DKIM sign all internal e-mails
On a tenant with DKIM configured and enabled, using a domain with a configured DMARC policy, Microsoft does not DKIM sign the message.
This might seem fine to Microsoft: the message originates and terminates within their system, and to Microsoft there's no reason to enable features that allow other systems to verify the authenticity of those e-mails.
This ignores third-party e-mail filters that hook into O365 to catch phishing attempts. Phishing of internal e-mail domains would be the most difficult to catch for average users.
Another scenario, not involving third-party solutions, is that DMARC alignment of forwarded e-mails from within a tenant is not performed. The lack of signing of internal e-mails means that if those e-mails are altered and forwarded outside of the organization, DMARC alignment cannot be performed to catch unauthorized alteration of a person's correspondence.
Such alterations to correspondence could include banking details, or a person's views on a topic that a rogue actor would benefit from simulating.
That could be avoided if Microsoft just indiscriminately signed messages originating in O365 regardless of where they terminate. The e-mail correspondence would be much safer.
This should at the very least be an option to enable within the DKIM configuration.
We need this feature added to the account.
Cornelius Roemer commented
Good point! I'd like this, too.
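To make the request concrete, here is an added example (not part of the feature request or of any Microsoft code) of what a downstream filter could and could not detect: a minimal DKIM-style signer and verifier with RFC 6376 relaxed canonicalization, plus a DMARC strict-alignment check of the `d=` domain against the `From:` domain. Assumptions, all labelled in the code: HMAC-SHA256 with a shared key stands in for the RSA signature real DKIM uses (`a=hmac-sha256` is not a real DKIM algorithm), the domain `example.com`, selector `selector1`, key and messages are constructed, and alignment is checked in strict mode. The unsigned case is the intra-tenant situation the post describes; the altered-body and altered-header cases show what signing would catch.

```python
"""Added example (not from the feature request above): a minimal DKIM-style
signer/verifier plus a DMARC identifier-alignment check.

Assumptions (labelled): HMAC-SHA256 with a shared key stands in for the RSA
signature real DKIM uses (a=hmac-sha256 is not a real DKIM algorithm); the
domain, selector, key and messages are constructed; alignment is checked in
DMARC 'strict' mode (exact domain match)."""
import base64
import hashlib
import hmac
import re

SIGNING_DOMAIN = "example.com"          # d= tag (constructed)
SELECTOR = "selector1"                  # s= tag (constructed)
SECRET = b"constructed-demo-key"        # stands in for the RSA private key
SIGNED_HEADERS = ["From", "To", "Subject", "Date"]


def get_header(headers, name):
    """First header value with the given (case-insensitive) name, or None."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim, add CRLF."""
    v = re.sub(r"\r?\n[ \t]+", " ", value)
    v = re.sub(r"[ \t]+", " ", v).strip()
    return f"{name.lower()}:{v}\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP, strip trailing WSP and trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def _body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def _signature_input(headers, signed_names, dkim_value):
    """Canonicalized signed headers, then the DKIM-Signature header with b= empty."""
    data = "".join(relaxed_header(h, get_header(headers, h) or "") for h in signed_names)
    return data + relaxed_header("DKIM-Signature", dkim_value).rstrip("\r\n")


def sign(headers, body):
    """Return a copy of headers with a DKIM-Signature header prepended."""
    dkim = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={SIGNING_DOMAIN}; s={SELECTOR}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={_body_hash(body)}; b=")
    mac = hmac.new(SECRET, _signature_input(headers, SIGNED_HEADERS, dkim).encode(), hashlib.sha256)
    return [("DKIM-Signature", dkim + base64.b64encode(mac.digest()).decode())] + headers


def verify(headers, body):
    """Return (signature_ok, aligned, reason) for a message."""
    sig = get_header(headers, "DKIM-Signature")
    if sig is None:
        return False, False, "unsigned: alteration cannot be detected"
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags.get("bh") != _body_hash(body):
        return False, False, "body hash mismatch: body altered after signing"
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig)  # b= is excluded from its own input
    mac = hmac.new(SECRET, _signature_input(headers, tags["h"].split(":"), stripped).encode(),
                   hashlib.sha256)
    if not hmac.compare_digest(base64.b64encode(mac.digest()).decode(), tags.get("b", "")):
        return False, False, "signature mismatch: a signed header was altered"
    from_domain = (get_header(headers, "From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    aligned = from_domain == tags["d"].lower()  # DMARC strict alignment
    return True, aligned, "signature valid" + ("" if aligned else ", but d= does not align with From:")


def demo():
    """Constructed internal message in the states the request discusses."""
    headers = [("From", "Alice <alice@example.com>"), ("To", "bob@example.com"),
               ("Subject", "Updated banking details"),
               ("Date", "Mon, 1 Jan 2024 09:00:00 +0000")]
    body = "Please pay invoice 42 to IBAN DE00 1111 2222 3333 4444 55\r\n"
    signed = sign(headers, body)
    altered_hdrs = [("Subject", "URGENT: pay today") if n == "Subject" else (n, v) for n, v in signed]
    misaligned = [("From", "Alice <alice@partner.example>")] + headers[1:]
    return {
        "unsigned": verify(headers, body),                     # today's intra-tenant case
        "signed_intact": verify(signed, body),
        "signed_refolded": verify(signed, body + "\r\n\r\n"),  # benign relay changes survive
        "signed_body_altered": verify(signed, body.replace("1111", "9999")),
        "signed_header_altered": verify(altered_hdrs, body),
        "signed_misaligned": verify(sign(misaligned, body), body),
    }


if __name__ == "__main__":
    for case, (ok, aligned, reason) in demo().items():
        print(f"{case:24s} sig_ok={ok!s:5s} aligned={aligned!s:5s} {reason}")
```

Relaxed canonicalization is what lets a signature survive the whitespace and line-ending changes a forwarding hop introduces while still catching a changed IBAN or subject; the `signed_misaligned` case shows that a valid signature alone is not enough for DMARC, since the signing domain must also match the visible `From:` domain. Real verification would fetch the public key from `selector1._domainkey.example.com` in DNS and check an RSA or Ed25519 signature instead of the shared-key HMAC used here.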