Where oh where did my DKIM go?

While helping a customer setup their Microsoft Office 365 tenant this past week, we ran into an issue with enabling DKIM within Exchange Online.

Within the Exchange Admin Center (EAC), under protection > dkim, for each domain, the Enable option was completely missing.

It was a long shot, but I tried enabling it using PowerShell for Exchange Online with the New-DkimSigningConfig command for each domain as follows:

New-DkimSigningConfig -DomainName contoso.com -Enabled $true

ref: Microsoft Docs

Here is what the output looks like upon successfully calling New-DkimSigningConfig:

PS C:\Users\contosoadmin> New-DkimSigningConfig -DomainName mydomain.com -Enabled $true
WARNING: The config was created but can't be enabled because the CNAME records
aren't published. Publish the following two CNAME records, and then enable the
config by using Set-DkimSigningConfig.
selector1-mydomain-com._domainkey.myO365org.onmicrosoft.com
selector2-mydomain-com._domainkey.myO365org.onmicrosoft.com

Domain        Enabled
------        -------
mydomain.com  False

Then, back within the Exchange Admin Center (EAC), under protection > dkim, I can now select the domain I just created a new DKIM Signing Config for, and click to Enable it as seen in the following screen shot.

Before you can Enable it though, you have to add the expected CNAME records to DNS.  I have a separate post covering the required DNS additions.

Thankfully, this worked, and now next to each domain within EAC, DKIM shows as enabled, and presents the expected options “Disable” and “Rotate” (to rotate the DKIM key):

If this post was helpful to you, please Tweet and share it with others.

Leave a Reply