Forum Discussion

Alanjmcf's avatar
Alanjmcf
Brass Contributor
Jan 21, 2020

DKIM selector1 record missing at 365

Anyone else seeing DNS failures resolving the selector1 TXT record supplied by EXO for each domain?  selector2 is fine. I'm seeing that across my fleet of customer tenants.       @@PS C:\Users\A...
exchange online
office 365
Alanjmcf's avatar
Alanjmcf
Brass Contributor

I’m guessing this is normal intentional behaviour now ie: after a key rotation (and after sufficient time for emails using the old key to be delivered), they remove the old key, and don’t bring a new key back to that selector until the next key rotation.

 

I can’t see any issues that creates for email delivery — a bit annoying for diagnostics tools though!

Pascal Wenders's avatar
Pascal Wenders
Brass Contributor
May 15, 2020

Alanjmcf The strange is that from halve the domains the seclector1 was not available in de DNS from Microsoft office 365. But there was no switchover for this domains inplace.
Only when you make a switch over and reinserting the DKIM key's into de DNS from Microsoft Office 365 it works again, and DMARC gives a valid DKIM signature when sending e-mail.
More domains, not only the one of us, has this problem I think there has been an incident.
When dkimconfig of office 365 says, use Selector1 and the key is not available, then I think there was an issue on microsoft side.
But our dkim issue has been solved after switching command and reinserting the key's into the Office 365 DNS.
I don't know that for every one is this the solution.

To know in the future that the dkim records are away, I have scheduled a powershell script that check every day the presents off this records. Because no good working dkim can impact the delivery of mails

 

  • Omayaki's avatar
    Omayaki
    Copper Contributor
    May 28, 2020

    Pascal Wenders 

    Could you please share the PowerShell scripts to check every day the presents off this records. I am having same issue.

    • Pascal Wenders's avatar
      Pascal Wenders
      Brass Contributor
      Aug 03, 2020

      Omayaki  It is straight true, for us it works.

      $mailfrom = "#####@####.###"
      $mailto = "#####@####.###"
      $subject = "DKIM text record check for domain "
      $body = "Selector"
      $body2 = "is empty"
      $domain = ""
      $extdomain = ""
      $microsoft365 = ""
      $space = " "
      $dot = "."


      $domain = "<domainname without extension, example microsoft"
      $extdomain = "com"
      $microsoft365 = "<domainname>.onmicrosoft.com"

       

      $selector_nr = 1
      $nslookup = nslookup -type=txt selector$selector_nr-$domain-$extdomain._domainkey.$microsoft365
      $subjectmail = "$subject $domain.$extdomain"
      $bodymail = "$body$selector_nr $body2
      Please perform the procedure to correctly set the selector records for this domain"
      If ($nslookup.count -lt 4) { Send-MailMessage -From $mailfrom -to $mailto -SmtpServer <mailserver> -Body $bodymail -Subject $subjectmail }

       

      $selector_nr = 2
      $nslookup = nslookup -type=txt selector$selector_nr-$domain-$extdomain._domainkey.$microsoft365
      $subjectmail = "$subject $domain.$extdomain"
      $bodymail = "$body$selector_nr $body2
      Please perform the procedure to correctly set the selector records for this domain"
      If ($nslookup.count -lt 4) { Send-MailMessage -From $mailfrom -to $mailto -SmtpServer <mailserver> -Body $bodymail -Subject $subjectmail }

       

Resources