Setting up DKIM for Microsoft 365

While Microsoft's instructions are a lot better than they used to be, they are still very broad, generally speaking, and link out to many other pages. They also generally start from one fixed point, and if you are coming at the issue from a different direction or already have half a solution in place… good luck!

These are my notes on the DKIM setup from my experience of a partial and pre-existing Microsoft Office 365 setup recorded here for my own sanity.

Getting Started

So much of the Microsoft admin experience is now PowerShell, and in a lot of cases only PowerShell. The Microsoft help guide is overly broad, walking you through connecting to ALL Microsoft Office 365 services in one hit.
If you just want to get DKIM sorted, you only need to connect to Exchange Online.

BUT FIRST…PowerShell

PowerShell seems to be becoming a can of worms: so many versions and dependencies that you end up working backwards before you can go forwards.
For anything useful you really need:

  • Windows 10
  • .Net 4.5
  • PowerShell 5.1 or PowerShell Core 6+

Installation snippets

First off, you'll probably need to install "PowerShellGet" if you're a relatively new accidental email / security administrator:
https://docs.microsoft.com/en-us/powershell/scripting/gallery/installing-psget

Install-Module -Name PowerShellGet -Force

Then you'll get a warning about the execution policy not allowing unsigned scripts. RemoteSigned lets locally written scripts run while still requiring anything downloaded from the internet to be signed. Scope the change to your own user rather than the whole machine unless you deliberately want a machine-wide policy (which also needs an elevated prompt):
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Now we can install the Exchange Online PowerShell V2 module (EXO V2):
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2

Install-Module -Name ExchangeOnlineManagement

Or, if you think you already have the module installed, you can check which version is loaded and update it like this:

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

Update-Module -Name ExchangeOnlineManagement

Connect to Exchange Online for accounts with MFA enabled

You DO have MFA on for ALL your administrative accounts don’t you? I wouldn’t expect anything less so that’s the only step I’m personally detailing here.

Connect-ExchangeOnline -UserPrincipalName <emailWithAdminRights> -ShowProgress $true

After this you may be prompted for MFA, or not if your machine and account are Azure AD joined and you already have a valid session. Some module information is displayed and checked, but once the prompt returns you are ready to proceed.

Back to DKIM

To set up DKIM signing for your email you need to:

  1. Add two (2) DNS CNAME records at your DNS provider
  2. Enable DKIM on your Microsoft Office 365 domain

The order matters: Exchange Online will refuse to enable signing for a domain until both CNAME records resolve, so publish DNS first and enable second.

If you have had Microsoft Office 365 set up for a while, or just want to check what is going on before you start entering random PowerShell commands, try this:

Get-DkimSigningConfig -Identity <domainName> | Format-List

Depending on the state of your setup and what was configured before, what comes back determines the additional steps you need to take.

Values returned

If you get a list of values back, look at the "Selector<n>KeySize" values (<n> being 1 and 2) and the Enabled value.
If Enabled is False, and the two CNAME records described below are already published, enable signing first:

Set-DkimSigningConfig -Identity <domainName>  -Enabled $true

Keys only 1024-bit

Manually upgrade your 1024-bit keys to 2048-bit. Rotation is not instant: Exchange Online publishes the new key under the currently inactive selector and switches signing over to it later, which is why both selector CNAMEs must stay in place permanently.

Rotate-DkimSigningConfig -KeySize 2048 -Identity <domainName>

No values returned

If you get nothing back you've not been down this path before, so create the signing config, specifying 2048-bit keys explicitly and leaving it disabled until the DNS records are in place:

New-DkimSigningConfig -DomainName <domainName> -KeySize 2048 -Enabled $false

Once created, extract the two CNAME target values you will need to enter at your DNS provider:

Get-DkimSigningConfig -Identity <domainName> | Format-List Selector1CNAME, Selector2CNAME 

Then, after you have added the two DNS records described in the next section and they have propagated, enable the new settings and keys (running this before the CNAMEs resolve fails with an error about the records not existing):

Set-DkimSigningConfig -Identity <domainName> -Enabled $true

DNS records

Finally, go to your DNS provider and add two new CNAME entries, one for selector1 and one for selector2. The selector2 record is identical apart from the selector name. <domainGUID> is your domain name with the dots replaced by dashes, and <initialDomain> is your tenant's original .onmicrosoft.com domain; both values are exactly what Get-DkimSigningConfig returned in Selector1CNAME and Selector2CNAME.

Host name:
selector1._domainkey
(if your provider appends the zone name automatically, enter only this part; otherwise selector1._domainkey.<domainName>)

Points to address or value:
selector1-<domainGUID>._domainkey.<initialDomain>

TTL:
3600 (1 hour)

Example: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
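The whole procedure above (get or create the config, print the CNAMEs, confirm they resolve to a published key, and only then enable signing, or rotate if the keys are still 1024-bit) as one script. This is an added example, not code from the original post or from Microsoft. It assumes an existing Connect-ExchangeOnline session, Windows PowerShell or PowerShell 7 on Windows (Resolve-DnsName comes from the built-in DnsClient module), and a domain name you pass in; the public resolver address is an assumption chosen to avoid stale answers from an internal DNS cache.

```powershell
# Added example (not from the original post): DKIM pre-flight and enable for one
# Microsoft 365 domain. Assumes Connect-ExchangeOnline has already been run.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # e.g. contoso.com (assumed placeholder)
    [string]$DnsServer = '8.8.8.8'                        # assumption: a public resolver, not the internal cache
)

# 1. Get the signing config, or create a disabled 2048-bit one if none exists.
$cfg = Get-DkimSigningConfig -Identity $DomainName -ErrorAction SilentlyContinue
if (-not $cfg) {
    Write-Host "No DKIM config for $DomainName; creating a 2048-bit one (disabled until DNS is in place)."
    $cfg = New-DkimSigningConfig -DomainName $DomainName -KeySize 2048 -Enabled $false
}

# 2. The two CNAMEs that must exist at the DNS provider: name -> target.
$wanted = [ordered]@{
    "selector1._domainkey.$DomainName" = $cfg.Selector1CNAME
    "selector2._domainkey.$DomainName" = $cfg.Selector2CNAME
}
$wanted.GetEnumerator() | ForEach-Object { "{0}  CNAME  {1}" -f $_.Key, $_.Value } | Write-Host

# 3. Verify each CNAME resolves to the expected target and that the target publishes
#    a DKIM key record (v=DKIM1 ... p=<base64 public key>). A 2048-bit key is split
#    over several TXT strings, so the strings are joined before matching.
$allGood = $true
foreach ($entry in $wanted.GetEnumerator()) {
    $name = $entry.Key
    $target = $entry.Value
    $cname = Resolve-DnsName -Name $name -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        Write-Warning "$name has no CNAME record yet"; $allGood = $false; continue
    }
    if ($cname.NameHost -ne $target) {   # -ne is case-insensitive, matching DNS semantics
        Write-Warning "$name points to $($cname.NameHost), expected $target"; $allGood = $false; continue
    }
    $txt = Resolve-DnsName -Name $name -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'TXT' }
    $record = ($txt | ForEach-Object { $_.Strings -join '' }) -join ''
    if ($record -notmatch 'v=DKIM1' -or $record -notmatch 'p=[A-Za-z0-9+/=]+') {
        Write-Warning "$name does not resolve to a DKIM key record"; $allGood = $false; continue
    }
    Write-Host "OK  $name -> $target (key published)"
}

# 4. Enable only once both selectors resolve; Set-DkimSigningConfig errors otherwise.
if (-not $allGood) {
    Write-Warning "DNS not ready; fix the records above before enabling DKIM for $DomainName"
    return
}
if (-not $cfg.Enabled) {
    Set-DkimSigningConfig -Identity $DomainName -Enabled $true
    Write-Host "DKIM signing enabled for $DomainName"
}

# 5. If signing is on but either key is still 1024-bit, rotate to 2048. The new key is
#    published under the inactive selector first and switched over later, so both
#    CNAMEs must stay in place.
$cfg = Get-DkimSigningConfig -Identity $DomainName
if ($cfg.Enabled -and (($cfg.Selector1KeySize -lt 2048) -or ($cfg.Selector2KeySize -lt 2048))) {
    Write-Host "Key sizes $($cfg.Selector1KeySize)/$($cfg.Selector2KeySize); rotating to 2048-bit."
    Rotate-DkimSigningConfig -Identity $DomainName -KeySize 2048
}
```

Run it as `.\Check-Dkim.ps1 -DomainName contoso.com` (the file name is your choice). Re-running it is safe: an existing config is reused, DNS is re-checked every time, and Set-DkimSigningConfig and Rotate-DkimSigningConfig are only called when the state actually calls for them.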

Check and Validate

Confirm DKIM is enabled and working.
Remember, it's not valid until you test and check.

If you send a mail from your newly protected Microsoft Office 365 domain to Gmail, for example, once the mail arrives click the three dots next to the reply button and choose "Show original".

Along with the dates, From and To, the SPF, DKIM and DMARC status will be shown. If everything is working, DKIM will say 'PASS' with your domain next to it.

Further down in Gmail you will see the full headers of the email. The Authentication-Results header carries Google's verdict (dkim=pass), and the DKIM-Signature header shows the signing domain (d=) and selector (s=); d= should be your domain and s= should be selector1 or selector2, which together name the CNAME you published (<s>._domainkey.<d>).
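The same check done against the raw headers, for when you want to verify a batch of test messages rather than eyeball each one in Gmail. This is an added example, not code from the original post; the two headers in the here-string are constructed sample data in the shape Gmail and Exchange Online produce (the signature and hash values are placeholders, not a real capture), and Get-DkimVerdict is a hypothetical helper name.

```powershell
# Added example (not from the original post): pull the DKIM verdict and the signing
# domain/selector out of received headers. Sample headers below are constructed.
$rawHeaders = @'
Authentication-Results: mx.google.com;
       dkim=pass header.i=@contoso.com header.s=selector1 header.b=AbCdEf12;
       spf=pass (google.com: domain of alice@contoso.com designates 40.107.0.1 as permitted sender) smtp.mailfrom=alice@contoso.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=contoso.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=dGVzdA==
From: Alice <alice@contoso.com>
'@

function Get-DkimVerdict {
    param(
        [Parameter(Mandatory = $true)][string]$Headers,
        [Parameter(Mandatory = $true)][string]$ExpectedDomain
    )
    # Unfold continuation lines first (RFC 5322: a line starting with whitespace
    # continues the previous header), then split into individual headers.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $lines = $unfolded -split "`r?`n"
    $auth = $lines | Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    $sig  = $lines | Where-Object { $_ -match '^DKIM-Signature:' }         | Select-Object -First 1

    $result = [ordered]@{
        DkimResult    = 'none'    # what the receiving MTA concluded
        SignedDomain  = $null     # d= tag: domain whose key was used
        Selector      = $null     # s= tag: selector1 or selector2 for Microsoft 365
        KeyRecord     = $null     # DNS name the receiver fetched the public key from
        DomainMatches = $false    # d= is our domain, not some third-party relay's
    }
    if ($auth -match 'dkim=(\w+)') { $result.DkimResult = $Matches[1] }
    # Tags are ';'-separated; anchor on the separator so "bh=" is not mistaken for "h=" etc.
    if ($sig -match '(?:^|;)\s*d=([^;\s]+)') { $result.SignedDomain = $Matches[1] }
    if ($sig -match '(?:^|;)\s*s=([^;\s]+)') { $result.Selector     = $Matches[1] }
    if ($result.SignedDomain -and $result.Selector) {
        $result.KeyRecord = "$($result.Selector)._domainkey.$($result.SignedDomain)"
    }
    $result.DomainMatches = ($result.SignedDomain -eq $ExpectedDomain)   # case-insensitive
    [pscustomobject]$result
}

$verdict = Get-DkimVerdict -Headers $rawHeaders -ExpectedDomain 'contoso.com'
$verdict | Format-List
if ($verdict.DkimResult -ne 'pass' -or -not $verdict.DomainMatches) {
    Write-Warning "DKIM is not passing for our own domain; check $($verdict.KeyRecord) in DNS"
}
```

A pass with d= set to someone else's domain (a mailing list or a relay re-signing the mail) is not proof that your own signing works, which is why the function reports DomainMatches separately from the receiver's verdict.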

For the official documentation check out Microsoft here
https://docs.microsoft.com/en-gb/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email
