Problem
Why is DKIM signing using your own domain name more important than using an onmicrosoft.com DKIM key?
Solution

DKIM (DomainKeys Identified Mail) is an email authentication method in which the sending system signs selected headers and the message body with a private key and publishes the matching public key in DNS under the signing domain (the d= tag of the DKIM-Signature header). The receiving server can then check that the message was authorised by that domain and that the signed content has not been modified in transit. This helps to prevent email spoofing, a type of attack where an attacker sends an email that appears to come from a legitimate source but is in fact a fake. Note that DKIM on its own only proves which domain signed the message, not that the signing domain matches the From: address the recipient sees; tying the two together is the job of DMARC.
For Office 365 / Microsoft 365 customers, there are two options when setting up DKIM: enable signing with your own (custom) domain name, or keep the default, in which Exchange Online signs outbound mail with the <tenant_name>.onmicrosoft.com domain provided by Microsoft.
While both options protect the message contents against tampering, signing with your own domain name is generally considered more important, for the following reasons:
- Builds trust with recipients: When the DKIM signature verifies under your own domain name (d=yourdomain.com), it is a much stronger indication that the email is legitimate, because that domain is directly associated with you. A tenant subdomain under onmicrosoft.com is associated only with your service provider.
- Protects brand reputation: If an attacker is able to spoof an email from your domain, it damages your reputation and your relationship with your customers. Signing with your own domain name gives recipients a way to verify that mail claiming to come from your brand really was sent by you, which is the basis for rejecting the mail that was not.
- Better control over email security: When you sign with your own domain, the selector records that publish the keys live in your own DNS zone, and you decide when signing is enabled, when keys are rotated and when a key is withdrawn, rather than relying entirely on the provider's defaults.
- Better deliverability: Receiving providers use spam filters and reputation algorithms that score the signing domain. With your own domain, every signed message you send builds reputation for you. With the default <tenant_name>.onmicrosoft.com signature, the d= domain gives the receiver no way to tie the message to your brand, and its organisational domain (onmicrosoft.com) is shared with every other Microsoft 365 tenant, so your sending history earns you little credit.
- Allows DMARC alignment: DMARC only counts a DKIM pass if the d= domain aligns with the visible From: domain, either exactly (adkim=s, strict) or by sharing the same organisational domain (adkim=r, relaxed). A signature with d=<tenant_name>.onmicrosoft.com never aligns with a From: address at your domain, in relaxed or strict mode, so DMARC has to fall back on SPF alone. SPF fails whenever mail is forwarded or relayed through a mailing list, so without an aligned DKIM signature you cannot safely move to p=quarantine or p=reject.
- Customisation: Signing with your own domain lets you tune the authentication setup to your needs, for example choosing the key size, rotating selectors on your own schedule, and having other systems that send as your domain sign with it too, so that all of your mail aligns with one DMARC policy.
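To make the alignment point concrete, here is an added Python example (not part of the original answer and not Microsoft code) that reads the d= tag from a DKIM-Signature header and tests it against the From: domain the way a DMARC verifier does. The two messages are constructed samples with dummy signature values; the example assumes the signature itself has already verified cryptographically and simplifies the organisational-domain lookup (no Public Suffix List).

```python
"""DMARC identifier alignment check for DKIM signatures (constructed samples)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages, not real mail. Signature values are dummies;
# this example checks alignment only and assumes the DKIM signature verified.
CUSTOM_DOMAIN_MSG = """\
From: Alice <alice@contoso.com>
To: bob@fabrikam.com
Subject: Invoice 4711
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com;
 s=selector1; h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=

Please find the invoice attached.
"""

# Same From: address, but signed with the tenant's default onmicrosoft.com domain.
MOERA_MSG = """\
From: Alice <alice@contoso.com>
To: bob@fabrikam.com
Subject: Invoice 4711
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=contoso.onmicrosoft.com; s=selector1; h=from:to:subject;
 bh=ZHVtbXk=; b=ZHVtbXk=

Please find the invoice attached.
"""

# d= tag: preceded by start of value or ';', folding whitespace allowed.
_D_TAG = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def parse_message(raw: str) -> Message:
    return message_from_string(raw)


def organizational_domain(domain: str) -> str:
    """Organisational domain as DMARC uses it.

    Simplified to the last two labels; a real verifier consults the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From: header, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def dkim_signing_domains(msg: Message) -> list:
    """All d= tags from DKIM-Signature headers, folded headers included."""
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        match = _D_TAG.search(header)
        if match:
            domains.append(match.group(1).lower())
    return domains


def dkim_aligned(msg: Message, adkim: str = "r") -> bool:
    """DMARC DKIM alignment (RFC 7489 section 3.1.1).

    adkim='s': d= must equal the From: domain exactly.
    adkim='r': d= and the From: domain must share an organisational domain.
    """
    fd = from_domain(msg)
    for d in dkim_signing_domains(msg):
        if adkim == "s" and d == fd:
            return True
        if adkim == "r" and organizational_domain(d) == organizational_domain(fd):
            return True
    return False


def dmarc_passes(msg: Message, spf_aligned: bool, adkim: str = "r") -> bool:
    """DMARC passes when at least one aligned identifier authenticates.

    spf_aligned models the SPF outcome; it is False for forwarded mail,
    because the forwarder's IP is not in the original domain's SPF record.
    """
    return spf_aligned or dkim_aligned(msg, adkim)


if __name__ == "__main__":
    for label, raw in (("custom domain", CUSTOM_DOMAIN_MSG), ("onmicrosoft.com", MOERA_MSG)):
        m = parse_message(raw)
        print(f"{label}: d={dkim_signing_domains(m)} From={from_domain(m)} "
              f"strict={dkim_aligned(m, 's')} relaxed={dkim_aligned(m, 'r')} "
              f"DMARC after forwarding={dmarc_passes(m, spf_aligned=False)}")
```

Run it and the contoso.onmicrosoft.com message fails alignment in both modes, so once SPF fails (forwarded mail) DMARC fails too, while the contoso.com message still passes on its DKIM signature alone. On real mail, the Authentication-Results header added by the receiving server carries the same d= value (header.d=), which is a quick way to see which domain your tenant is currently signing with.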
In short, a DKIM signature that verifies under your own domain is the signal that recipients, reputation systems and your own DMARC policy can all act on, because that domain is directly associated with your brand. A signature under the onmicrosoft.com domain provided by your Office 365 cloud provider proves only that some Microsoft 365 tenant sent the message.