
Rotate DKIM keys in Microsoft 365

DomainKeys Identified Mail (DKIM) adds a layer of security to your outgoing messages. It is essential to rotate the public and private DKIM keys every few months to keep your domain secure. Once you rotate the DKIM keys, the new key pair is used to sign and authenticate messages. This article shows you how to rotate DKIM keys in the Exchange Admin Center and in PowerShell.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication method that helps prevent email spoofing and makes email more trustworthy. When you implement DKIM on your domains, recipients can verify that the messages came from your organization and were not altered in transit.

Before you start, you need to have the DKIM keys configured and enabled for your domain.

Why should I rotate DKIM keys?

DKIM uses a private and public key pair to authenticate mail. It is critically important to use strong keys, but it is also important to rotate DKIM keys regularly. Key rotation helps to minimize the impact of a compromised private key.

If a third party stole or deciphered your private key, they could “sign” their spam or phishing email with your valid DKIM signature. Negative reputation signals gathered from those spam or phishing emails then become associated with your domain, causing deliverability problems for your email.

Rotating DKIM keys renders old keys worthless, providing an extra layer of security to help you maintain good deliverability.

How frequently should I rotate DKIM keys?

Now you understand why it is important to rotate DKIM keys. The question is how often an organization should rotate them. It depends on each organization’s security policy and its risk profile.

  • Low-volume senders: If your organization receives emails from local and regional senders, you should rotate DKIM keys every six months or once a year.
  • High-volume senders: If your organization receives emails from international senders frequently, you should rotate DKIM keys monthly or every three months.
  • Security breach: If there is a security breach, you should rotate DKIM keys immediately.

Note: For best practices, you should rotate DKIM keys every six months. But if you detect a security system breach, you should change it instantly, even if you rotated it two months ago.

Rotate DKIM keys in Exchange Admin Center

To rotate DKIM keys for a domain in Exchange Online, follow the steps below.

Check DKIM status in Microsoft 365

Before rotating, check that DKIM signing is enabled for the domain.

Check the DKIM status in Microsoft 365 portal:

  1. Sign in to the Microsoft 365 Defender portal
  2. Click on the menu Email & Collaboration
  3. Click Policies & Rules
  4. Click on Threat Policies
  5. Click on Email authentication settings
  6. Click on DKIM

Note: You can directly go to the DKIM page in Microsoft 365 Defender.

View and rotate DKIM keys in Microsoft 365

On the DomainKeys Identified Mail (DKIM) page, you will see your domains.

  1. Click on the name of your domain from the list to open the details. In our example, the domain is exoip.com
  2. Slide the toggle from Disabled to Enabled
  3. Click on Rotate DKIM keys

You can do these steps for each domain in Microsoft 365 admin center.


Rotate DKIM keys with PowerShell

To rotate DKIM keys for a domain in Exchange Online with PowerShell, follow the steps below.

Connect to Exchange Online PowerShell

First, you must connect to Exchange Online PowerShell as a global administrator.

View DKIM keys status in PowerShell

Get the DomainKeys Identified Mail (DKIM) status for domains in a cloud-based organization, including their validity.

Run the Get-DkimSigningConfig cmdlet.

Get-DkimSigningConfig "exoip.com" | fl Name,isvalid,enabled,status,selector1*,selector2*

The output looks like the example below.

PS C:\> Get-DkimSigningConfig "exoip.com" | fl Name,isvalid,enabled,status,selector1*,selector2*
Name               : exoip.com
IsValid            : True
Enabled            : True
Status             : Valid
Selector1KeySize   : 2048
Selector1CNAME     : selector1-exoip-com._domainkey.exoip365.onmicrosoft.com
Selector1PublicKey : v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAXU9fiyN7ydzclwM60wnAXU6CaPjjeM5oqMRW
                     lrKUdeakL35VTVK7vYGDCRowCm9zOYOVuuufx0Fc9edp2DNKp0tQenJOKKczAk0kh6TCJ807S/tLgqCX9epUI+RZmL1wCacEgg
                     4yVBy6y943AfmyqZXvxZHpSW7f3PN+ACVT/r/bTj2DzsFoms9L8xG+yRm21hSr10GfZdEncVx9adBDkTol0FNYZ/A5JtrIacte
                     24Axq8AxRn6eynZgVmEdcrJ69shnDmh1ViJFxiE9ADwtpKplISNhdwio530z/X6FBqEk1CE+AanPt2zJIxEsgq087hXK7Fr3/9
                     2DEXWPGDY+/QIDAQAB;
Selector2KeySize   : 2048
Selector2CNAME     : selector2-exoip-com._domainkey.exoip365.onmicrosoft.com
Selector2PublicKey : v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXmhGJWOes+j494nDUhHJNCnpMPNnkkYEllE
                     pQW2NmpB63nqUTfZ0on0z6Fo0bGhRMqfcpT0WFWRN2DWh8rxmJSFdjFVLOS1v4vhft/Q0bwNUvvUTgy0ohUhiOA2S6ILyZNWd7
                     UsU68cqOQZxWerc7uqDynb0R7FJhaQk7/VoGZjM4pzMJawAGgqILYHrGfAyCoFkwdwLuETaRqTnCDBwjjk0enmzZpwKVPl6z/G
                     4cx4KSZTDXrdf2SNoEJK9yJI0KSFsSXItT8VdRSL90ZSIxbDqsu2NvBbzWfWElXasjBJLK++LXDbQYEd/W4Hbpgfu/qC8oWtkh
                     N/I5FH9clx8QIDAQAB;

Rotate DKIM keys with PowerShell cmdlet

Run the PowerShell cmdlet below to rotate the DKIM keys for your domain.

Rotate-DkimSigningConfig -Identity "exoip.com" -KeySize "2048"

Check DKIM keys rotated

Verify that the rotated DKIM keys are published, using MxToolbox.

  1. Type your domain name
  2. Type selector1
  3. Click DKIM Lookup

The test results show that the DKIM record for selector1 is published.

Now we need to check selector 2 for the same domain.

  1. Change the lookup field from selector1 to selector2
  2. Click DKIM Lookup

The test results show that the DKIM record for selector2 is published.
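The status check from the PowerShell section and the selector lookup above, combined into one script. This is an added example, not code from the original article: it assumes an existing Connect-ExchangeOnline session, the Windows DnsClient module for Resolve-DnsName, and a placeholder domain name, and it compares the key Exchange Online signs with against the key actually published in DNS for both selectors.

```powershell
# Added example: verify that both DKIM selectors of a domain are published in DNS
# and match the keys Exchange Online reports. Assumes Connect-ExchangeOnline has
# already been run and Resolve-DnsName (DnsClient module) is available.
param(
    [string]$Domain = "example.com"   # placeholder: replace with your own domain
)

function Get-DkimPublicKeyTag([string]$Record) {
    # Return the p= value of a DKIM TXT record with whitespace/line folds removed.
    $tag = $Record -split ';' | ForEach-Object { $_.Trim() } |
           Where-Object { $_ -like 'p=*' } | Select-Object -First 1
    return ($tag -replace '^p=', '') -replace '\s', ''
}

$cfg = Get-DkimSigningConfig -Identity $Domain
if (-not $cfg.Enabled -or -not $cfg.IsValid) {
    throw "DKIM is not enabled/valid for $Domain (Status: $($cfg.Status)); enable it before rotating."
}

foreach ($n in 1, 2) {
    $selectorHost  = "selector$n._domainkey.$Domain"
    $expectedCname = $cfg."Selector${n}CNAME"
    $expectedKey   = Get-DkimPublicKeyTag $cfg."Selector${n}PublicKey"

    # 1. Your CNAME must point at the Microsoft-hosted record for this selector.
    $cname = (Resolve-DnsName -Name $selectorHost -Type CNAME -ErrorAction Stop |
              Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    if ($cname -ne $expectedCname) {
        Write-Warning "$selectorHost -> '$cname' (expected '$expectedCname')"
        continue
    }

    # 2. The TXT record behind that CNAME must carry the same key (TXT strings
    #    longer than 255 bytes come back as several chunks, so join them).
    $txt = Resolve-DnsName -Name $expectedCname -Type TXT -ErrorAction Stop |
           Where-Object { ($_.Strings -join '') -like 'v=DKIM1*' } |
           Select-Object -First 1
    $published = Get-DkimPublicKeyTag ($txt.Strings -join '')

    if ($published -eq $expectedKey) {
        "selector${n}: published key matches Exchange Online ($($cfg."Selector${n}KeySize")-bit)"
    } else {
        Write-Warning "selector${n}: DNS key differs from Exchange Online; rotation may not have propagated yet"
    }
}
```

Run it once before Rotate-DkimSigningConfig to confirm the baseline and again afterwards; a warning on one selector right after rotation is expected until Microsoft publishes the new key for it.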


That’s it!


Conclusion

You have learned to rotate the DKIM keys in Exchange Admin Center and PowerShell. Use the PowerShell cmdlet to rotate DKIM signing policy keys for domains in Exchange Online. Lastly, you can check and verify the DKIM records in MxToolbox by typing the domain name and both selectors.


o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

  1. How often can you rotate DKIM keys? We’ve been finding selector2 just stops signing and you have to rotate in order to fix it. But then you don’t have an option to rotate keys again, at least not for some time.
