the DKIM-Signature header, which receivers then verify. DKIM allows senders to build domain reputation, which is important to ensure email delivery and provides senders a non-spoofable way to identify themselves. It is a critical component of email protection. Office 365 previously supported DKIM when a message was sent over IPv6 and now supports it when it is sent over IPv4.

The results of a DKIM verification are written to the Authentication-Results header. For example, if the signing domain in the d= field in the DKIM-Signature header is

Authentication-Results: spf=pass (sender IP is;; dkim=pass (signature was verified);

If a message fails DKIM verification, the header will say dkim=fail with the reason for the failure in parentheses, for example invalid body hash, key query timeout, no key for signature, and so forth.

Office 365 verifies DKIM signatures when receiving the message. However, after the message has been scanned, (lands in a user inbox, or is relayed to an on-premises mail server, is bcc’ed via a policy rule and so forth), the existing DKIM-Signature may no longer verify if a downstream mail server tries to re-verify it. This is because Office 365 modifies some parts of the message. We will be changing this behaviors in a subsequent release of Exchange Online Protection.

For more information  on DKIM, please see RFC 6376 and
DKIM and DMARC in Office 365 2
A message with a digital signature attached.

These two features are currently being rolled about and will be fully deployed by the end of the first quarter of 2015.These features help improve the Office 365 experience by helping reduce both phishing and spam in the service and we look forward to more secure experiences as we continue to add new capabilities to Exchange Online Protection (EOP).

—Terry Zink is a program manager and Shobhit Sahay is a technical product manager on the Office 365 team.

You may also like these articles

Image for: Small business professional working on designs using devices running PowerPoint and Microsoft Teams.

Power your digital transformation with insights from Microsoft Productivity Score

Editor’s Note: The Mechanics video embedded in this blog post has been updated to reflect some of the product changes announced on December 1, 2020. For some time now, business leaders have made digital transformation a priority. But when the pandemic hit this spring, adopting and embracing digital technology went from being a matter of…

Image for: A man is using his Lenovo laptop like a tablet while sitting in a comfortable chair in a Modern office setting

Microsoft Productivity Score and personalized experiences—here’s what’s new to Microsoft 365 in October

As I reflect on an action-packed few weeks, I’m struck by how much work has evolved in these past months. And I know our customers feel it too. After quickly moving to remote and hybrid work models this spring, organizations are now seeking sustainable ways to help people collaborate, be productive, and prioritize their wellbeing…

Image for: Microsoft employees working remotely.

Working remotely during challenging times

A Shanghai-based Microsoft employee shares lessons of working remotely during the COVID-19 outbreak.