DomainKeys Identified Mail (DKIM) is extra security for your outgoing messages. It is essential to rotate the public and private DKIM keys every few months to secure your domain. Once you rotate the DKIM keys, new public and private keys are used to sign and authenticate messages. This article will show you how to rotate DKIM keys in Exchange Admin Center and PowerShell.

## DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication procedure that helps to prevent email spoofing and make emails more reliable. When you implement DKIM keys for your domains, the recipients know that the emails came from users within the same organization and were not changed in transit.

Before you start, you need to have the DKIM keys configured and enabled for your domain.

### Why should I rotate DKIM keys?

DKIM keys consist of private and public key pairs to authenticate mail. It is critically important to use strong keys, but it is also important to rotate DKIM keys regularly. Key rotation helps to minimize the risk of compromised private keys.

If a third party stole or deciphered your private key, they could "sign" their spam or phishing email with your valid DKIM signature. Negative data signals gathered from those spam or phishing emails then become associated with your domain, causing deliverability problems for your email. Rotating DKIM keys renders old keys worthless, providing an extra layer of security to help you maintain good deliverability.

### How frequently should I rotate DKIM keys?

Now you understand why it is important to rotate DKIM keys. The question is how often an organization should rotate them. It depends on each organization's security policy and its risk.

- **Low-volume senders:** If your organization receives emails from local and regional senders, you should rotate DKIM keys every six months or once a year.
- **High-volume senders:** If your organization receives emails from international senders frequently, you should rotate DKIM keys monthly or every three months.
- **Security breach:** If there is a security breach, you should rotate DKIM keys immediately.

**Note:** As a best practice, you should rotate DKIM keys every six months. But if you detect a security system breach, you should rotate them instantly, even if you rotated them two months ago.

## Rotate DKIM keys in Exchange Admin Center

To rotate DKIM keys for a domain in Exchange Online, follow the steps below.

### Check DKIM status in Microsoft 365

We have to check if the DKIM keys are enabled before rotating them.

Check the DKIM status in Microsoft 365 portal:

1. Sign in to [Microsoft 365 Defender portal](https://security.microsoft.com/)
2. Click on the menu **Email & Collaboration**
3. Click **Policies & Rules**
4. Click on **Threat Policies**

   ![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-policies.png]]

5. Click on **Email authentication settings**

   ![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-email.png]]

6. Click on **DKIM**

   ![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-page.png]]

### View and rotate DKIM keys in Microsoft 365

On the DomainKeys Identified Mail (DKIM) page, you will see your domains.

1. Click on the name of your domain from the list to open the details. In our example, the domain is **exoip.com**
2. Slide the toggle from Disabled to **Enabled**
3. Click on **Rotate DKIM keys**

You can do these steps for each domain in Microsoft 365 admin center.

![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-details.png]]

## Rotate DKIM keys with PowerShell

To rotate DKIM keys for a domain in Exchange Online with PowerShell, follow the steps below.

### Connect to Exchange Online PowerShell

First, you must [connect to Exchange Online PowerShell](https://o365info.com/connect-exchange-online-powershell/) as a global administrator.

### View DKIM keys status in PowerShell

Get the DomainKeys Identified Mail (DKIM) status for domains in a cloud-based organization, including their validity.

Run the [Get-DkimSigningConfig](https://learn.microsoft.com/en-us/powershell/module/exchange/get-dkimsigningconfig?view=exchange-ps) cmdlet.

The output will show as in the example below.

### Rotate DKIM keys with PowerShell cmdlet

Run the PowerShell cmdlet below to rotate the DKIM keys for your domain.

## Check DKIM keys rotated

Check if you rotated the DKIM keys in [MxToolbox](https://mxtoolbox.com/dkim.aspx).

1. Type your **domain name**
2. Type **selector1**
3. Click **DKIM Lookup**

![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-selector1.png]]

The test results show that the DKIM record for selector1 is published.

![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-test-selector1.png]]

Now we need to check selector2 for the same domain.

1. Change the lookup field from selector1 to **selector2**
2. Click **DKIM Lookup**

The test results show that the DKIM record for selector2 is published.

![[Rotate-DKIM-keys-in-Exchange-and-PowerShell-test-selector2.png]]

That's it!

## Conclusion

You have learned to rotate the DKIM keys in Exchange Admin Center and PowerShell. Use the PowerShell cmdlet to rotate DKIM signing policy keys for domains in Exchange Online. Lastly, you can check and verify the DKIM records in MxToolbox by typing the domain name and both selectors.

## Sources

[Rotate DKIM keys in Microsoft 365 - o365info](https://o365info.com/rotate-dkim-keys/)
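
The PowerShell procedure described above (view the DKIM status, rotate the keys, and confirm that selector1 and selector2 are published), as one added script that is not from the original article. It assumes an already connected Exchange Online PowerShell session on a Windows host where `Resolve-DnsName` is available; the helper `Test-DkimSelector` and the 2048-bit `-KeySize` value are this example's own choices.

```powershell
# Added example, not the article's own code. Assumes a connected
# Exchange Online PowerShell session; exoip.com is the article's example domain.
param(
    [string]$Domain = 'exoip.com',
    [ValidateSet(1024, 2048)][int]$KeySize = 2048   # assumed key size
)

# Hypothetical helper: resolves <selector>._domainkey.<domain> (following the
# CNAME) and reports whether a DKIM TXT record with a non-empty key is published.
function Test-DkimSelector {
    param([string]$Selector, [string]$Domain)
    $name = "$Selector._domainkey.$Domain"
    $txt = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' }
    $record = $txt.Strings -join ''
    [pscustomobject]@{
        Name      = $name
        Published = [bool]($record -match 'p=[A-Za-z0-9+/]')
    }
}

# 1. View the current DKIM status for the domain.
$config = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop
$config | Format-List Domain, Enabled, Status, Selector1KeySize, Selector2KeySize,
    SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate, RotateOnDate

# 2. Refuse to rotate if DKIM signing is disabled or a selector is missing in
#    DNS; rotating onto an unpublished selector would break verification.
if (-not $config.Enabled) {
    throw "DKIM signing is not enabled for $Domain; enable it before rotating."
}
$unpublished = 'selector1', 'selector2' |
    ForEach-Object { Test-DkimSelector -Selector $_ -Domain $Domain } |
    Where-Object { -not $_.Published }
if ($unpublished) {
    throw "Selector record(s) not published: $($unpublished.Name -join ', ')"
}

# 3. Rotate the keys.
Rotate-DkimSigningConfig -Identity $Domain -KeySize $KeySize

# 4. Show the selectors before and after rotation; RotateOnDate shows when
#    the service switches to the other selector.
Get-DkimSigningConfig -Identity $Domain |
    Format-List SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate, RotateOnDate
```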