Office 365, DKIM, and a naughty domain name

While helping a customer set up their Office 365 tenant, we ran into an edge case scenario…

An Internet domain name with a hyphen (minus symbol) in it.  Let’s call it domain-name.com.

When you set up DKIM for Office 365, the DKIM ‘selector’ entries you have to create within your domain’s DNS zone are of type CNAME, and they point to entries hosted by Microsoft for your Office 365 tenant.

An example of this is as follows, per Microsoft:

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain> 
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain> 
TTL: 3600

Where:

  • For Office 365, the selectors will always be “selector1” or “selector2”.
  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
  • initialDomain is the domain that you used when you signed up for Office 365. Initial domains always end in onmicrosoft.com. For information about determining your initial domain, see Domains FAQ.

Note: In the ‘target’ value of the CNAME records, the domain name portion (<domainGUID>) is not written as the Fully Qualified Domain Name (FQDN) contoso.com, i.e. the name (contoso) and its Top Level Domain (TLD, .com) are not separated by a period as you would expect.

Instead, the period is replaced with a hyphen (minus symbol), as in: contoso-com

So if the delimiter between your domain name and its TLD is a hyphen, what happens when the domain itself contains a hyphen (e.g. domain-name.com)?  The CNAME target can no longer be derived unambiguously from the domain name alone.

This is where the trouble comes in, so how do you resolve it?

Once you have added your domain name within the Office 365 Admin Portal, under Setup > Domains, click on the domain name and take a look at the expected DNS record entries.  In the proposed MX (mail exchange) record for your domain name, you may be surprised to see extra characters after your domain name, such as “0c”, and the original hyphen from your domain name (domain-name.com) removed entirely:

domain-name.com. 3600 IN MX 5 domainname-com0c.mail.protection.outlook.com

This subtle change is key to a successful DKIM setup for a domain with a hyphen in its name: the domainGUID in the CNAME targets must match the one in the MX record exactly, so copy it from the MX record the portal shows for your domain rather than building it yourself from the domain name.

So then we know your DKIM selector CNAME entry target values should read as follows (assuming an initial domain of domainname.onmicrosoft.com):

selector1-domainname-com0c._domainkey.domainname.onmicrosoft.com

selector2-domainname-com0c._domainkey.domainname.onmicrosoft.com
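The derivation above, as an added PowerShell example that is not part of the original post: it reads the domainGUID from the Exchange Online Protection MX record (the only authoritative source for it), builds the two selector CNAMEs, and then checks that what is published in DNS matches and that Microsoft is serving a DKIM public key (a TXT record starting with v=DKIM1) at each target. It assumes the DnsClient module (Resolve-DnsName, available on Windows) and that you supply your initial domain; the domain names and the “domainname-com0c” MX target in the usage lines are constructed to match this post.

```powershell
# Added example (not from the original post). Assumes Resolve-DnsName (DnsClient module).

function Get-ExpectedDkimCname {
    param(
        [Parameter(Mandatory)][string]$MxTarget,      # e.g. domainname-com0c.mail.protection.outlook.com
        [Parameter(Mandatory)][string]$InitialDomain  # e.g. domainname.onmicrosoft.com (assumed)
    )
    $MxTarget = $MxTarget.TrimEnd('.')
    $suffix   = '.mail.protection.outlook.com'
    if (-not $MxTarget.ToLower().EndsWith($suffix)) {
        throw "MX target '$MxTarget' is not an Exchange Online Protection host; refusing to guess a domainGUID."
    }
    # The domainGUID is everything before the EOP suffix. Deliberately NOT rebuilt from the
    # domain name: for domain-name.com Microsoft emitted 'domainname-com0c', not 'domain-name-com'.
    $domainGuid = $MxTarget.Substring(0, $MxTarget.Length - $suffix.Length)
    foreach ($n in 1, 2) {
        [pscustomobject]@{
            Host  = "selector$n._domainkey"
            Type  = 'CNAME'
            Value = "selector$n-$domainGuid._domainkey.$InitialDomain"
            TTL   = 3600
        }
    }
}

function Test-DkimDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$InitialDomain
    )
    # 1. Take the domainGUID from the live MX record, exactly as the admin portal shows it.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' } |
          Select-Object -First 1
    if (-not $mx) { throw "No Exchange Online Protection MX record found for $Domain" }

    foreach ($expected in Get-ExpectedDkimCname -MxTarget $mx.NameExchange -InitialDomain $InitialDomain) {
        $name  = "$($expected.Host).$Domain"
        # 2. Is the selector CNAME published, and does it point at the expected target?
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $published = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }

        # 3. Does Microsoft serve a DKIM public key at the target? (TXT record, v=DKIM1; k=rsa; p=...)
        $txt = Resolve-DnsName -Name $expected.Value -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'TXT' }
        $hasKey = [bool]($txt | Where-Object { ($_.Strings -join '') -match 'v=DKIM1' })

        [pscustomobject]@{
            Record       = $name
            Expected     = $expected.Value
            Published    = $published
            CnameMatches = [bool]($published -and ($published -ieq $expected.Value))
            KeyPublished = $hasKey
        }
    }
}

# Offline usage (constructed MX target from this post): prints the two CNAME rows to create.
Get-ExpectedDkimCname -MxTarget 'domainname-com0c.mail.protection.outlook.com' `
                      -InitialDomain 'domainname.onmicrosoft.com' | Format-Table -AutoSize

# Live usage (constructed names): run after publishing the records and waiting for propagation.
# Test-DkimDns -Domain 'domain-name.com' -InitialDomain 'domainname.onmicrosoft.com' | Format-Table -AutoSize
```

If CnameMatches is true but KeyPublished is false, the DNS side is done and the remaining work is on the Exchange Online side (the signing config has not been created or enabled yet); if KeyPublished is true but CnameMatches is false, the target was typed by hand and does not match the domainGUID in the MX record.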

There you have it!

If this was helpful to you, please share it by Tweeting about your newfound discovery!

Where oh where did my DKIM go?

While helping a customer set up their Microsoft Office 365 tenant this past week, we ran into an issue with enabling DKIM within Exchange Online.

Within the Exchange Admin Center (EAC), under protection > dkim, for each domain, the Enable option was completely missing.

It was a long shot, but I tried enabling it using PowerShell for Exchange Online with the New-DkimSigningConfig command for each domain as follows:

New-DkimSigningConfig -DomainName contoso.com -Enabled $true

ref: Microsoft Docs

Here is what the output looks like upon successfully calling New-DkimSigningConfig:

PS C:\Users\contosoadmin> New-DkimSigningConfig -DomainName mydomain.com -Enabled $true
WARNING: The config was created but can't be enabled because the CNAME records
aren't published. Publish the following two CNAME records, and then enable the
config by using Set-DkimSigningConfig.
selector1-mydomain-com._domainkey.myO365org.onmicrosoft.com
selector2-mydomain-com._domainkey.myO365org.onmicrosoft.com

Domain        Enabled
------        -------
mydomain.com  False

Then, back within the Exchange Admin Center (EAC), under protection > dkim, I can now select the domain I just created a new DKIM Signing Config for, and click to Enable it as seen in the following screenshot.

Before you can Enable it, though, you have to add the expected CNAME records to DNS.  I have a separate post covering the required DNS additions.

Thankfully, this worked, and now next to each domain within EAC, DKIM shows as enabled, and presents the expected options “Disable” and “Rotate” (to rotate the DKIM key).
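The same workflow as an added PowerShell example, not code from the original post: for each domain it creates the signing config if the domain has none (which is what makes the Enable option appear in the EAC), reads the two CNAME targets Exchange Online itself expects from the Selector1CNAME and Selector2CNAME properties of the config (so the hyphenated-domain edge case is never derived by hand), and then attempts to enable it, printing the records still to publish if Exchange Online refuses. It assumes the ExchangeOnlineManagement module and an admin account; the domain and account names in the usage line are constructed.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# (Connect-ExchangeOnline) and an account allowed to manage Exchange Online.

function Enable-TenantDkim {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$AdminUpn   # assumption: interactive sign-in; omit to reuse an existing session
    )
    if ($AdminUpn) { Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false }

    foreach ($d in $Domain) {
        # 1. A domain with no signing config shows no Enable option in the EAC; create it.
        $cfg = Get-DkimSigningConfig -Identity $d -ErrorAction SilentlyContinue
        if (-not $cfg) {
            # Enabled:$false generates the keys now without trying to enable before the CNAMEs exist.
            $cfg = New-DkimSigningConfig -DomainName $d -Enabled $false
        }

        if ($cfg.Enabled) {
            Write-Host "$d : DKIM signing already enabled"
            continue
        }

        # 2. Exchange Online already knows the exact targets, domainGUID included.
        $needed = @(
            "selector1._domainkey.$d  CNAME  $($cfg.Selector1CNAME)",
            "selector2._domainkey.$d  CNAME  $($cfg.Selector2CNAME)"
        )

        # 3. Enabling fails until both CNAMEs are published; surface what is still missing.
        try {
            Set-DkimSigningConfig -Identity $d -Enabled $true -ErrorAction Stop
        } catch {
            Write-Warning "$d : could not enable DKIM: $($_.Exception.Message)"
            Write-Warning "$d : publish these records, wait for propagation, then re-run:"
            $needed | ForEach-Object { Write-Warning "  $_" }
            continue
        }

        # 4. Confirm the end state the EAC shows as Enabled, with Disable/Rotate available.
        Get-DkimSigningConfig -Identity $d |
            Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
    }
}

# Usage (constructed names):
# Enable-TenantDkim -Domain 'domain-name.com', 'contoso.com' -AdminUpn 'admin@domainname.onmicrosoft.com'
```

Once a domain reports Enabled = True, the Rotate option in the EAC corresponds to Rotate-DkimSigningConfig -Identity <domain>; because both selectors already have CNAMEs pointing at Microsoft-hosted records, rotation needs no further DNS changes on your side.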

If this post was helpful to you, please Tweet and share it with others.