Hey everyone,
I'm having a strange issue with DKIM configuration for one of my domains. Usually, setting up DKIM is a breeze, but this time it's throwing me off. I'm using the Microsoft DKIM setup page, where you just copy and paste the info into your DNS server. However, I've noticed that for my domain, the values appear to be incomplete, particularly missing the .com.
Here's what I have:
- Host Name: selector1._domainkey
- Points to: selector1-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft
And for the second selector:
- Host Name: selector2._domainkey
- Points to: selector2-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft
In my DNS, I'm concluding with: selector2-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft***.com***. That seems logical to me, right?
But whenever I enable "Sign messages for this domain with DKIM signatures," I get an error:
"|Microsoft.Exchange.Management.Tasks.ValidationException|CNAME record does not exist for this config. Please publish the following two CNAME records first..."
Has anyone else encountered this? I'm puzzled about how the value selector2-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft could work without the .com since mail.microsoft isn't a valid domain to me.
**Edit:** I managed to fix the issue by using selector1-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft without the .com! Lesson learned today!
Thanks for your help!
5 Answers
You’re right about the selector; it’s more about relaying the correct information for decryption. Microsoft tends to have its own unique selectors, so just follow their lead with whatever they provide.
Have you checked out Microsoft’s help article on this topic? They have a clear example that might clarify things for you. You can find it [here](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure).
I would recommend trying to run a command like `dig txt selector1-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft` to check if you're able to retrieve a DKIM record. Also, ensure that DKIM is enabled for your `.onmicrosoft.com` tenant domain before you set it up for your custom domain.
Good call! Sometimes it just needs that initial setup to get things rolling.
Just remember that the selector doesn't necessarily have to match a domain name. It’s simply a way to reference the correct DKIM key. Don't worry too much about the specifics as long as it works!
Actually, you’re right in that .microsoft is a valid TLD. The dkim.mail.microsoft part is the new domain Microsoft uses for DKIM records. It’s not missing the .com—just enter it as you see it!

Yeah, definitely dive into that help article—it could save you a lot of headaches!
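The `dig` check suggested in the answers, as an added example that is not part of the original thread: it compares the CNAME target a resolver returns with the value shown on the Microsoft DKIM setup page and names the failure mode from the question (an appended `.com`). It goes slightly beyond the thread by also flagging a target that had the customer zone appended, which happens when a DNS host treats a target without a trailing dot as relative. The function names are hypothetical and the sample values are the placeholders used in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# domain values are the constructed placeholders used in the question.

# Lowercase and strip one trailing dot so "Foo.Example." equals "foo.example".
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# classify_target EXPECTED OBSERVED [ZONE]
# Prints: ok | missing | zone-appended | extra-suffix:<suffix> | mismatch
classify_target() (
  expected=$(normalize "$1")
  observed=$(normalize "$2")
  zone=$(normalize "${3:-}")
  if [ -z "$observed" ]; then
    echo missing                      # no CNAME published (or not yet visible)
  elif [ "$observed" = "$expected" ]; then
    echo ok
  elif [ -n "$zone" ] && [ "$observed" = "$expected.$zone" ]; then
    echo zone-appended                # DNS host treated the target as relative
  elif [ "${observed#"$expected".}" != "$observed" ]; then
    echo "extra-suffix:${observed#"$expected".}"   # e.g. a hand-added ".com"
  else
    echo mismatch
  fi
)

# check_selector ZONE SELECTOR EXPECTED: live lookup, needs dig and network.
check_selector() (
  observed=$(dig +short CNAME "$2._domainkey.$1" | head -n 1)
  printf '%s._domainkey.%s -> %s [%s]\n' "$2" "$1" "${observed:-<none>}" \
    "$(classify_target "$3" "$observed" "$1")"
)

# Offline demo on constructed values: the failure mode from the question.
T=selector1-mydomain-org._domainkey.tenantdomain.w-v1.dkim.mail.microsoft
classify_target "$T" "$T.com."

# Live use (assumed zone name from the question):
# check_selector mydomain.org selector1 "$T"
```

A result of `missing` right after publishing can also mean the record has not propagated to the resolver being queried yet.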