Alanjmcf
Jan 21, 2020, Brass Contributor
DKIM selector1 record missing at 365
Anyone else seeing DNS failures resolving the selector1 TXT record supplied by EXO for each domain? selector2 is fine. I'm seeing that across my fleet of customer tenants. @@PS C:\Users\A...
Pascal Wenders
May 13, 2020, Brass Contributor
I've also created a support case.
- Pascal Wenders, May 14, 2020, Brass Contributor
From O365 support I got the following reaction:
As discussed over the call, only 1 selector will be visible globally since one selector works at a time to digitally sign the email. It is the new update from Microsoft that the selector which is active to encrypt the header of the email will be visible globally as public key of that selector only will be available globally on DNS.
But the rotation was not ready after 12 hours, so DKIM was not ok.
So I followed the option to reinsert the TXT keys with
Set-DkimSigningConfig -PublishTxtRecords -Identity %domainname%
And both the selector keys are in the DNS.
- Pascal Wenders, May 14, 2020, Brass Contributor
An additional thing that works is to do a rotate.
I've seen that when doing a rotate first, the keys were available faster than without a rotate:
Rotate-DkimSigningConfig -Identity %domainname%
- Alanjmcf, May 14, 2020, Brass Contributor
I’m guessing this is normal intentional behaviour now, i.e. after a key rotation (and after sufficient time for emails using the old key to be delivered), they remove the old key, and don’t bring a new key back to that selector until the next key rotation.
I can’t see any issues that creates for email delivery — a bit annoying for diagnostics tools though!
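
Added example, not part of any post in this thread: a monitoring check in Python that follows the behaviour described above, raising a failure only when the selector named in a message's DKIM-Signature `s=` tag does not resolve to a usable key. The header, the DNS answers, example.com and all function names are constructed for illustration; the DNS dictionary stands in for the TXT answer obtained after following the selector CNAME.

```python
import re

# Constructed DNS answers (not from the thread): selector1 is absent,
# selector2 resolves to a TXT record with a (truncated, fake) public key.
SAMPLE_DNS = {
    "selector2._domainkey.example.com":
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}

# Constructed DKIM-Signature header with folded lines, signed by selector2.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=example.com; s=selector2;\r\n"
    " h=From:Date:Subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ="
)

def parse_tags(value):
    """Parse an RFC 6376 tag=value list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def selector_state(dns, selector, domain):
    """Return 'published', 'revoked' (empty p=) or 'missing'."""
    txt = dns.get(f"{selector}._domainkey.{domain}")
    if txt is None:
        return "missing"
    return "published" if parse_tags(txt).get("p") else "revoked"

def check(header, dns, selectors=("selector1", "selector2")):
    """Only the selector named in s= must resolve; the other is informational."""
    sig = parse_tags(header.split(":", 1)[1])
    domain, active = sig["d"], sig["s"]
    report = {}
    for sel in selectors:
        state = selector_state(dns, sel, domain)
        if sel == active:
            report[sel] = "ok" if state == "published" else "FAIL: signing key " + state
        else:
            report[sel] = "info: standby selector " + state
    return report

if __name__ == "__main__":
    for sel, result in check(SAMPLE_HEADER, SAMPLE_DNS).items():
        print(sel, "->", result)
```

Feeding the check a header from a recently delivered message keeps the alert tied to the key actually in use, so a missing standby selector shows up as information rather than as a failure.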