Overview

This article addresses a specific issue observed with Exchange Online's handling of DNS queries for DKIM (DomainKeys Identified Mail) verification, which can lead to email alignment failures and potential email delivery issues. The core of the problem lies in Exchange Online's internal timeout setting for DNS lookups, which, if exceeded, results in DKIM verification failures due to "record not found" errors.

Problem Description

It was discovered by some users on Reddit that Exchange Online uses an internal DNS lookup timeout of 500 milliseconds. If the lookup for a DKIM TXT record takes longer than this threshold, Exchange Online treats the lookup as a failure to find the record ("record not found") rather than as a temporary error. This becomes a problem when messages are double-signed with one aligned and one unaligned DKIM signature: a slow lookup for the aligned signature's record can cause Exchange Online to fail the DKIM check on a message that otherwise complies with the DKIM standard.

Symptoms

  • Emails that are double-signed with one aligned and one unaligned DKIM signature may fail DKIM checks when processed by Exchange Online.
  • This failure occurs despite the IETF DKIM standard, which states that a message should pass DKIM verification if at least one signature is verified and aligned.

Investigation and Findings

An in-depth investigation, including a PowerShell script written to measure the DNS query response time for the specific records involved, revealed that the TXT record hosted on the sending domain's nameservers (the target of the DKIM CNAME) occasionally took longer than 500 milliseconds to resolve.

DNS Setup for Testing

  • A CNAME record hosted on the organization's authoritative nameservers.
  • A TXT record hosted on the nameservers of the sending (mailfrom) domain.

Extensive testing and logging identified that delays in DNS query responses were at times responsible for the observed DKIM verification failures.

Recommendations

To mitigate the risk of DKIM verification failures due to DNS query timeouts in Exchange Online, consider the following recommendations:

  1. Optimize DNS Performance: Ensure that your DNS setup, especially for DKIM TXT records, is optimized for fast responses. This may involve evaluating and possibly changing DNS providers or configurations to improve response times.
  2. Monitor DNS Query Times: Utilize scripts or tools to monitor the response times of your DNS queries, particularly for DKIM-related records. This can help identify potential issues before they impact email delivery.
  3. Engage with Microsoft Support: For organizations experiencing persistent issues, engaging with Microsoft Support may provide additional insights or solutions tailored to your specific environment.
  4. Consider DNS Provider Features: Some DNS providers offer features specifically designed to improve the reliability and speed of DNS lookups. Evaluating these options can provide benefits beyond just email delivery.
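The measurement described under Investigation and Findings and the monitoring suggested in recommendation 2 can be done with a script like the one below. It is an added example written for this article, not the script from the original investigation; the selector and domain are placeholders, the resolver address is an assumption you should replace with the resolver you want to test, and the 500 ms threshold is the timeout reported above.

```powershell
# Time repeated lookups of a DKIM selector record and flag any sample that
# exceeds Exchange Online's reported 500 ms timeout or returns no TXT record.
# 'selector1', 'example.com' and the resolver 8.8.8.8 are placeholders (assumptions).
param(
    [string]$Selector    = 'selector1',    # placeholder DKIM selector
    [string]$Domain      = 'example.com',  # placeholder sending (mailfrom) domain
    [string]$Server      = '8.8.8.8',      # resolver to test against; replace as needed
    [int]   $ThresholdMs = 500,            # timeout reported for Exchange Online
    [int]   $Samples     = 20
)

$name = "$Selector._domainkey.$Domain"

$results = foreach ($i in 1..$Samples) {
    # Flush the local cache so every sample is a real query, including the
    # CNAME hop to the TXT record on the sending domain's nameservers.
    Clear-DnsClientCache
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly restricts resolution to the DNS protocol (no LLMNR/NetBIOS)
        $answer = Resolve-DnsName -Name $name -Type TXT -Server $Server -DnsOnly -ErrorAction Stop
        $sw.Stop()
        $txt   = ($answer | Where-Object Type -eq 'TXT'   | Select-Object -First 1).Strings -join ''
        $cname = ($answer | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
        [pscustomobject]@{
            Sample = $i; Ms = $sw.ElapsedMilliseconds
            Found  = ($txt -like 'v=DKIM1*'); ViaCname = $cname; Error = $null
        }
    } catch {
        $sw.Stop()
        [pscustomobject]@{
            Sample = $i; Ms = $sw.ElapsedMilliseconds
            Found  = $false; ViaCname = $null; Error = $_.Exception.Message
        }
    }
    Start-Sleep -Milliseconds 250
}

$results | Format-Table Sample, Ms, Found, ViaCname, Error -AutoSize

# A sample counts as a likely DKIM failure if it was slower than the threshold
# or did not yield a DKIM1 TXT record at all.
$bad = @($results | Where-Object { $_.Ms -gt $ThresholdMs -or -not $_.Found })
$max = ($results | Measure-Object -Property Ms -Maximum).Maximum
'{0} of {1} lookups for {2} exceeded {3} ms or returned no DKIM record (slowest: {4} ms)' -f `
    $bad.Count, $Samples, $name, $ThresholdMs, $max
```

Latency measured from a workstation is not what Exchange Online's resolvers see, so treat samples near the threshold as a warning rather than proof, and repeat the measurement from more than one location and against the domain's authoritative nameservers.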

This KB article is intended for IT professionals and email administrators who manage Exchange Online and DKIM configurations. For more detailed instructions on implementing the recommendations or for further assistance, please contact your IT support team or DNS provider.