
We've recently implemented DKIM for automated emails sent out from our website (SMTP on static IP). However, we cannot implement DKIM for our hosted Exchange email accounts (managed hosting sends from a range of IPs).

So in the DMARC reports I'm getting passes for emails sent from our website via SMTP, but fails for emails sent via the individual Exchange user accounts. SPF is also implemented and that passes for both.

As far as I can manage to find on the web, this should not hurt our reputation, but I'm keen to double check this as I'm not 100% certain our DMARC setting is OK:

v=DMARC1; p=none; rua=mailto:webmaster@mydomain.co.uk; pct=100

Example DMARC result:

<record>
<row>
  <source_ip>IPADDRESS OMITTED</source_ip>
  <count>1</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>fail</dkim>
    <spf>pass</spf>
  </policy_evaluated>
</row>
<identifiers>
  <header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
  <spf>
    <domain>mydomain.com</domain>
    <result>pass</result>
  </spf>
</auth_results>
</record>

Any input most appreciated. Thanks.

1 Answer


However we cannot implement DKIM for our hosted exchange email accounts (managed hosting sends from a range of IPs).

Your DMARC record is just fine.

For DKIM, it doesn't matter what IP address the server is sending from. Defining what IP addresses have permission to send from your domain is the realm of SPF. DKIM was designed specifically to solve the problem that SPF cannot adequately describe all mail flows. Examples of places where SPF is insufficient are:

  1. Your example, where a provider sends from a range of IPs
  2. Emails that are relayed through a forwarder
  3. Messages that transit email lists

So DKIM adds a cryptographic header signing each message. From there, it doesn't matter what IP address(es) the message(s) arrive from. The DKIM validator used by the receiver is going to look up your DKIM public key in DNS and use it to validate that the signed message it's evaluating was truly signed by you (or an agent of yours with your DKIM key).

Exchange doesn't have built-in support for DKIM but there is a DKIM plugin available. You could ask your provider if they support it. If they do, you'll need to generate a DKIM key, share the private DKIM key with your provider, and publish the public key in your DNS. I have written a shell script which automates key generation.

If your provider doesn't/can't/won't support DKIM, they might let you relay your outbound messages through another server that you control. That server would accept messages from your hosted Exchange and then DKIM sign them on their way out to the internet.

Matt Simerson
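As an added example (not code from the question or the answer), a small Python parser for the aggregate-report XML shown in the question: it treats a record as passing DMARC when either the aligned DKIM or the aligned SPF result in <policy_evaluated> is "pass", and flags sources that currently pass on SPF alone. The report body is constructed sample data using documentation IP addresses.

```python
"""Summarise DMARC aggregate-report records: which sources pass DMARC and how."""
import xml.etree.ElementTree as ET

# Constructed sample in the aggregate (rua) report format, using documentation IPs:
# the first record mirrors the question (SPF pass, DKIM fail), the second fails both.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>mydomain.com</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><spf><domain>mydomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarise(report_xml):
    """Return one dict per <record>. DMARC passes when either aligned result in
    <policy_evaluated> (dkim or spf) is 'pass'; spf_only marks sources that would
    start failing if their mail were forwarded, since forwarding breaks SPF."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        pe = rec.find("row/policy_evaluated")
        dkim = pe.findtext("dkim", "fail")
        spf = pe.findtext("spf", "fail")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": "pass" in (dkim, spf),
            "spf_only": spf == "pass" and dkim != "pass",
        })
    return rows
```

Run against a real report, the spf_only entries are the sources the answer is talking about: fine under DMARC today, but worth signing with DKIM before they are forwarded.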