Allow DKIM Setup with TXT DNS Records (see RFC-6376, RFC-4871)
Currently it is only possible to set up DKIM with CNAME records, but many ISPs around the globe don't support CNAME records with the "_" character in them. This might be wrong by RFC and is an issue.
Nevertheless, it is also wrong to tie setting up DKIM to CNAME records only.
The mentioned RFCs suggest the use of TXT records, so Exchange Online should also allow the use of TXT records.
Alan McFarlane commented
We’ve got our hosting at one of the stupid ISPs that block _ in CNAMEs. We’ve just moved our DNS to Cloudflare’s free service and that works great. You also get all the other lovely features they provide.
If Microsoft were to support direct TXT values then that would break the useful auto key rotation that the CNAME indirection provides.
However, if I remember correctly, my ISP blocks only _ in the *value* of the CNAME. Thus Microsoft could provide the TXT record with a name that does not include any _. Since this record is not public-facing it doesn't need the _, and that would work around the broken CNAME handling. As I remember, AWS provides the TXT with and without _.
Agree, the LDH rule is widely enforced by DNS providers, and breaching it severely limits customer choice of DNS providers.
Also, use of the default tenant domain in the CNAME means it will be visible in the DNS of ALL the domains - that is crazy. A number/code should be allocated for each domain to be used in the CNAME.
Douglas Plumley commented
Why couldn't you just take the value of the TXT record the CNAME points to and implement it as a TXT record you host? The challenge here is that when keys are rotated you will have to manually update the TXT record.
The CNAME is convenient, several other SMTP services use the same method.
Mario P. commented
This is a MUST have. So far it seems like DKIM is only enabled in the backend because of the CNAMEs, as Exchange Online loops saying that the CNAME already exists, as if the option to enable DKIM is only enabled by default for the built-in domain .onmicrosoft.com.
Please comply with the RFCs and get our end users up to speed on enabling such a vital, compliance-required setup.