On 5 Jun 2024, at 13:56, Cyril - ImprovMX via mailop <mailop@mailop.org> wrote:

> @Graeme, I'd join @John on this; if Microsoft can validate a domain DNS, they
> should make it mandatory to sign using the domain name and not some
> unverifiable *.onmicrosoft.com.
> Nowadays even more when you want to have domain alignment with DMARC.

Microsoft 365’s Exchange Online component - with which I have a sometimes-hate/sometimes-marginally-less-hate relationship through work - is an immensely flexible, configurable beast with a zillion different options. The primary issue for me isn’t the spam side of it, it’s the fact that any vaguely IT literate person can create a tenancy and then try to set it up following a zillion different “best” practice guides on the web.

There’s only a single instance where adding a custom domain, doing the DNS validation, and then being forced automatically into using DKIM on that domain would work, and that’s where every single moving part of the email domain is within the tenancy. If any part of it is an externality such as an external filtering system, or an archiving system, or some form of governance system then it all falls apart very quickly.

As we all know, SMTP ain’t actually simple at all. Sigh.

Graeme

PS I’m definitely on the hate side today, having discovered that to actually _use_ MS’s implementation of DKIM, I may well have to shell out a 6 figure GBP sum. If anyone can demonstrate to me that outbound DKIM signing in Exchange Online Protection is possible, and working, without any additional Defender for M365 licenses then the beers are on me. So far all my research points to it being a paid-for feature!