It seems that in the recent shifting around Microsoft have done of the Office 365 / Microsoft 365 platform, they've broken a number of things (see my last post about problems with the Information Protection functionality). The latest is DKIM setup for your domain names: what should be an incredibly simple process (turn it on, create two DNS CNAME records) is anything but simple, and has yet again required a support ticket to Microsoft.
While waiting for a resolution, I found a manual workaround that allowed me to get DKIM working so my emails aren’t being bounced so I figured I’d publish it here.
What is DKIM?
Firstly, let's describe DKIM and the basics of how it works, as it will help explain the workaround. DKIM is short for DomainKeys Identified Mail and is a method that lets the recipient of an email check that a message really was sent on behalf of the domain name that claims responsibility for it, and that the signed parts of it were not altered in transit. For example, if an address at acmeltd.com sends you an email, DKIM provides a way of checking that the message was signed by a server authorised to sign email for the acmeltd.com domain name.
How does it work?
For a detailed version, you need to look up public key cryptography (definitely worth a read), but a primitive summary is this: the sending server hashes the message (generating a short, unique string of characters from the body and selected headers) and signs that hash with a private key that only it holds. The resulting signature goes into a DKIM-Signature header, together with the domain name (the d= tag) and a selector (the s= tag). Anyone receiving the message can check the signature with the matching public key, which is published for everyone to read as a DNS TXT record named <selector>._domainkey.<domain> (for Microsoft 365 that means selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com). Remember, we're not trying to keep a secret with this: the signature just provides a provable link to my domain name and shows the signed content hasn't changed.
An analogy would be if I sent you a message in a locked box where the key that opens it is publicly available (say, chained to the outside of my house) while only I hold the key that locks it. Anyone can come and unlock a box I've sent them and know it stands a good chance the box was sent by me, not just someone pretending to be me.
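To make the mechanism above concrete, here is a toy DKIM sign-and-verify round trip in PowerShell. It is an added example and not code from the original post or from Microsoft: it generates a throw-away RSA key locally, uses a constructed message, and stands a hashtable in for DNS (no real lookups happen). The domain example.com, the selector name and the message text are all made up. It needs PowerShell 7 for ImportSubjectPublicKeyInfo.

```powershell
# Added example, not from the original post. Toy DKIM round trip: sign with a
# private key, publish the public half as a <selector>._domainkey.<domain> TXT
# value, verify with nothing but the message, the header and that "DNS" entry.
$Domain   = 'example.com'   # constructed test domain, not a real tenant
$Selector = 'selector1'

# Throw-away signing key. In Microsoft 365 the private half stays inside the
# tenant and you never see it; only the public half is meant to reach DNS.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)

# The public key in exactly the form Get-DkimSigningConfig reports it and DNS
# must carry it. $FakeDns stands in for a real TXT lookup.
$p = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
$FakeDns = @{ "$Selector._domainkey.$Domain" = "v=DKIM1; k=rsa; p=$p" }

# Split a DKIM tag list ("k1=v1; k2=v2") into a hashtable. Used for both the
# DKIM-Signature header and the TXT record, which share the syntax.
function ConvertFrom-DkimTags([string]$TagList) {
    $tags = @{}
    foreach ($t in ($TagList -split ';')) {
        $k, $v = ($t.Trim() -split '=', 2)
        if ($k) { $tags[$k] = $v }
    }
    return $tags
}

# "simple" body canonicalisation (RFC 6376 3.4.3): CRLF line endings, trailing
# blank lines dropped, exactly one CRLF at the end; then SHA-256 -> base64 (bh=).
function Get-DkimBodyHash([string]$Body) {
    $canon = (($Body -replace "`r?`n", "`r`n").TrimEnd([char]13, [char]10)) + "`r`n"
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    return [Convert]::ToBase64String($sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($canon)))
}

# What actually gets signed: the listed headers plus the DKIM-Signature header
# itself with an empty b= tag (the signature cannot cover its own value).
function Get-DkimSignedData([string]$From, [string]$Subject, [string]$SigHeader) {
    $unsigned = $SigHeader -replace '(;)\s*b=[^;]*$', '$1 b='
    return [Text.Encoding]::ASCII.GetBytes("From: $From`r`nSubject: $Subject`r`nDKIM-Signature: $unsigned")
}

# Sender side: hash the body, sign the headers, emit the DKIM-Signature value.
function New-DkimSignatureHeader([string]$From, [string]$Subject, [string]$Body, $Key) {
    $hdr = "v=1; a=rsa-sha256; c=simple/simple; d=$Domain; s=$Selector; h=from:subject; bh=$(Get-DkimBodyHash $Body); b="
    $sig = $Key.SignData((Get-DkimSignedData $From $Subject $hdr),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return $hdr + [Convert]::ToBase64String($sig)
}

# Receiver side: s= and d= say where to look; the key found there must verify b=.
function Test-DkimSignature([string]$From, [string]$Subject, [string]$Body, [string]$SigHeader, [hashtable]$Dns) {
    $tags = ConvertFrom-DkimTags $SigHeader
    $name = "$($tags.s)._domainkey.$($tags.d)"
    if (-not $Dns.ContainsKey($name)) { Write-Warning "no TXT record at $name"; return $false }
    if ((Get-DkimBodyHash $Body) -ne $tags.bh) { Write-Warning 'body hash mismatch'; return $false }
    try {
        $pub = [System.Security.Cryptography.RSA]::Create()
        $pub.ImportSubjectPublicKeyInfo([Convert]::FromBase64String((ConvertFrom-DkimTags $Dns[$name]).p), [ref]$null)
        return $pub.VerifyData((Get-DkimSignedData $From $Subject $SigHeader),
            [Convert]::FromBase64String($tags.b),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } catch { Write-Warning "key unusable: $($_.Exception.Message)"; return $false }
}

# Constructed message and the four cases that matter for this post.
$from = 'alice@example.com'; $subject = 'DKIM test'; $body = "Hello`nworld`n`n"
$sigHeader = New-DkimSignatureHeader $from $subject $body $rsa

Test-DkimSignature $from $subject $body $sigHeader $FakeDns               # key published correctly
Test-DkimSignature $from $subject "Hello`ntampered`n" $sigHeader $FakeDns # body altered in transit
Test-DkimSignature $from $subject $body $sigHeader @{}                    # nothing published (the Microsoft 365 symptom)
$corrupt = @{ "$Selector._domainkey.$Domain" = $FakeDns["$Selector._domainkey.$Domain"].Remove(40, 1) }
Test-DkimSignature $from $subject $body $sigHeader $corrupt               # one character lost when copying the key
```

The first call comes back True and the other three False. The last two are the failure modes this post is about: a selector name that resolves to nothing, and a published key that differs from the one the mail was signed with, which the verifier cannot distinguish from forgery.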
The Microsoft DKIM Problems
So having set up DKIM in my Microsoft 365 tenancy and created the DNS CNAME records for it (see my guide here), when I tested it with the amazing tool LearnDmarc it failed. A bit of digging around confirmed that although Microsoft are signing my emails, they haven't published the public key in the DNS zone they host for my tenancy (the onmicrosoft.com names my CNAMEs point at, which I have no control over), so no one can check the DKIM signature in the emails and it fails.
Microsoft's own DKIM diagnostic tool (surprisingly) also confirmed this. You can access the tool by:
- Log in to the Microsoft 365 Defender portal (AKA Security & Compliance Center) here: https://security.microsoft.com/
- Click Policies & rules
- Click Threat policies
- Click DKIM
- Click the question mark symbol in the very top-right corner of the portal (next to your user account initials)
- In the search box that appears, search for DKIM test
- Enter your domain name and hit Run Tests.
If your issue is the same (Microsoft not publishing the records), you'll receive an error like this:
The TXT DNS entries for the DKIM configuration for the domain yourdomain.com have not been published or have been published incorrectly. The records which are in error are ‘selector1, selector2’. For each of the DKIM configurations Microsoft publishes a public key entry for the active selector as a DNS TXT records. It has been found that for domain yourdomain.com this step has been done incorrectly, such that the published entries do not match the data in the DKIM configuration. The only recourse is to create a new Support ticket so the DNS data can be republished correctly.
The Solution (well, work around)
What we are going to do here is get the public keys that Microsoft are supposed to publish as TXT records in the DNS they host for our tenancy (the records we normally just point a CNAME at from within our own domain name's DNS). Once we have the keys, we will instead put them directly into our own domain's DNS as TXT records (sort of 'hard coding' them).
So, as often seems to be the case these days, you need to bust out the catchily titled "Microsoft Exchange Online PowerShell Module" and connect to your Microsoft 365 tenancy.
Get the Microsoft Exchange Online PowerShell Module
Skip to the PowerShell commands heading if you already have the Microsoft Exchange Online PowerShell Module installed.
Firstly, you need to login to Microsoft 365 using the Edge browser because – well – Microsoft.
Then go to the Exchange admin center: https://admin.exchange.microsoft.com/#/homepage
Select the Classic Exchange admin center because – well – Microsoft: https://outlook.office365.com/ecp/
Click on hybrid from the left hand menu
IMPORTANT NOTE: I had to temporarily disable Sophos AV protection for the next step.
Under the text "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely", click the configure button
Click Open at the warning message, you should then be presented with a PowerShell prompt
You might be prompted to login again
PowerShell commands
Run the following, substituting your own domain name for seguro.ltd:
Get-DkimSigningConfig -Identity seguro.ltd | Format-List
The output should be something like this (sections redacted for security):
The key sections you need to find are the sections that say Selector1PublicKey and Selector2PublicKey:
Selector1PublicKey : v=DKIM1; k=rsa; p=8nGe8+2hRVQylcsmddXqH4IHXDEnwSG9/rnUbjENWiXrLAm5LBa7OkgEzgyhkbihEIiIKGtnNDj8dFHh6yEckWtHQtX7yqYWayPxl3Nk2/fNfXgP02Q34t79P1nMKkgWmIfMlFOdYWVOEH8vX0tqrHXuFsNgQmrLwBqd48nkmhu4IcG+6m5SkGGaq7s+024f3C2QSt3sfRvfgFwEAvp4/oaTV9akZp5o6PhLlWAobbzBmgdX6QPMnE4VYfJsoxO89M+4Op6Bo1x4KGUZ9WMl89WKOdDQ2P9U7hTzJRtm5Tlacac9NvIjtuNnZFN8wWPAuWtrjZ2jE9A1OIILMFR;
Selector2PublicKey : v=DKIM1; k=rsa; p=9R2QXMUWMiPkhh+Hsdk6pVpq23FHJXZn1gAO8/BCc7KNTA14KYdtTndqpLvP854Izyz7hhvIZW7FoNmok4x/F/Ovf1aA8YhAgrEzaRyJy4uPp1tnv50/FbrxFvoM5R3G8hqo3a8nToMmx8+MnEaO1OdAA8wYcif/uLnaXImpb5EofvBVKDgVfxGWbb7Lk92w6tixzWtdLbazyop/PXFxDO0yunTujIVLAKsFFvoEs0d0GqHBkfyPqu3qZ4nGUoSdu36bTIxwfUKHlA4A9Rnd9hIm/YCxawbMOsfDaWM89+CEi73rWBdBDVHKgoMsy52/muvxZQSWIBGHjhx8;
You'll need to carefully remove the line breaks when you copy and paste it into Notepad or similar (I say carefully because it's easy to accidentally delete a character, and then the key won't decode and every signature check against it will fail). The value you end up with should be a single line of the form v=DKIM1; k=rsa; p=<base64>, with nothing but the base64 text in the p= tag.
You then need to create two TXT records in the DNS for your domain name: one with a name/host of selector1._domainkey and the value from Selector1PublicKey above, and another with a name/host of selector2._domainkey and the value from Selector2PublicKey above. Two practical notes: a CNAME cannot coexist with any other record at the same name, so delete the existing selector1._domainkey and selector2._domainkey CNAMEs first; and a 2048-bit key makes the value longer than the 255-character limit of a single TXT string, so if your DNS provider doesn't split it for you, enter it as quoted chunks of 255 characters or fewer (verifiers join them back together). Then re-run the Microsoft DKIM test above and LearnDmarc to confirm the records resolve.
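The whole procedure from the PowerShell commands heading to here, as a script. This is an added example and not the post's own commands or anything Microsoft ships: it assumes the current ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement) rather than the click-to-run module described above, a Windows host for Resolve-DnsName, and yourdomain.com as a placeholder for your own accepted domain. Beyond the post's steps it also compares what DNS actually returns for each selector with the key the tenant signs with, which is the check Microsoft's diagnostic tool was failing.

```powershell
# Added example, not the original post's commands. Assumes the
# ExchangeOnlineManagement module and a Windows host (Resolve-DnsName).
$Domain = 'yourdomain.com'   # placeholder: your accepted domain

# Console output wraps long values; the record itself is one string. Drop all
# whitespace (a lost or extra character breaks the key) and tidy the separators.
function ConvertTo-DkimTxtValue([string]$PublicKey) {
    return ($PublicKey -replace '\s', '') -replace ';', '; '
}

# Some providers require TXT strings of 255 characters or fewer; verifiers join
# the pieces back together (RFC 6376 3.6.2.2), so splitting changes nothing.
function Split-DkimTxtValue([string]$Value, [int]$Max = 255) {
    for ($i = 0; $i -lt $Value.Length; $i += $Max) {
        '"' + $Value.Substring($i, [Math]::Min($Max, $Value.Length - $i)) + '"'
    }
}

# What DNS actually returns for a name, with CNAMEs followed and chunks rejoined.
function Get-PublishedDkimKey([string]$Name) {
    $txt = Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop | Where-Object Type -eq 'TXT'
    if (-not $txt) { return $null }
    return ($txt.Strings -join '') -replace '\s', ''
}

Connect-ExchangeOnline                                  # interactive admin sign-in
$cfg = Get-DkimSigningConfig -Identity $Domain

# The two TXT records to create in your own zone, in place of the CNAMEs.
$records = foreach ($n in 1, 2) {
    $value = ConvertTo-DkimTxtValue $cfg."Selector${n}PublicKey"
    [pscustomobject]@{
        Name   = "selector$n._domainkey.$Domain"
        Type   = 'TXT'
        Value  = $value
        Chunks = (Split-DkimTxtValue $value) -join ' '   # form for providers that need it
    }
}
$records | Format-List

# Does the key the world can fetch equal the key the tenant signs with?
foreach ($r in $records) {
    try   { $live = Get-PublishedDkimKey $r.Name } catch { $live = $null }
    $state = if (-not $live) { 'NOTHING PUBLISHED' }
             elseif ($live -eq ($r.Value -replace '\s', '')) { 'published key matches tenant key' }
             else { 'MISMATCH: published key is not the one the tenant signs with' }
    '{0}: {1}' -f $r.Name, $state
}
"Next key rotation: $($cfg.RotateOnDate) (re-run this check after that date)"
```

Run it once before touching DNS, when it should report NOTHING PUBLISHED or MISMATCH for both selectors if you have the same problem, and again after the TXT records have propagated, when both should match. The final line prints the rotation date the tenant reports, which is when the hard-coded records will go stale.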
Caveat / Caution
The problem with the workaround is that if Microsoft rotate the DKIM keys, our hard-coded TXT records will not update and signatures will start failing again. This is why in the proper setup you use a CNAME as a pointer to records that Microsoft maintain (well, are supposed to). Get-DkimSigningConfig reports when the next rotation is due (the RotateOnDate property), so I would recommend regular testing, particularly around that date, and hopefully this workaround can be abandoned (TXT records deleted, CNAMEs restored) once Microsoft confirm a fix.