If you are not yet familiar with what DKIM is all about but are still interested, I suggest you first read "Use DKIM to validate outbound email sent from your custom domain in Office 365". If you are looking for detailed instructions on how to enable DKIM in Office 365, continue reading.
Prerequisites
- Windows PowerShell
- PowerShell script Validate-DkimConfig.ps1 (download from here)
- Access to Exchange Online through PowerShell
- Access to DNS
Update 23.3.2020: The above link to the script is no longer working, so you can get the script from here instead: https://gist.github.com/alexverboon/cbe8c6964b5af01bfb3f43dd605acee4
Connect to Exchange Online
First we connect to Exchange Online using PowerShell:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
MFA Enabled?
If you have multi-factor authentication enabled, make sure you follow these instructions to connect to Exchange Online. Once you have installed the MFA-enabled module, run the command below, and once it has loaded, run Connect-EXOPSSession.
# Locate the CreateExoPSSession.ps1 script that the MFA-enabled module installed under the user profile
$CreateEXOPSSession = (Get-ChildItem -Path $env:userprofile -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue -Force | Select -Last 1).DirectoryName
# Dot-source it so its functions (including Connect-EXOPSSession) are loaded into the current session
. "$CreateEXOPSSession\CreateExoPSSession.ps1"
If all went fine, you should see something like this:
Check current DKIM configuration status
Run the following command to see the current DKIM configuration:
Get-DkimSigningConfig
As we can see, DKIM is not enabled for Verboon.online.
Gather required settings for DNS
To enable DKIM we must add two CNAME records to DNS. We use the Validate-DkimConfig function from the script to give us the detailed information we must set in DNS.
Load the functions included in Validate-DkimConfig.ps1 by dot-sourcing the script, then run Validate-DkimConfig as shown below.
PS C:\temp> . .\Validate-DkimConfig.ps1
PS C:\temp> validate-dkimconfig -domain verboon.online
You should get output like the example below.
The important information is displayed at the very end, with fairly clear instructions.
Registering DKIM in DNS
I host my DNS in Azure, so I am going to add the CNAMEs there.
Then run the following command again:
PS C:\temp> validate-dkimconfig -domain verboon.online
If the DNS records are active, you should see the following output.
Enable DKIM
Now that we have the DNS records published, we can enable DKIM. This is done by running the following commands:
New-DkimSigningConfig -DomainName Verboon.online -Enabled $true
Get-DkimSigningConfig
And finally, we run the following command again to validate that everything is configured correctly:
PS C:\temp> validate-dkimconfig -domain verboon.online
Hello, this is a great article, but the link to Validate-DkimConfig.ps1 is not working. I get a 404 error (not found).
Hi Leo, not sure what happened with the original link to GitHub, but I have added the script into my GitHub gist here: https://gist.github.com/alexverboon/cbe8c6964b5af01bfb3f43dd605acee4
I am having issues with getting this right. The instructions are pretty clear as you have stated but my results are not.
Are you available at all for assisting with my errors?
Can I post screenshots here?
Sorry for the late reply, were you able to get it working?
Wow, great job Alex and thanks! This helped us a lot with some scenarios we were testing.
It is tough to self-check the DKIM config in a concise way and see if everything’s really right. When we stumbled upon your article and script, it really helped us a lot to achieve this for some scenarios we were testing.
We would like to point out one specific, subtle thing about the script that readers testing this script nowadays may really find helpful.
One small tip for anyone who might have noticed this. Microsoft is using 2048 bit keys now.
This script as-is might give false-negatives in terms of key mismatches.
Pay close attention readers – even if your keys match, the script as-is will continue to say they don’t match, even if they obviously match. Why is this?
Well here’s why.
We solved this ourselves and we liked the result.
Just a few lines in the original PowerShell script should be changed and then it will work correctly and stop the false negative.
Here is an example of a line which may cut off 2048 bit keys in the original script:
$txt1Dns.Strings[0].Trim()
Here’s what we changed the line to, in order to make it work for us:
[system.String]::Join("", $txt1Dns.Strings.Trim()).Trim()
Yeah, maybe you can have less trims than we have – but the point is the same – it helped us when we made those small changes to the script.
There’s more than this line, you have to change all lines that are somewhat similar to this line and carefully replace appropriately with the right equivalent based on the example given above. We leave it up to readers to figure out the rest themselves. Alex, if you would like we can provide you with the full modified script we used that should be free of all false negatives, but we’ll leave it out of this comment for now.
Also, this guide, as written, assumes a lot of pre-existing expertise. So readers, if you didn't get it to work for your specific use cases, note that it may not be the fault of this guide.
This guide, in our opinion at least, is really well written. Thanks again Alex for posting this guide!
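The following PowerShell is an added example, not part of the original post or of the Validate-DkimConfig.ps1 script. It does the DNS side of the "Gather required settings for DNS" check from the post (both selector CNAMEs against the targets Office 365 expects) and joins every TXT string before reading the key, which avoids the 2048-bit false negative described in the comment above. It assumes Resolve-DnsName (DnsClient module) is available; the tenant initial domain contoso.onmicrosoft.com is a placeholder.

```powershell
# Added example (not from the original post or Validate-DkimConfig.ps1).
# The expected CNAME targets can also be read from an open Exchange Online session via
# (Get-DkimSigningConfig -Identity $Domain).Selector1CNAME / .Selector2CNAME.
function Test-O365DkimDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$TenantInitialDomain   # placeholder, e.g. contoso.onmicrosoft.com
    )
    # Office 365 expects selectorN._domainkey.<domain> to be a CNAME to
    # selectorN-<domain with dots as dashes>._domainkey.<tenant initial domain>
    $dashed = $Domain.Replace('.', '-')
    foreach ($selector in 'selector1', 'selector2') {
        $cnameName = "$selector._domainkey.$Domain"
        $expected  = "$selector-$dashed._domainkey.$TenantInitialDomain"
        $actual = (Resolve-DnsName -Name $cnameName -Type CNAME -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost

        # A 2048-bit key does not fit in one 255-byte TXT string, so the record arrives as
        # several strings: join ALL of them. Reading Strings[0] only truncates the key.
        $txt = Resolve-DnsName -Name $expected -Type TXT -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'TXT' | Select-Object -First 1
        $record = if ($txt) { -join $txt.Strings } else { '' }

        $keyBits = $null
        if ($record -match 'p=([A-Za-z0-9+/=]+)') {
            try {
                $der = [Convert]::FromBase64String($Matches[1])
                # DER SubjectPublicKeyInfo sizes for RSA with e=65537: 162 bytes = 1024-bit, 294 bytes = 2048-bit
                $keyBits = switch ($der.Length) { 162 { 1024 } 294 { 2048 } default { "unknown ($($der.Length) bytes)" } }
            } catch { $keyBits = 'invalid base64 (truncated key?)' }
        }
        [pscustomobject]@{
            Selector = $selector
            Cname    = $cnameName
            Expected = $expected
            Actual   = $actual
            CnameOk  = ($null -ne $actual -and $actual.TrimEnd('.') -ieq $expected)
            TxtFound = [bool]$txt
            KeyBits  = $keyBits
        }
    }
}

# Usage: verboon.online is the domain from the post; the tenant name is a placeholder
$check = Test-O365DkimDns -Domain 'verboon.online' -TenantInitialDomain 'contoso.onmicrosoft.com'
$check | Format-Table -AutoSize
if (@($check | Where-Object { -not $_.CnameOk }).Count -eq 0) {
    Write-Host 'Both CNAMEs resolve to the expected targets; safe to run New-DkimSigningConfig -Enabled $true'
}
```

Only enable signing once both rows show CnameOk = True and TxtFound = True; a KeyBits value of "invalid base64" on a joined record means the published key itself is damaged, not that the strings were split.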