Alanjmcf, Brass Contributor
Jan 21, 2020
DKIM selector1 record missing at 365
Anyone else seeing DNS failures resolving the selector1 TXT record supplied by EXO for each domain? selector2 is fine. I'm seeing that across my fleet of customer tenants.
PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type cname -Name selector1._domainkey.XXundeesen.org | fl
Name : selector1._domainkey.XXundeesen.org
Type : CNAME
TTL : 14371
Section : Answer
NameHost : selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com
PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type TXT -Name selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com
Resolve-DnsName : selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName -Type TXT -Name selector1-XXndeesen-org._domainkey.DS ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (selector1-dunde...onmicrosoft.com:String) [Resolve-DnsName], Win32
Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName
PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type TXT -Name selector2-XXndeesen-org._domainkey.XSEN.onmicrosoft.com |Fl
Name : selector2-XXndeesen-org._domainkey.XSEN.onmicrosoft.com
Type : TXT
TTL : 3594
Strings : {v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWc7LSbVYlbIU5iacAKqoglZISad9rZBna+O8rc9j5iOMyzvgGuoEtFx8MXyuq2nVQXkVWgjPxbOB4Ov3FYaFDPTJtP4Gc9PcAc+ncu0UTfGgsVlcAU5ahISHr+0xKLJ7EzNtTxvjTeeQV5CtndtAMSfFCMixHzfIn0sRgv1tnlQIDAQAB;}
Domain names slightly modified for privacy!
- MantisTobogganMD, Copper Contributor
Any updates on this issue? I've had this same issue for several months now. I haven't tried rotating yet.
- Pascal Wenders, Brass Contributor
MantisTobogganMD
After rotating, we had no issues again.
- Pascal Wenders, Brass Contributor
I've also created a support case.
- Pascal Wenders, Brass Contributor
From O365 support I got the following reaction:
As discussed over the call, only 1 selector will be visible globally since one selector works at a time to digitally sign the email. It is the new update from Microsoft that the selector which is active to encrypt the header of the email will be visible globally as public key of that selector only will be available globally on DNS.
But the rotation was not ready after 12 hours, so DKIM was not ok.
So I followed the option to reinsert the TXT keys with
Set-DkimSigningConfig -PublishTxtRecords -Identity %domainname%
And both the selector keys are in the DNS.
- Pascal Wenders, Brass Contributor
In addition, what works is that you do a rotate.
I've seen that when doing a rotate first, the keys were available faster than without a rotate:
Rotate-DkimSigningConfig -Identity %domainname%
- Pascal Wenders, Brass Contributor
Same problem, selector1 no longer exists in the DNS of onmicrosoft.com.
So I've made a switch over. I think something has gone wrong on the DNS of onmicrosoft.com.
I hope that DMARC now shows aligned DKIM.
- BenInPdx, Copper Contributor
Exact same issue here. Microsoft hosed my selector1 but selector2 was fine. I was also able to fix it with Set-DkimSigningConfig -Identity <mydomain.com> -PublishTxtRecords
I then ran the Dmarcian DKIM inspector on selector1 and it's working again. I was getting a "missing data" error before I fixed it.
Thanks to this thread!
- Pierfish, Microsoft
- Alanjmcf, Brass Contributor
I didn't mention that I've changed nothing and this has suddenly affected twenty tenants in the last week (or thereabouts).
That seems set already as I'd expect. (Doesn't appear in Get-'s output.)
PS C:\Users\AlanMcFarlane\Documents\Temp> set-DkimSigningConfig -Identity XXndeesen.org -PublishTxtRecords
WARNING: The command completed successfully but no settings of 'XXndeesen.org' have been modified.
I'm seeing the same behavior, and yeah haven't changed a thing here either. Best open a support case, I will ping a few folks just as well.
For the record, I fixed it by running:
Rotate-DkimSigningConfig -Identity domain.com
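
The manual check from the opening post (resolve the selector CNAME, then the TXT record at its onmicrosoft.com target), run for both selectors across a list of domains, as an added example that is not part of the thread. The function names `Get-DkimRecordStatus` and `Test-DkimSelector` are hypothetical, and the domains in `$domains` and the two sample records at the end are constructed placeholders.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Get-DkimRecordStatus {
    # Classify the text of a DKIM key record (tag=value pairs separated by ';').
    param([string]$Record)
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $k, $v = $pair -split '=', 2          # limit to 2 parts: base64 in p= may end with '='
        if ($k -and $k.Trim()) { $tags[$k.Trim()] = "$v".Trim() }
    }
    if ($tags.ContainsKey('v') -and $tags['v'] -cne 'DKIM1') { return 'Not a DKIM1 record' }
    if (-not $tags.ContainsKey('p')) { return 'No p= tag' }
    if ($tags['p'] -eq '')           { return 'Key revoked (empty p=)' }
    return 'OK'
}

function Test-DkimSelector {
    # Follow <selector>._domainkey.<domain> CNAME -> TXT, as done by hand in the thread.
    param([string]$Domain, [string]$Selector)
    $out = [ordered]@{ Domain = $Domain; Selector = $Selector; Target = $null; Status = $null }

    $cname = Resolve-DnsName -Name "${Selector}._domainkey.${Domain}" -Type CNAME -DnsOnly `
                 -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { $out.Status = 'CNAME missing'; return [pscustomobject]$out }
    $out.Target = $cname.NameHost

    # This is the lookup that returned "DNS name does not exist" for selector1.
    $txt = Resolve-DnsName -Name $cname.NameHost -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | Select-Object -First 1
    if (-not $txt) { $out.Status = 'TXT missing at CNAME target' }
    else           { $out.Status = Get-DkimRecordStatus (-join $txt.Strings) }
    return [pscustomobject]$out
}

# Placeholder domains: replace with the custom domains of the tenants to audit.
$domains = 'example.org', 'example.net'
$report = foreach ($d in $domains) {
    foreach ($s in 'selector1', 'selector2') { Test-DkimSelector -Domain $d -Selector $s }
}
$report | Format-Table -AutoSize

# Constructed sample records that exercise the parser without any DNS lookup.
Get-DkimRecordStatus 'v=DKIM1; k=rsa; p=QUJD;'
Get-DkimRecordStatus 'v=DKIM1; k=rsa; p='
```

A failed or timed-out lookup is reported the same way as a missing record, so re-run against a second resolver before treating a single "missing" row as confirmed.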