Recently I was working on a migration project moving a number of domains from a 3rd party mail hygiene solution to Defender for Office 365 and as part of the post migration testing the DKIM signing was failing.
The DKIM information in the message header was appearing as:
dkim=fail (no key for signature)Despite the error the domain appeared to be correctly configured for DKIM:
- The DKIM records were correctly registered in DNS
- DKIM was enabled in the Microsoft 365 Defender Portal, the keys had even been rotated to rule out that as an issue.
- The domain had been registered in Microsoft 365 for some time and was sending and receiving email (albeit through the 3rd party solution)
Solution
The solution in this case was that even though everything appeared to be setup correctly, the domain was not previously fully configured for use with Microsoft 365 so was showing in the Microsoft 365 admin center as have its setup incomplete.
To correct the issue the following steps were undertaken:
- Complete the setup wizard for the domain
- Disable DKIM in the Microsoft 365 Defender Portal for the affected domain
- Re-enable DKIM for that domain
Once these steps were completed the expected headers were now appearing.
dkim=pass (signature was verified)Although it might seem simple solution, it was a perplexing problem that a domain that had been in use for quite some time, was having DKIM issues. It also raised the question if the Defender Portal should display an error if you attempt to enable DKIM for a domain where the setup is not 100% complete.
