Alanjmcf
Brass Contributor
Jan 21, 2020

DKIM selector1 record missing at 365

Anyone else seeing DNS failures resolving the selector1 TXT record supplied by EXO for each domain? selector2 is fine. I'm seeing that across my fleet of customer tenants.

PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type cname -Name selector1._domainkey.XXundeesen.org | fl

Name     : selector1._domainkey.XXundeesen.org
Type     : CNAME
TTL      : 14371
Section  : Answer
NameHost : selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com


PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type TXT -Name selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com
Resolve-DnsName : selector1-XXundeesen-org._domainkey.Xsen.onmicrosoft.com : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName -Type TXT -Name selector1-XXndeesen-org._domainkey.DS ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (selector1-dunde...onmicrosoft.com:String) [Resolve-DnsName], Win32
   Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName


PS C:\Users\AlanMcFarlane\Documents\Temp> Resolve-DnsName -Type TXT -Name selector2-XXndeesen-org._domainkey.XSEN.onmicrosoft.com |Fl

Name    : selector2-XXndeesen-org._domainkey.XSEN.onmicrosoft.com
Type    : TXT
TTL     : 3594
Strings : {v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWc7LSbVYlbIU5iacAKqoglZISad9rZBna+O8rc9j5iOMyzvgGuoEtFx8MXyuq2nVQXkVWgjPxbOB4Ov3FYaFDPTJtP4Gc9PcAc+ncu0UTfGgsVlcAU5ahISHr+0xKLJ7EzNtTxvjTeeQV5CtndtAMSfFCMixHzfIn0sRgv1tnlQIDAQAB;}

 

 

 

Domain names slightly modified for privacy!
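
Added example, not part of the original post: the two-step check shown above (CNAME in the customer zone, then TXT at its target) wrapped so it can be run for both selectors across a list of domains. Test-DkimSelector is a hypothetical helper name and the domains are constructed placeholders.

```powershell
function Test-DkimSelector {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet('selector1', 'selector2')][string]$Selector = 'selector1'
    )
    $name = '{0}._domainkey.{1}' -f $Selector, $Domain
    $row  = [ordered]@{ Domain = $Domain; Selector = $Selector; Target = $null; Status = $null; KeyChars = 0 }
    # Step 1: the customer-zone CNAME that should point into onmicrosoft.com.
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        $row.Status = 'CNAME lookup failed: ' + $_.Exception.Message
        return [pscustomobject]$row
    }
    if (-not $cname) {
        $row.Status = 'No CNAME published'
        return [pscustomobject]$row
    }
    $row.Target = $cname.NameHost
    # Step 2: the TXT record at the CNAME target (the lookup that fails in the post).
    try {
        $txt = Resolve-DnsName -Name $cname.NameHost -Type TXT -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' }
    } catch {
        $row.Status = 'TXT missing at target: ' + $_.Exception.Message
        return [pscustomobject]$row
    }
    # TXT data may arrive as several strings; join them before parsing.
    $dkim = $txt | ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -match 'v=DKIM1' } | Select-Object -First 1
    if (-not $dkim) {
        $row.Status = 'No v=DKIM1 TXT record at target'
    } elseif ($dkim -match 'p=([A-Za-z0-9+/=]+)') {
        $row.KeyChars = $Matches[1].Length   # length of the base64 public key
        $row.Status   = 'OK'
    } else {
        $row.Status = 'Record present but p= is empty'
    }
    [pscustomobject]$row
}

# Constructed sample domains; replace with the custom domains of your tenants.
'example.org', 'example.net' | ForEach-Object {
    $d = $_
    'selector1', 'selector2' | ForEach-Object { Test-DkimSelector -Domain $d -Selector $_ }
} | Format-Table -AutoSize
```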

  • Any updates on this issue?  I've had this same issue for several months now.  I haven't tried rotating yet.

    • Pascal Wenders
      Brass Contributor

      From O365 support I got the following reaction:

      As discussed over the call, only 1 selector will be visible globally since one selector works at a time to digitally sign the email. It is the new update from Microsoft that the selector which is active to encrypt the header of the email will be visible globally as public key of that selector only will be available globally on DNS.

      But the rotation was not ready after 12 hours, so DKIM was not ok.
      So I followed the option to reinsert the TXT keys with

      Set-DkimSigningConfig -PublishTxtRecords -Identity %domainname%

      And both selector keys are in the DNS.
      • Pascal Wenders
        Brass Contributor

        What additionally works is doing a rotate.
        I've seen that when doing a rotate first, the keys were available faster than without a rotate.

        Rotate-DkimSigningConfig -Identity %domainname%

  • Same problem, selector1 no longer exists in the DNS of onmicrosoft.com.
    So I've made a switch over. I think something has gone wrong on the DNS of onmicrosoft.com.
    I hope that DMARC now shows aligned DKIM.
  • BenInPdx
    Copper Contributor

    Alanjmcf 

    Exact same issue here. Microsoft hosed my selector1 but selector2 was fine. I was also able to fix it with Set-DkimSigningConfig -Identity <mydomain.com> -PublishTxtRecords

    I then ran the Dmarcian DKIM Inspector on selector1 and it's working again. I was getting a "missing data" error before I fixed it.

     

    Thanks to this thread!

    • Alanjmcf
      Brass Contributor

      Pierfish 

      I didn't mention that I've changed nothing and this has suddenly affected twenty tenants in the last week (or thereabouts).

       

      That seems set already as I'd expect. (Doesn't appear in Get-'s output.)

      PS C:\Users\AlanMcFarlane\Documents\Temp> set-DkimSigningConfig -Identity XXndeesen.org -PublishTxtRecords
      WARNING: The command completed successfully but no settings of 'XXndeesen.org' have been modified.

       

      • I'm seeing the same behavior, and yeah, I haven't changed a thing here either. Best open a support case; I will ping a few folks as well.

         

        For the record, I fixed it by running:

         

        Rotate-DkimSigningConfig -Identity domain.com
