Is Domain Keys Identified Mail (DKIM) signature validation supported by Exchange?

Domain Keys Identified Mail (DKIM) is not supported by Exchange Server, for either incoming or outgoing mail.

There are third-party solutions available to sign outgoing mail with DKIM.

We are currently testing a DKIM validation for a future version of QSS Exchange Anti-Spam Toolkit. If you are specifically interested in a DKIM validation solution, send us a note using the Contact form.

We have found, however, that DKIM is not as effective as other filtering techniques, and it is not implemented by a lot of senders. Where it is implemented, is more inconsistent than SPF records. As a result, it is not very useful as a primary filtering mechanism, that is, where mail could be rejected purely on the basis of a DKIM validation failure.

The value in DKIM filtering may improve as it is implemented more widely. It could be used as a stamping and scoring tool where it increases the Spam Confidence Level (SCL) of a message and action is taken when a DKIM failure is combined with other characteristics, or messages are at least moved to junk.

There are unfortunately some technical challenges in implementing a DKIM filter in Exchange, due to the design of Exchange. DKIM requires the original, unmodified headers to be available for signature validation. Exchange sometimes modifies message headers before the first transport agent is executed, which can cause signature validation to fail (a false positive).

In short, the volume of spam which currently fails DKIM validation is quite low, and the rate of false positives is quite high.