Rotate your DKIM Signing Keys in Exchange Online

Hi All,

A few Days ago I read the following Article about DKIM Signing Keys at Heise Online

One of the key Messages is this:

The attempt shows that RSA keys with a length of 384, 512 or 768 bits can be cracked with little effort. But 1024-bit DKIM keys are no longer “state of the art” today, but are often still accepted for reasons of compatibility.

Exchange Online

Let’s have a look in the DKIM Signing Configuration in Exchange Online.

As you can see, several Domains still have a DKIM Key with a length of only 1024 Bits.

Connect-ExchangeOnline -ShowBanner:$false
Get-DkimSigningConfig | fl Domain, selector1keysize, selector2keysize, enabled

You can also check your DKIM Key with MXToolbox

domain.tld:selector

Selector1 still has a Key length of 1024 Bits

Let’s view all the details for the domain

Get-DkimSigningConfig -Identity icewolf.ch | fl

Let’s rotate the key

Rotate-DkimSigningConfig -Identity icewolf.ch

Now both DKIM Keys have 2048 Bits. You can see the “RotateOnDate” Attribute has changed to four Days in the Future.

Get-DkimSigningConfig -Identity icewolf.ch | fl

Let’s check selector2 again with MXToolbox

Let’s fix the other Domains too. As you can see, you can’t rotate twice. You have to wait for the RotateOnDate to pass.

Rotate-DkimSigningConfig -Identity icewolfch.onmicrosoft.com
Rotate-DkimSigningConfig -Identity icewolfch.mail.onmicrosoft.com
Get-DkimSigningConfig -Identity icewolfch.mail.onmicrosoft.com | fl
Rotate-DkimSigningConfig -Identity icewolfch.mail.onmicrosoft.com

Now all Domains have 2048 Bit DKIM Keys, except the one that had two 1024 Bit Keys.

Get-DkimSigningConfig | fl Domain, selector1keysize, selector2keysize, enabled
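
The check-then-rotate steps above combined into one function, as an added example that is not part of the original post: it reports every Domain with a selector below 2048 Bits and, only when called with -Rotate, rotates those whose RotateOnDate has passed. Invoke-DkimKeyAudit and its -Rotate switch are hypothetical names; the code assumes an existing Connect-ExchangeOnline session, assumes RotateOnDate is returned in UTC, and passes the documented -KeySize parameter of Rotate-DkimSigningConfig, which the commands in the post leave out.

```powershell
# Added example, not from the original post.
# Assumes an existing session: Connect-ExchangeOnline -ShowBanner:$false
function Invoke-DkimKeyAudit {            # hypothetical function name
    [CmdletBinding()]
    param(
        [int]$MinKeySize = 2048,          # selectors below this size count as weak
        [switch]$Rotate                   # hypothetical switch: without it, report only
    )

    # Assumption: RotateOnDate is returned in UTC.
    $now = (Get-Date).ToUniversalTime()

    foreach ($cfg in Get-DkimSigningConfig) {
        # An empty key size casts to 0 and is therefore reported as weak.
        $weak = ([int]$cfg.Selector1KeySize -lt $MinKeySize) -or
                ([int]$cfg.Selector2KeySize -lt $MinKeySize)

        if (-not $weak) {
            $action = 'OK'
        }
        elseif (-not $cfg.Enabled) {
            # Choice made for this example: never touch a config that is not signing.
            $action = 'Weak key, DKIM disabled: review manually'
        }
        elseif ($cfg.RotateOnDate -and [datetime]$cfg.RotateOnDate -gt $now) {
            # A rotation is still pending; a second rotate call would be rejected.
            $action = "Rotation pending until $($cfg.RotateOnDate)"
        }
        elseif ($Rotate) {
            Rotate-DkimSigningConfig -Identity $cfg.Domain -KeySize 2048
            $action = 'Rotated; run again after the new RotateOnDate if still weak'
        }
        else {
            $action = 'Rotation possible (run again with -Rotate)'
        }

        [pscustomobject]@{
            Domain           = $cfg.Domain
            Selector1KeySize = $cfg.Selector1KeySize
            Selector2KeySize = $cfg.Selector2KeySize
            RotateOnDate     = $cfg.RotateOnDate
            Action           = $action
        }
    }
}

Invoke-DkimKeyAudit | Format-Table -AutoSize
```

A Domain that starts with two 1024 Bit Keys needs two runs with -Rotate, separated by the RotateOnDate wait.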

Defender Portal

In the M365 Defender Portal you can only see whether a Domain has DKIM enabled.

Email Authentication Settings > DKIM

But you can’t see the Details. That’s why you need to use the PowerShell Commands.

Summary

Make sure you keep your DKIM Configuration secure and rotate DKIM Keys if needed.

Regards
Andres Bohren
