How to enable DKIM for Journaling?

nt 21 Reputation points
2023-01-05T19:52:41.827+00:00

Hi,
I have configured journaling in my Exchange Online account and I was able to validate the connector and receive journal reports to a postfix server. I'm thinking about authenticating this journal traffic with DKIM on the receiving side.
I noticed that O365 "Test email for connector validation" mail received by postfix included DKIM-Signature header with default signing domain (onmicrosoft.com), however the journal reports I received by sending emails between two users didn't include DKIM-Signature. I tried enabling/disabling DKIM for the default domain but it seems like journaled mails are not being signed.
What am I missing here? Is this supported by Exchange online?
Thanks!

Microsoft Exchange Online
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,342 questions
Accepted answer
  1. Yuki Sun-MSFT 40,931 Reputation points
    2023-01-06T06:35:43.467+00:00

    Hi @nt ,

    however the journal reports I received by sending emails between two users didn't include DKIM-Signature.

    I tested from my side and also noticed that the journal reports mails don't include DKIM signature:
    276630-1.png
    Considering that there's no other more DKIM related settings available in Exchange online, I assume it's just a by-design behavior that DKIM signatures are omitted under this kind of condition.

    By the way, although journaling content outside Microsoft 365 is still supported, it's highly recommended to use Microsoft 365 retention and other Microsoft Purview compliance solutions that keep the data within your tenant. More details, see Considerations for journaling.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Brian Reid (Microsoft 365 MVP) 6 Reputation points MVP
    2023-01-06T22:14:14.777+00:00

    Journal reports are system generated messages, and so as such avoid lots and lots of the processes the Exchange Online apply to non-system messages (ie standard email messages). For example mail flow rules and inbox rules do not apply to journal reports. So I am not surprised that DKIM would not be applied to this message type either.

    1 person found this answer helpful.
    0 comments
  2. nt 21 Reputation points
    2023-01-17T13:47:02.0866667+00:00

    Thanks Yuki/Brian, I have accepted one of the answer but both your input is valuable.

    Would this feature be possible in future? it seems journaled email flow could be spoofed easily without some protection.