While Microsoft's instructions are a lot better than they used to be, they are still very broad, generally speaking, and full of links. They also tend to start from one fixed point; if you are coming at the issue from a different direction, or already have half a solution in place…good luck!
These are my notes on the DKIM setup, from my experience with a partial, pre-existing Microsoft Office 365 setup, recorded here for my own sanity.
Getting Started
So much of the Microsoft admin experience is now PowerShell, and in a lot of cases only PowerShell. The Microsoft help guide is overly broad, getting you connected to ALL Microsoft Office 365 services in one hit.
If you just want to connect to get DKIM sorted, you only need to connect to Exchange Online.
BUT FIRST…PowerShell
PowerShell seems to be becoming a can of worms: so many versions and dependencies that you end up working backwards before you can go forwards.
For anything useful you really need:
- Windows 10
- .NET 4.5
- PowerShell 5.1 or PowerShell Core 6+
Installation snippets
First off, you'll probably need to install “PowerShellGet” if you're a relatively new accidental email / security administrator:
https://docs.microsoft.com/en-us/powershell/scripting/gallery/installing-psget
Install-Module -Name PowerShellGet -Force
Then you'll get a warning about unsigned content not being allowed, so relax the execution policy to RemoteSigned (locally written scripts run unsigned; downloaded scripts must be signed):
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies
Set-ExecutionPolicy RemoteSigned
Now we can install the Exchange Online PowerShell V2 module (EXO v2):
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2
Install-Module -Name ExchangeOnlineManagement
Or, if you think you already have the module installed, check and update it like this:
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
Update-Module -Name ExchangeOnlineManagement
Connect to Exchange Online for accounts with MFA enabled
You DO have MFA on for ALL your administrative accounts, don't you? I wouldn't expect anything less, so that's the only connection method I'm personally detailing here.
Connect-ExchangeOnline -UserPrincipalName <emailWithAdminRights> -ShowProgress $true
After this you may be prompted for MFA, or not if your machine and account are Azure AD joined. Some module information is displayed and checked; once the prompt returns you are ready to proceed.
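The prerequisite, install and connect steps above as one script, with a check before each step. This is an added example, not from the original post; it assumes Windows PowerShell 5.1 or PowerShell 7 run as the user who will administer Exchange Online, and $AdminUpn is a placeholder for your own admin account. The execution policy change is scoped to the current user, which is the part I would want to see done explicitly: it needs no local admin rights and leaves the machine-wide policy alone.

```powershell
# Added example, not from the original post: the prerequisite, install and
# connect steps as one script, with a check before each step.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7, run as the user who will
# administer Exchange Online; $AdminUpn is a placeholder for your admin account.
$AdminUpn = 'admin@example.com'   # placeholder

# 1. PowerShell version: the module needs 5.1 or Core 6+.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    throw "PowerShell $($PSVersionTable.PSVersion) is too old; install 5.1 or PowerShell 7."
}

# 2. PowerShellGet: Windows 10 ships an old 1.0.x copy, so upgrade if below 2.0.
$psget = Get-Module -ListAvailable -Name PowerShellGet |
         Sort-Object Version -Descending | Select-Object -First 1
if (-not $psget -or $psget.Version -lt [version]'2.0') {
    Install-Module -Name PowerShellGet -Force
}

# 3. Execution policy: RemoteSigned, scoped to the current user only, so it
#    needs no local admin rights and does not loosen the machine-wide policy.
$allowed = 'RemoteSigned', 'Unrestricted', 'Bypass'
if ((Get-ExecutionPolicy -Scope CurrentUser) -notin $allowed) {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# 4. EXO v2 module: install if missing, otherwise update, then load it.
if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {
    Update-Module -Name ExchangeOnlineManagement
} else {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement
Get-Module ExchangeOnlineManagement | Select-Object Name, Version

# 5. Connect with the MFA-protected admin account (the sign-in prompt handles
#    the second factor), then confirm the DKIM cmdlets are actually available.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowProgress $true
if (-not (Get-Command Get-DkimSigningConfig -ErrorAction SilentlyContinue)) {
    throw 'Exchange Online session did not come up; DKIM cmdlets are not loaded.'
}
```

The final Get-Command check is there because Connect-ExchangeOnline loads the Exchange cmdlets into a temporary module only after a successful sign-in; if the session fails, the later DKIM commands would otherwise fail with a confusing "not recognized" error.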
Back to DKIM
To set up DKIM signing for your email you need to:
- Add two (2) DNS CNAME records at your DNS provider
- Enable DKIM on your Microsoft Office 365 domain
If you have had Microsoft Office 365 set up for a while, or just want to check what is going on before you start entering PowerShell commands into your tenant, try this:
Get-DkimSigningConfig -Identity <domainName> | Format-List
What comes back depends on the state of your setup and what you configured before, and it determines which of the following additional steps you need to take.
Values returned
If you get a list of values back, look at the “Selector<n>KeySize” values (<n> being 1 and 2) and check the Enabled value.
If not enabled, enable it first:
Set-DkimSigningConfig -Identity <domainName> -Enabled $true
Key only 1024-bit
Manually upgrade your 1024-bit keys to 2048-bit:
Rotate-DkimSigningConfig -KeySize 2048 -Identity <domainName>
No values returned
If you get nothing back, you've not been down this path before, so create the config (using the new, improved 2048-bit keys):
New-DkimSigningConfig -DomainName <domainName> -KeySize 2048 -Enabled $false
Once created, extract the CNAME values you will need to add at your DNS provider:
Get-DkimSigningConfig -Identity <domainName> | Format-List Selector1CNAME, Selector2CNAME
Then, enable the new settings and keys:
Set-DkimSigningConfig -Identity <domainName> -Enabled $true
DNS records
Finally, go to your DNS provider and add two new CNAME entries, one for selector1 and one for selector2. The selector1 record looks like this; selector2 follows the same pattern:
Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600 (1 hour)
Example: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
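The whole DKIM procedure above (check the current state, create or rotate, publish the CNAMEs, enable) as one idempotent script. This is an added example, not from the original post or Microsoft's documentation. It assumes an existing Connect-ExchangeOnline session, Resolve-DnsName from the Windows DnsClient module, and $Domain as a placeholder for your accepted domain. The part the post's sequence leaves implicit is the ordering check: it only turns signing on once both CNAMEs actually resolve to the targets Exchange Online gave you, since enabling with the records missing fails, and a record that exists but points somewhere else leaves your mail unsigned without any error on the Exchange side.

```powershell
# Added example, not from the original post: the DKIM steps as one idempotent
# script. Assumes an active Connect-ExchangeOnline session and Resolve-DnsName
# (DnsClient module, Windows). $Domain is a placeholder for your accepted domain.
$Domain = 'example.com'   # placeholder

$cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue

if (-not $cfg) {
    # "No values returned": never configured, so create with 2048-bit keys,
    # left disabled until the DNS records are in place.
    New-DkimSigningConfig -DomainName $Domain -KeySize 2048 -Enabled $false | Out-Null
    $cfg = Get-DkimSigningConfig -Identity $Domain
}
elseif ($cfg.Selector1KeySize -lt 2048 -or $cfg.Selector2KeySize -lt 2048) {
    # "Key only 1024-bit": request rotation to 2048-bit keys. The CNAME targets
    # stay the same; the new key is picked up on the next selector rotation.
    Rotate-DkimSigningConfig -KeySize 2048 -Identity $Domain
    $cfg = Get-DkimSigningConfig -Identity $Domain
}

# The two CNAME records to add at the DNS provider (host -> target).
$records = @(
    @{ Host = "selector1._domainkey.$Domain"; Target = $cfg.Selector1CNAME },
    @{ Host = "selector2._domainkey.$Domain"; Target = $cfg.Selector2CNAME }
)
$records | ForEach-Object { '{0}  CNAME  {1}' -f $_.Host, $_.Target }

# Verify each CNAME is published and points at the right target before enabling.
$allGood = $true
foreach ($r in $records) {
    $rec = Resolve-DnsName -Name $r.Host -Type CNAME -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $r.Host } |
           Select-Object -First 1
    if ($rec -and $rec.NameHost -eq $r.Target) {
        "OK       $($r.Host) -> $($rec.NameHost)"
    } else {
        "MISSING  $($r.Host) (got: '$($rec.NameHost)', want: '$($r.Target)')"
        $allGood = $false
    }
}

if ($allGood -and -not $cfg.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Enabled, Selector1KeySize, Selector2KeySize, Selector1CNAME, Selector2CNAME
}
elseif (-not $allGood) {
    'Add or fix the CNAME records listed above, wait for DNS to propagate, then re-run.'
}
```

Re-running the script after the DNS change is the intended workflow: the first run prints the records to add and stops, the second run confirms they resolve and enables signing. Resolve-DnsName may return a cached answer for a few minutes after you fix a record, which is why the comparison is against the exact targets from Get-DkimSigningConfig rather than just "a CNAME exists".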
Check and Validate
Confirm DKIM is enabled and working.
Remember, it's not valid until you test and check.
If you send a mail from your newly protected Microsoft Office 365 domain to Gmail, for example, once the mail arrives click the three dots (“More”) below the title of the email and choose “Show original”.
Along with the dates, From and To, the SPF and DKIM status will be shown. If everything is working they will say ‘PASS’.
Further down you will see the full header of the email, with more detail on DKIM in the Authentication-Results and DKIM-Signature headers.
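To make the "Show original" check repeatable, here is a small header parser, added as an example and not part of the original post. It unfolds the raw headers, pulls the SPF and DKIM verdicts out of Authentication-Results, and reads the signing domain (d=) and selector (s=) from DKIM-Signature. The header block in the script is constructed for illustration (example.com, a documentation IP address, placeholder hash and signature); paste the real headers in its place. Checking d= and s= matters as much as the PASS: a pass from a third-party d= domain, or from a selector other than selector1/selector2, means the message was signed by someone other than your Office 365 tenant.

```powershell
# Added example, not from the original post: parse the headers shown under
# Gmail's "Show original" and check the DKIM result, signing domain and selector.
# The header block below is constructed for illustration; paste real headers in.
$rawHeaders = @'
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=abc123;
       spf=pass (google.com: domain of user@example.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=user@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=BODYHASH; b=SIGNATURE
From: user@example.com
'@

function Test-DkimHeaders {
    param([string]$Headers, [string]$ExpectedDomain)

    # Unfold continuation lines (RFC 5322 folding) so each header is one line,
    # then pull out the two headers that carry the verdict and the signature.
    $lines = ($Headers -replace "`r?`n[ \t]+", ' ') -split "`r?`n"
    $auth  = ($lines | Where-Object { $_ -match '^Authentication-Results:' }) -join ' '
    $sig   = ($lines | Where-Object { $_ -match '^DKIM-Signature:' }) -join ' '

    $r = [ordered]@{}
    $r.SpfResult    = if ($auth -match 'spf=(\w+)')     { $Matches[1] } else { 'none' }
    $r.DkimResult   = if ($auth -match 'dkim=(\w+)')    { $Matches[1] } else { 'none' }
    $r.DkimDomain   = if ($sig  -match '\bd=([^;\s]+)') { $Matches[1] } else { $null }
    $r.DkimSelector = if ($sig  -match '\bs=([^;\s]+)') { $Matches[1] } else { $null }

    # A pass only counts if the verdict is pass, the d= domain is the one you
    # configured (not a third party's), and the selector is one of the two that
    # Office 365 uses. Anything else means the CNAMEs or the Enabled flag are off.
    $r.Ok = ($r.DkimResult -eq 'pass') -and
            ($r.DkimDomain -eq $ExpectedDomain) -and
            ($r.DkimSelector -in 'selector1', 'selector2')
    [pscustomobject]$r
}

Test-DkimHeaders -Headers $rawHeaders -ExpectedDomain 'example.com' | Format-List
```

With the constructed headers above, the output reports SpfResult and DkimResult as pass, DkimDomain example.com, DkimSelector selector1 and Ok True; swap in a message signed with a different d= or with dkim=fail and Ok drops to False even though SPF still passes.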
For the official documentation, check out Microsoft here:
https://docs.microsoft.com/en-gb/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email