Rotate DKIM keys in Microsoft 365
DomainKeys Identified Mail (DKIM) adds an extra layer of security to your outgoing messages. It is essential to rotate the public and private DKIM keys every few months to secure your domain. Once you rotate the DKIM keys, new public and private keys are used to sign and authenticate messages. This article shows you how to rotate DKIM keys in Exchange Admin Center and PowerShell.
Table of contents
- DomainKeys Identified Mail (DKIM)
- Rotate DKIM keys in Exchange Admin Center
- Rotate DKIM keys with PowerShell
- Check DKIM keys rotated
DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is an email authentication method that helps to prevent email spoofing and makes emails more reliable. When you configure DKIM for your domains, recipients can verify that the emails came from your organization and were not changed in transit.
Before you start, you need to have the DKIM keys configured and enabled for your domain.
Why should I rotate DKIM keys?
DKIM keys consist of private and public key pairs to authenticate mail. It is critically important to use strong keys, but it is also important to rotate DKIM keys regularly. Key rotation helps to minimize the risk of compromising private keys.
If a third party stole or deciphered your private key, they could “sign” their spam or phishing email with your valid DKIM signature. Negative data signals gathered from those spam or phishing emails then become associated with your domain, causing deliverability problems for your email.
Rotating DKIM keys renders old keys worthless, providing an extra layer of security to help you maintain good deliverability.
How frequently should I rotate DKIM keys?
Now you understand why it is important to rotate DKIM keys. The question is how often you should rotate DKIM keys for any organization. It depends on each organization’s security policy and its risk.
- Low-volume senders: If your organization receives emails from local and regional senders, you should rotate DKIM keys every six months or once a year.
- High-volume senders: If your organization receives emails from international senders frequently, you should rotate DKIM keys monthly or every three months.
- Security breach: If there is a security breach, you should rotate DKIM keys immediately.
Note: As a best practice, you should rotate DKIM keys every six months. But if you detect a security breach, you should rotate them immediately, even if you rotated them two months ago.
Rotate DKIM keys in Exchange Admin Center
To rotate DKIM keys for a domain in Exchange Online, follow the steps below.
Check DKIM status in Microsoft 365
We have to check if the DKIM keys are enabled before rotating them.
Check the DKIM status in the Microsoft 365 Defender portal:
- Sign in to the Microsoft 365 Defender portal
- Click on the menu Email & Collaboration
- Click Policies & Rules
- Click on Threat Policies
- Click on Email authentication settings
- Click on DKIM
Note: You can directly go to the DKIM page in Microsoft 365 Defender.
View and rotate DKIM keys in Microsoft 365
On the DomainKeys Identified Mail (DKIM) page, you will see your domains.
- Click on the name of your domain from the list to open the details. In our example, the domain is exoip.com
- Slide the toggle from Disabled to Enabled
- Click on Rotate DKIM keys
You can do these steps for each domain in Microsoft 365 admin center.
Rotate DKIM keys with PowerShell
To rotate DKIM keys for a domain in Exchange Online with PowerShell, follow the steps below.
Connect to Exchange Online PowerShell
First, you must connect to Exchange Online PowerShell as a global administrator.
View DKIM keys status in PowerShell
Get the DomainKeys Identified Mail (DKIM) status for domains in a cloud-based organization, including their validity.
Run the Get-DkimSigningConfig cmdlet.
Get-DkimSigningConfig "exoip.com" | fl Name,isvalid,enabled,status,selector1*,selector2*
The output looks like the example below.
PS C:\> Get-DkimSigningConfig "exoip.com" | fl Name,isvalid,enabled,status,selector1*,selector2*

Name               : exoip.com
IsValid            : True
Enabled            : True
Status             : Valid
Selector1KeySize   : 2048
Selector1CNAME     : selector1-exoip-com._domainkey.exoip365.onmicrosoft.com
Selector1PublicKey : v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAXU9fiyN7ydzclwM60wnAXU6CaPjjeM5oqMRW
                     lrKUdeakL35VTVK7vYGDCRowCm9zOYOVuuufx0Fc9edp2DNKp0tQenJOKKczAk0kh6TCJ807S/tLgqCX9epUI+RZmL1wCacEgg
                     4yVBy6y943AfmyqZXvxZHpSW7f3PN+ACVT/r/bTj2DzsFoms9L8xG+yRm21hSr10GfZdEncVx9adBDkTol0FNYZ/A5JtrIacte
                     24Axq8AxRn6eynZgVmEdcrJ69shnDmh1ViJFxiE9ADwtpKplISNhdwio530z/X6FBqEk1CE+AanPt2zJIxEsgq087hXK7Fr3/9
                     2DEXWPGDY+/QIDAQAB;
Selector2KeySize   : 2048
Selector2CNAME     : selector2-exoip-com._domainkey.exoip365.onmicrosoft.com
Selector2PublicKey : v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXmhGJWOes+j494nDUhHJNCnpMPNnkkYEllE
                     pQW2NmpB63nqUTfZ0on0z6Fo0bGhRMqfcpT0WFWRN2DWh8rxmJSFdjFVLOS1v4vhft/Q0bwNUvvUTgy0ohUhiOA2S6ILyZNWd7
                     UsU68cqOQZxWerc7uqDynb0R7FJhaQk7/VoGZjM4pzMJawAGgqILYHrGfAyCoFkwdwLuETaRqTnCDBwjjk0enmzZpwKVPl6z/G
                     4cx4KSZTDXrdf2SNoEJK9yJI0KSFsSXItT8VdRSL90ZSIxbDqsu2NvBbzWfWElXasjBJLK++LXDbQYEd/W4Hbpgfu/qC8oWtkh
                     N/I5FH9clx8QIDAQAB;
Rotate DKIM keys with PowerShell cmdlet
Run the PowerShell cmdlet below to rotate the DKIM keys for your domain.
Rotate-DkimSigningConfig -Identity "exoip.com" -KeySize "2048"
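The status check and the rotation above can be combined so that a domain is only rotated when DKIM signing is enabled and valid. The following is an added example, not code from the original article; it assumes a session already connected with Connect-ExchangeOnline, and Invoke-DkimRotation is a hypothetical helper name.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline
# has already been run. Invoke-DkimRotation is a hypothetical helper name.
function Invoke-DkimRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Domain,                          # empty = every domain in the tenant
        [ValidateSet(1024, 2048)][int]$KeySize = 2048
    )

    $configs = if ($Domain) {
        $Domain | ForEach-Object { Get-DkimSigningConfig -Identity $_ }
    } else {
        Get-DkimSigningConfig
    }

    foreach ($cfg in $configs) {
        $action = 'Skipped'
        $reason = ''
        if (-not $cfg.Enabled) {
            # Same pre-check as the portal steps: rotate only when DKIM is enabled.
            $reason = 'DKIM signing is not enabled'
        } elseif ($cfg.Status -ne 'Valid') {
            $reason = "Status is '$($cfg.Status)', expected 'Valid'"
        } elseif ($PSCmdlet.ShouldProcess($cfg.Name, "Rotate DKIM keys ($KeySize-bit)")) {
            try {
                Rotate-DkimSigningConfig -Identity $cfg.Name -KeySize $KeySize -ErrorAction Stop | Out-Null
                $action = 'Rotated'
            } catch {
                $action = 'Failed'
                $reason = $_.Exception.Message
            }
        } else {
            $reason = 'Not confirmed (-WhatIf or declined)'
        }
        # One result row per domain, including the key sizes seen before rotation.
        [pscustomobject]@{ Domain = $cfg.Name; Action = $action; Reason = $reason
            Selector1KeySize = $cfg.Selector1KeySize; Selector2KeySize = $cfg.Selector2KeySize }
    }
}

# Dry run for the article's example domain; drop -WhatIf to rotate.
Invoke-DkimRotation -Domain 'exoip.com' -WhatIf
```

Calling the function without -Domain processes every domain returned by Get-DkimSigningConfig, which is useful for spotting domains where DKIM was never enabled.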
Check DKIM keys rotated
Check if you rotated the DKIM keys in MxToolbox.
- Type your domain name
- Type selector1
- Click DKIM Lookup
The test results show that the DKIM record for selector1 is published.
Now we need to check selector 2 for the same domain.
- Change the lookup field from selector1 to selector2
- Click DKIM Lookup
The test results show that the DKIM record for selector2 is published.
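The same selector lookup can be scripted and compared against what Exchange Online reports. This is an added example, not part of the original article; it assumes Windows (Resolve-DnsName from the DnsClient module), a session connected with Connect-ExchangeOnline, and that the Selector1PublicKey and Selector2PublicKey values hold the record text DNS should serve. The function names are hypothetical.

```powershell
# Added example, not from the original article. Function names are hypothetical.

function Get-DkimTagValue {
    # Extract one tag (for example "p") from a record such as "v=DKIM1; k=rsa; p=...;"
    param([string]$Record, [string]$Tag)
    foreach ($part in ($Record -split ';')) {
        $name, $value = $part -split '=', 2      # limit 2 keeps base64 '=' padding intact
        if ($name.Trim() -eq $Tag) { return ($value -replace '\s', '') }
    }
}

function Test-DkimSelector {
    param([string]$Domain, [ValidateSet(1, 2)][int]$Selector)

    $cfg      = Get-DkimSigningConfig -Identity $Domain
    $expected = Get-DkimTagValue -Record $cfg."Selector${Selector}PublicKey" -Tag 'p'
    $target   = $cfg."Selector${Selector}CNAME"

    # Same query as the web lookup: TXT at selectorN._domainkey.<domain>.
    $answers = Resolve-DnsName -Name "selector${Selector}._domainkey.$Domain" -Type TXT `
                   -ErrorAction SilentlyContinue | Where-Object Section -eq 'Answer'
    $cname = $answers | Where-Object { $_.PSObject.Properties['NameHost'] } | Select-Object -First 1
    $txt   = $answers | Where-Object { $_.PSObject.Properties['Strings'] }  | Select-Object -First 1

    # Long TXT records are split into several strings; join them before parsing.
    $published = if ($txt) { Get-DkimTagValue -Record (-join $txt.Strings) -Tag 'p' }

    [pscustomobject]@{
        Selector     = "selector$Selector"
        Published    = [bool]$published
        # The CNAME in your zone should point at the target Exchange Online reports.
        CnameMatches = $cname -and ($cname.NameHost.TrimEnd('.') -eq $target.TrimEnd('.'))
        # The key served by DNS should equal the key Exchange Online reports.
        KeyMatches   = $published -and ($published -eq $expected)
    }
}

# Check both selectors for the article's example domain.
1, 2 | ForEach-Object { Test-DkimSelector -Domain 'exoip.com' -Selector $_ }
```

A row with Published = True but KeyMatches = False means DNS is not serving the key that Exchange Online currently reports for that selector.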
You have learned to rotate the DKIM keys in Exchange Admin Center and PowerShell. Use the PowerShell cmdlet to rotate DKIM signing policy keys for domains in Exchange Online. Lastly, you can check and verify the DKIM records in MxToolbox by typing the domain name and both selectors.