Friday, 11 March 2016

Office 365 DKIM: No DKIM keys saved for this domain

I had the pleasure of enabling DKIM for an Office 365 tenant yesterday. I won't go into any details on how you do it, as that's been covered many times by various bloggers out on the internet.

One thing did get when enabling it however, was that a domain that was added to the tenant afterwards, wasn't able to be enabled for DKIM. It simply sat there stating "No DKIM keys saved for this domain".

This post is on how you resolve it.

So let's take a look at the issue. I login to the Exchange Admin Center, select |Protection, then |dkim

You can see the domain status states "No DKIM keys saved for this domain". If I check others you can see they are either in an enabled state, or available to be enabled:

So how do we resolve it? Well you'll need to use Powershell.

Let's open a session to the tenant and check the status of DKIM signing for all domains by using Get-DkimSigningConfig. You can see in the below Powershell window the domain isn't stated at all.

As '' simply isn't there, we need to add it. To forcefully add it and get Office 365 to realise it's there to use, let's run this Powershell command:

New-DkimSigningConfig –DomainName "The domain that has the error message" –Enabled $true

We will get a CNAME error if we haven't set the CNAME records up, which isn't an issue, just means we'll have to do them before we can enable it.

So what's the status of this domain look like in the EAC now?

Fantastic! You can see the error "No DKIM keys saved for this domain" is removed and we can enable it (once we've done those CNAME records!!)

Out of interest, running Get-DkimSigningConfig now shows the domain in the list and set as disabled.

Oliver Moazzezi – MVP Exchange Server
Twitter: @Olivermoazzezi


Sebby123 said...

Thank you so much.
I couldn't work out why this was happening, you've saved me so much stress.

Oliver Moazzezi said...

Hey No worries - glad to help!