Forum Discussion

Alanjmcf's avatar
Alanjmcf
Brass Contributor
Jan 21, 2020

DKIM selector1 record missing at 365

Anyone else seeing DNS failures resolving the selector1 TXT record supplied by EXO for each domain?  selector2 is fine. I'm seeing that across my fleet of customer tenants.       @@PS C:\Users\A...
exchange online
office 365
Pascal Wenders's avatar
Pascal Wenders
Brass Contributor
May 13, 2020
I've created also a support case
Pascal Wenders's avatar
Pascal Wenders
Brass Contributor
May 14, 2020

From O365 support I got the following reaction:

As discussed over the call, only 1 selector will be visible globally since one selector works at a time to digitally sign the email. It is the new update from Microsoft that the selector which is active to encrypt the header of the email will be visible globally as public key of that selector only will be available globally on DNS.

But the rotation was not ready after 12 hours, so DKIM was not ok.
So I had followed the option to reinsert the TXT key's with
 
Set-DkimSigningConfig -PublishTxtRecords -Identity %domainname%
 
And both the selector key's are in the DNS.
  • Pascal Wenders's avatar
    Pascal Wenders
    Brass Contributor
    May 14, 2020

    Additional to work is that you do a rotate. 
    I've seen that making first a rotate, the key's where faster available than without a rotate

    Rotate-DkimSigningConfig -Identity %domainname%

    • Alanjmcf's avatar
      Alanjmcf
      Brass Contributor
      May 14, 2020

      I’m guessing this is normal intentional behaviour now ie: after a key rotation (and after sufficient time for emails using the old key to be delivered), they remove the old key, and don’t bring a new key back to that selector until the next key rotation.

       

      I can’t see any issues that creates for email delivery — a bit annoying for diagnostics tools though!

      • Pascal Wenders's avatar
        Pascal Wenders
        Brass Contributor
        May 15, 2020

        Alanjmcf The strange is that from halve the domains the seclector1 was not available in de DNS from Microsoft office 365. But there was no switchover for this domains inplace.
        Only when you make a switch over and reinserting the DKIM key's into de DNS from Microsoft Office 365 it works again, and DMARC gives a valid DKIM signature when sending e-mail.
        More domains, not only the one of us, has this problem I think there has been an incident.
        When dkimconfig of office 365 says, use Selector1 and the key is not available, then I think there was an issue on microsoft side.
        But our dkim issue has been solved after switching command and reinserting the key's into the Office 365 DNS.
        I don't know that for every one is this the solution.

        To know in the future that the dkim records are away, I have scheduled a powershell script that check every day the presents off this records. Because no good working dkim can impact the delivery of mails

         

Resources