Friday 11 March 2016

Office 365 DKIM: No DKIM keys saved for this domain

I had the pleasure of enabling DKIM for an Office 365 tenant yesterday. I won't go into any details on how you do it, as that's been covered many times by various bloggers out on the internet.

One thing that did get me when enabling it, however, was that a domain added to the tenant afterwards couldn't be enabled for DKIM. It simply sat there stating "No DKIM keys saved for this domain".

This post is on how you resolve it.

So let's take a look at the issue. I log in to the Exchange Admin Center, select Protection, then dkim.

You can see the domain status states "No DKIM keys saved for this domain". If I check others you can see they are either in an enabled state, or available to be enabled:

So how do we resolve it? Well, you'll need to use PowerShell.

Let's open a session to the tenant and check the status of DKIM signing for all domains by using Get-DkimSigningConfig. You can see in the below PowerShell window that the domain isn't listed at all.

As '' simply isn't there, we need to add it. To forcefully add it and get Office 365 to realise it's there to use, let's run this PowerShell command:

New-DkimSigningConfig -DomainName "The domain that has the error message" -Enabled $true

We will get a CNAME error if we haven't set the CNAME records up. That isn't an issue; it just means we'll have to create them before we can enable it.

So what's the status of this domain look like in the EAC now?

Fantastic! You can see the error "No DKIM keys saved for this domain" is removed and we can enable it (once we've done those CNAME records!!)

Out of interest, running Get-DkimSigningConfig now shows the domain in the list and set as disabled.

Oliver Moazzezi – MVP Exchange Server
Twitter: @Olivermoazzezi
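
The check-and-fix procedure above as one script, added here as an example and not the author's own code. It assumes an Exchange Online PowerShell session is already open and that the Windows Resolve-DnsName cmdlet is available; Get-DkimGap and Test-DkimCname are hypothetical helper names, and the config is created with -Enabled $false (rather than the post's $true) so no CNAME error is raised before the records exist.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session and the
# Windows DnsClient module (Resolve-DnsName). Helper names are hypothetical.

function Get-DkimGap {
    # Accepted domains with no DKIM signing config: the ones the EAC shows as
    # "No DKIM keys saved for this domain".
    $configured = @(Get-DkimSigningConfig | ForEach-Object { [string]$_.Domain })
    Get-AcceptedDomain |
        ForEach-Object { [string]$_.DomainName } |
        Where-Object { $configured -notcontains $_ }
}

function Test-DkimCname {
    param([Parameter(Mandatory)] $Config)
    # Compare the published selector CNAMEs with the targets Office 365 expects.
    foreach ($n in 1, 2) {
        $name     = "selector$n._domainkey.$($Config.Domain)"
        $expected = [string]$Config."Selector${n}CNAME"
        $found = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        [pscustomobject]@{
            Record    = $name
            Expected  = $expected
            Published = $found.NameHost
            Match     = ($found.NameHost -eq $expected)
        }
    }
}

foreach ($domain in Get-DkimGap) {
    # Create the keys without trying to turn signing on yet.
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
    $config  = Get-DkimSigningConfig -Identity $domain
    $records = @(Test-DkimCname -Config $config)
    $records | Format-Table -AutoSize | Out-Host

    if (@($records | Where-Object { -not $_.Match }).Count -eq 0) {
        # Both CNAMEs are already published and correct: enable signing.
        Set-DkimSigningConfig -Identity $domain -Enabled $true
    } else {
        Write-Warning "${domain}: publish the CNAME records above, then enable DKIM."
    }
}
```

Running it again after the CNAME records have propagated does nothing for domains that already have a config, so enable those with Set-DkimSigningConfig or from the EAC as described in the post.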


Sebastian Brooks said...

Thank you so much.
I couldn't work out why this was happening, you've saved me so much stress.

Oliver Moazzezi said...

Hey, no worries - glad to help!

Unknown said...

Another thanks from me as well! I just recently migrated about 6 domains over to O365/Exchange Online. I did 5 of them at the same time and the last a few days later. During the migration of the first 5 I noticed the Enable DKIM option was missing. I left it alone overnight and it seemed to have fixed itself (the next day I was able to successfully enable DKIM).
The 6th domain on the other hand never refreshed. I waited a couple of days until I started to get concerned.
I was able to follow your post step-by-step to get the issue resolved.
Thanks again for taking the time to post this!

Aaron S

Unknown said...

Thank you. It works like a charm!

Unknown said...

Thank you! It works like a charm!

trustme - im an engineer! said...

Hi Oliver,

Great guide!

Unfortunately I'm stuck with an Office 365 account and custom domain, where I've followed all the steps and have set up the CNAME entries correctly, but there is no enable button for DKIM in Exchange admin centre. It just displays:
"No DKIM keys saved for this domain."

The PowerShell command is similarly unhelpful:
PS C:\WINDOWS\system32> New-DkimSigningConfig -DomainName -Enabled $true
Creating a new session for implicit remoting of "New-DkimSigningConfig" command...
Error publishing public key TXT record. Config was not created. Please try again.
+ CategoryInfo : InvalidOperation: (:) [New-DkimSigningConfig], Exception
+ FullyQualifiedErrorId : [Server=MMXP123MB0896,RequestId=2ec224d2-4258-423f-b281-3dd79219702e,TimeStamp=02/10/2017 12:20:51] [FailureCategory=Cmdlet-Exception] CF5F4787,Microsoft.Exchange.Management.SystemConfigurationTasks.NewDkimSigningConfig
+ PSComputerName :

(I get a different error if the CNAME entries are missing/incorrect, so I'm confident it's not that).

Googling this doesn't turn up much help. I wonder if there is a detail missing. Does this only work if Microsoft host the DNS entries for the domain?

Any advice would be greatly appreciated.


Oliver Moazzezi said...

Glad it has helped you all.

Take care