Summary
The consensus from experts, marketers, and documentation suggests that while DKIM configuration is a vital part of email authentication for Google Workspace and O365, it's not entirely sufficient on its own. For non-bulk mail, any DKIM might suffice, but alignment is preferable, while bulk mail necessitates alignment. Custom DKIM records specific to your domain are crucial for improved deliverability and proper authentication, overcoming limitations of default configurations. Integration with SPF and DMARC is essential for a robust defense against spoofing and phishing, with DMARC providing the policy framework for handling authentication failures. Proper DKIM setup involves generating keys, adding DNS records, and enabling signing, with Microsoft recommending two keys for redundancy. Failing to configure DKIM correctly can lead to emails being marked as spam.
Key findings
- DKIM Necessity: DKIM is a critical component of email authentication, verifying that the email was sent and authorized by the domain owner.
- Alignment Matters: For bulk mail, DKIM alignment is crucial; for non-bulk, it is a good idea. DMARC alignment is also important, and a default Microsoft setup may cause issues.
- Custom Records: Creating custom DKIM records specific to your domain is essential for improved deliverability in Google Workspace and O365.
- Combined Approach: DKIM is most effective when combined with SPF and DMARC for comprehensive protection against spoofing and phishing.
- Configuration Steps: Setting up DKIM involves generating keys, adding DNS records, and enabling signing.
- The importance of DMARC: DMARC is very important as this tells the recieving mail server what to do with messages that fail authentication checks.
Key considerations
- Google Workspace Configuration: Generate a DKIM record specifically for Google Workspace and add it to DNS, even if other DKIM records exist.
- O365 Configuration: Enable DKIM for O365 and ensure alignment with your domain, avoiding default Microsoft setups that may cause DMARC issues. Use PowerShell for key creation, and consider two keys for redundancy.
- SPF and DMARC Integration: Implement SPF and DMARC in addition to DKIM for a complete email authentication strategy.
- Failure Consequences: Failure to implement or incorrectly configure DKIM may result in emails being marked as spam.
- Holistic Security: Understand that DKIM alone is not sufficient to fully protect against spoofing and phishing; SPF and DMARC are needed.
- Bulk Email Considerations: Be particularly attentive to DKIM and SPF configuration when sending bulk email.
What email marketers say
6 marketer opinions
The responses indicate that while DKIM configuration is crucial for email authentication in both Google Workspace and O365, it may not be sufficient on its own. Proper DKIM setup, especially with custom records specific to your domain, improves deliverability and sender reputation. It's also essential to align DKIM with SPF and DMARC for comprehensive email security. Default configurations provided by Microsoft may not be sufficient and can cause DMARC alignment issues. Failing to implement or incorrectly configure DKIM might result in emails being marked as spam by some providers.
Key opinions
- DKIM Importance: DKIM is a critical component of email authentication that helps to prove the email was sent and authorized by the owner of the domain.
- Custom DKIM records: Creating custom DKIM records specific to your domain is essential for improving deliverability in Google Workspace and O365.
- DMARC alignment: It’s crucial to ensure DKIM aligns with your domain, particularly for O365, where default DKIM setups may cause issues with DMARC.
- SPF integration: DKIM and SPF are essential email authentication methods and should be used in conjunction.
- Deliverability Improvement: Properly configured DKIM improves email deliverability and sender reputation.
Key considerations
- Google Workspace Setup: Generate a DKIM record specifically for Google Workspace and add it to the DNS records.
- O365 Configuration: Enable DKIM for O365 and ensure it aligns with your domain; avoid using the default Microsoft domain for DKIM.
- Comprehensive Authentication: Integrate DKIM with SPF and DMARC for comprehensive email security and to tell the receiving mail server what to do with messages that fail authentication.
- Potential Spam Marking: Failure to implement or incorrectly configure DKIM may result in emails being marked as spam.
- High Deliverability: DKIM is very important for a high deliverability rate and is highly recommended for all customers and domains.
Marketer view
Email marketer from Mailjet shares that DKIM and SPF are two essential email authentication methods and the two should be used in conjunction. They add digital signatures to emails, which recipients can then verify, and prevent malicious actors from sending emails as someone else.
16 Mar 2022 - Mailjet
Marketer view
Email marketer from StackExchange answers that for O365, it’s crucial to enable DKIM and ensure it aligns with your domain. Microsoft’s default DKIM setup might use a Microsoft domain, which can cause issues with DMARC alignment. Custom DKIM configuration is highly recommended.
