DKIM signing on inbound and outbound messages

DKIM (DomainKeys Identified Mail) is an email authentication protocol that prevents spammers and other malicious parties from impersonating a legitimate domain. It ensures that an email has not been altered in transit.

Messages with a DKIM signature should not be modified, but this can prevent Secure Email Gateway from applying modifications, such as sanitization, redaction, and adding a disclaimer, to the messages. You can configure how DKIM signing is managed for both inbound and outbound emails to allow the Gateway to make these modifications to messages, and to prevent downstream DKIM failures.

The behavior for preserving DKIM signatures differs between inbound and outbound messages, so it is important that you configure this correctly for each direction of email traffic.

For inbound messages

What you can configure in the Gateway (notes are listed under each option):
Remove the original DKIM signature
  • This is the default setting.

Preserve the original DKIM signature
  • Preserving DKIM signatures can be enabled or disabled per hosted domain, to allow for a mixture of M365 and non-M365 hosted domains.

  • If preserving DKIM signatures is enabled for inbound messages, then the messages can still be modified by the Gateway, and it is up to the downstream mailbox or gateway to handle this situation appropriately.

For outbound messages

What you can configure in the Gateway (notes are listed under each option):
Remove the original DKIM signature
  • This is the default setting.

Remove the original DKIM signature and then sign with a new DKIM signature

Preserve the original DKIM signature
  • Preserving DKIM signatures can only be enabled or disabled globally, so it affects all outbound messages.

  • If preserving DKIM signatures is enabled for outbound messages, then the messages will not be modified by the Gateway.
