If you are using Microsoft 365 Defender security features such as Anti-Phishing, Anti-Spam, ATP Safe Attachments, etc., the most reliable way to ensure email delivery is to use the „Advanced Delivery“ feature in Microsoft 365 Defender.
If you are using additional email filter systems, make sure they do not interfere with the DKIM signature check. You can check whether the DKIM signature is valid by looking at the „Authentication-Results“ header, which must contain a „dkim=pass“ entry.
Setting up Advanced Delivery
- Go to Microsoft 365 Defender > Policies & rules > Threat policies > Advanced delivery and open the „Phishing Simulation“ tab.
- Click on „Edit“ to add a new domain and sending IP.
- Add „whitelisting.it-seal.de“ to the list of sending domains.
- Add „84.16.227.187“ to the list of sending IPs.
- Click „Save“ to apply the changes.
- Make sure you have successfully added one domain and one sending IP.
Background Information
DKIM-Signature not aligned
We use hundreds of dynamically generated sender domains during the phishing simulation, but Microsoft only allows up to 20 different base domains to be whitelisted. Advanced Delivery whitelisting works around this limitation because it does not check the sender domain but the domain of the DKIM signature instead. Typically this domain is the same as the sender domain (DKIM signature alignment), which is used to verify the sender. We deliberately mismatch the sender and DKIM domains to allow for this kind of whitelisting. This means that some tools might report a DKIM signature that is not aligned with the sender domain. This is intentional and does not affect the security or effectiveness of the whitelisting.
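The two checks described above (a „dkim=pass“ entry in the Authentication-Results header, and a DKIM signing domain that deliberately differs from the sender domain but matches the domain entered in Advanced Delivery) can be verified on a saved message with the following script. It is an added example, not code from IT-Seal or Microsoft; the two sample messages are constructed, the From domain „sim-campaign-0042.invalid“ is a made-up placeholder for one of the dynamically generated sender domains, and the script does not verify the cryptographic signature itself or the sending IP, it only reads what the receiving mail server already recorded in the headers.

```python
# Added example (not IT-Seal's or Microsoft's code): read the DKIM-Signature and
# Authentication-Results headers of a raw message and report whether
# (a) the receiving server recorded dkim=pass,
# (b) the DKIM d= domain is aligned with the From domain, and
# (c) the DKIM d= domain is the one entered in Advanced Delivery.
# Standard library only.
import email.utils
import re
from email import policy
from email.parser import BytesParser

# Domain that the page says is entered as the sending domain in Advanced Delivery.
ALLOWED_DKIM_DOMAINS = {"whitelisting.it-seal.de"}

# Constructed sample: From domain (made-up placeholder) differs on purpose from
# the DKIM d= domain, and the receiving MX recorded dkim=pass.
SIM_MESSAGE = b"""\
Authentication-Results: mx.contoso.invalid; dkim=pass header.d=whitelisting.it-seal.de header.s=sel1; spf=pass smtp.mailfrom=sim-campaign-0042.invalid
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=whitelisting.it-seal.de; s=sel1; h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersignature=
From: "IT Helpdesk" <helpdesk@sim-campaign-0042.invalid>
To: user@contoso.invalid
Subject: Password expiry notice

Please review the attached policy.
"""

# Constructed sample: the same mail after an intermediate filter rewrote the body,
# so the server in front of Microsoft 365 now records dkim=fail.
MODIFIED_MESSAGE = SIM_MESSAGE.replace(
    b"dkim=pass header.d=whitelisting.it-seal.de",
    b"dkim=fail (body hash did not verify) header.d=whitelisting.it-seal.de",
)


def _address_domain(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>', lower-cased."""
    _name, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dkim_signature_domains(msg) -> list:
    """The d= tag of every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            domains.append(m.group(1).lower())
    return domains


def dkim_verdicts(msg) -> list:
    """(result, header.d) pairs from every Authentication-Results header."""
    verdicts = []
    for ar in msg.get_all("Authentication-Results", []):
        for clause in str(ar).split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                d = re.search(r"header\.d=([^\s;]+)", clause)
                verdicts.append((m.group(1).lower(), d.group(1).lower() if d else ""))
    return verdicts


def check_message(raw: bytes, allowed_dkim_domains=ALLOWED_DKIM_DOMAINS) -> dict:
    """Summarise the DKIM state of one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _address_domain(str(msg.get("From", "")))
    sig_domains = dkim_signature_domains(msg)
    verdicts = dkim_verdicts(msg)
    # Simplified relaxed alignment: From domain equals the signing domain or is a
    # subdomain of it. For the simulation mails this is expected to be False.
    aligned = any(from_domain == d or from_domain.endswith("." + d) for d in sig_domains)
    dkim_pass = any(result == "pass" for result, _ in verdicts)
    allowed = any(d in allowed_dkim_domains for d in sig_domains)
    return {
        "from_domain": from_domain,
        "dkim_domains": sig_domains,
        "dkim_pass": dkim_pass,
        "aligned": aligned,
        "dkim_domain_allowed": allowed,
        # Advanced Delivery matches on the verified DKIM domain, so both are needed.
        "deliverable_via_advanced_delivery": dkim_pass and allowed,
    }


if __name__ == "__main__":
    for label, raw in (("simulation mail", SIM_MESSAGE), ("mail altered by a filter", MODIFIED_MESSAGE)):
        print(label, check_message(raw))
```

For the unmodified sample the script reports dkim_pass and dkim_domain_allowed as True with aligned False, which is exactly the intended state; for the sample altered by an upstream filter, dkim_pass becomes False and the mail would no longer match the Advanced Delivery rule even though the DKIM domain is whitelisted. Pointing the script at a real message saved as .eml from a test run shows which of the two conditions an intermediate filter has broken.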
ATP SafeLink Whitelisting
If you are using ATP Safe Links, you also need to configure a list of „Simulation URLs to allow“ to prevent links from being blocked by Microsoft. Please contact IT-Seal for the list of domains for your project.