27 Sep 2022 - StackExchange
What the experts say
5 expert opinions
The provided answers suggest that while DKIM configuration is an important aspect of email authentication for Google Workspace and O365, it is not entirely sufficient on its own. For non-bulk mail, any DKIM might be enough, but alignment is recommended. When sending bulk mail, alignment becomes necessary. Real-world scenarios highlight uncertainties about the adequacy of generic Microsoft DKIM signatures. Experts recommend combining DKIM with SPF and DMARC for a robust email authentication strategy, with DMARC providing the policy layer that dictates how receiving mail servers should handle messages failing authentication checks.
Key opinions
- DKIM Sufficiency: DKIM alone might be sufficient for non-bulk email, but alignment is preferable.
- Bulk Mail: For bulk mail, DKIM alignment is crucial.
- Generic Signatures: The adequacy of generic Microsoft DKIM signatures in O365 for SMBs is uncertain.
- Authentication Pillars: DKIM is one of the essential pillars of modern email authentication, alongside SPF and DMARC.
- DMARC's Role: DMARC provides the policy layer for handling messages that fail DKIM and SPF checks.
Key considerations
- Alignment Importance: Ensure DKIM alignment, especially when sending bulk email.
- Signature Assessment: Assess the adequacy of generic DKIM signatures, especially in SMB environments using O365.
- Holistic Approach: Implement DKIM in conjunction with SPF and DMARC for comprehensive email authentication.
- Policy Implementation: Understand and implement DMARC policies to instruct receiving mail servers on handling authentication failures.
- Real-World Testing: Monitor and test DKIM, SPF and DMARC setups in the real world to ensure effectiveness.
Expert view
Expert from Word to the Wise explains that while DKIM is important, it's DMARC that tells the receiving mail server what to do with messages that fail authentication checks. It's a crucial policy layer on top of DKIM and SPF.
25 May 2023 - Word to the Wise
Expert view
Expert from Email Geeks explains that for non bulk mail any DKIM is sufficient, but alignment is a good idea.
4 May 2023 - Email Geeks
What the documentation says
4 technical articles
The provided documentation outlines the steps to configure DKIM for Google Workspace and O365, highlighting its role in verifying email authenticity through digital signatures. Google Workspace requires generating a DKIM key, adding it to DNS, and enabling DKIM signing. O365 involves PowerShell commands to create and publish DKIM keys, emphasizing the use of two keys for redundancy. While DKIM is essential, it is most effective when combined with SPF and DMARC to protect against spoofing and phishing attacks. DKIM alone establishes a domain-level authentication framework by associating a domain name with an email message.
Key findings
- DKIM Setup Steps: Setting up DKIM involves generating keys, adding DNS records, and enabling signing.
- Redundancy: Microsoft recommends using two DKIM keys for redundancy and rotation.
- Comprehensive Security: DKIM is most effective when used with SPF and DMARC for comprehensive protection.
- Authentication Framework: DKIM defines a domain-level authentication framework using digital signatures.
Key considerations
- Google Workspace Configuration: Follow the steps in the Google Workspace admin console to generate the DKIM key and enable signing.
- O365 PowerShell: Use PowerShell to create and publish DKIM keys in O365, and ensure two keys are configured.
- SPF and DMARC Integration: Plan to implement SPF and DMARC in addition to DKIM for a complete email authentication strategy.
- Protect Against Attacks: Understand that DKIM alone is not sufficient to fully protect against spoofing and phishing; SPF and DMARC are needed to complete this objective.
Technical article
Documentation from Microsoft Support details that to configure DKIM for O365, you need to use PowerShell to create DKIM signing keys, publish them to DNS, and then enable DKIM signing. It emphasizes the importance of using two DKIM keys for redundancy and rotation purposes.
3 Jun 2024 - Microsoft Support
Technical article
Documentation from RFC explains that DKIM defines a domain-level authentication framework for email using digital signatures. DKIM permits signing email senders to associate a domain name with an email message, thereby attesting to its authenticity.
25 Aug 2021 - RFC
Do SPF and DKIM records need to be aligned for all email service providers?
How can I ensure email compliance with Yahoo/Google rules including DMARC, SPF, and FcrDNS?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I troubleshoot and fix SPF and DMARC settings for email deliverability issues?
How do SPF, DKIM, and DMARC email authentication standards work?
What are SPF, DKIM, and DMARC, and when are they needed?
