DKIM Key Rotation now results in invalid DKIM signature

Copper Contributor

Hi,

 

In office 365 exchange admin center, DKIM, I clicked to Rotate the DKIM keys.

The status for my domain now says "Rotating keys for this domain and signing DKIM signatures."

 

I was in the belief that Microsoft designed this process to be non-intrusive, by having two selectors.

 

However, for me it doesn't work non-intrusive at all. Since I requested dkim key rotation all our outgoing emails result in an error at receiving domains, saying the DKIM signature of the email is invalid. I've checked the headers, and indeed our outgoing emails now refer to selector2 instead of selector1.

 

1) how long does it take before the status changes from "rotating keys" back to "Signing DKIM signatures for this domain."? It's been like this already for a few hours.

 

2) how is it possible that rotating keys all of a sudden invalidates the signature?

 

3) how can I rotate back to selector1 as apparently this was a working situation versus selector2 resulting in invalid signatures?

 

Thank you,

Patrick

 

2 Replies

@patrickcoom Hello Patrick, I'm on the run so just gonna attach this link in case you haven't seen it. It should at least shed some light on the process https://docs.microsoft.com/sv-se/microsoft-365/security/office-365-security/use-dkim-to-validate-out...

 

I assume your not using any custom domains. Typically Microsoft automatically rotates your DKIM keys. Did you upgrade to 2048? By the way, it's very common with DNS misconfiguration.