This article “Get-DkimSigningConfig Helper PowerShell Script August 2020” was initially authored on 8-12-2020 (August 12, 2020) and is intended as a free starter guide to understanding concepts and configurations related to Office 365 DKIM, DMARC and more.
Please be advised, this information is not guaranteed to be suitable for complete use as a 100% fool-proof guide to configuration of your email deliverability or DKIM or DMARC. Please note that there is a risk you can cause the ceasing of all proper inbound or outbound email and we would advise you to be very careful.
If you are looking for detailed instructions how to enable DKIM in Microsoft Office 365 and you have been confused about CNAME DNS TXT and so forth and are not sure what you’re supposed to even put for CNAMEs at all, how to check if you did it right, and so forth, please continue reading on.
Windows PowerShell
Access to DNS
Access to Exchange Online through PowerShell
PowerShell Script Validate-DkimConfig.ps1 download. You can see the script at the bottom of this post.
Connecting to Exchange Online
First you should connect to Exchange Online using PowerShell as below:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Is Multi-Factor-Authentication (MFA) Enabled In Your Case?
In the case that you have Multi-factor authentication (MFA) enabled, make sure you follow these instructions below instead to connect to Exchange Online. Once you have the MFA enabled module installed, you can run the below command and once that has loaded run Connect-EXOPSSession.
Please note that this command for MFA in particular was not tested exhaustively by Dynamics Edge – the non-MFA version was tested and found to be working – we cannot guarantee either version will work for you. If it is acceptable to temporarily suspend your MFA for the specific user, you may want to consider turning off MFA for the user for a specific, small window of time, presuming this is allowed for your company policies. Do not disable MFA and do not do anything in this article without professional guidance, both from your company, and from an expert such as Dynamics Edge. We highly recommend that you request a custom Office 365 DKIM Training and Consulting Workshop using this link especially for any questions or concerns you have about following this guide, and what you may need to know that is not spelled out for you in this guide.
$CreateEXOPSSession = (Get-ChildItem -Path $env:userprofile -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue -Force | Select -Last 1).DirectoryName
. “$CreateEXOPSSession\CreateExoPSSession.ps1”
If all went fine, you should see something confirming your successful issuing of this command.
Check current DKIM configuration status
Run the following command below to see current DKIM configuration
Gather required settings for DNS
To enable DKIM we must add two CNAME records to DNS, we use the Validate-DkimConfig cmdlet to provide us with the detailed information we must set in DNS
Load the functions included in validate-dkimconfig.ps1 and then run validate-dkimconfig.
Replace “” below with your domain.
PS C:\temp> . .\Validate-DkimConfig.ps1
PS C:\temp> validate-dkimconfig -domain
Please note the dot at the beginning, a space, and then another dot before the slash – this is NOT a typo. It is
. .\Validate-DkimConfig.ps1
Typing in just one dot, or in other words typing .\Validate-DkimConfig.ps1 you should get an error when then typing validate-dkimconfig -domain
This is NOT a typo.
It’s intentionally like this:
. .\Validate-DkimConfig.ps1
Registering DKIM in DNS
Supposing you host DNS in Azure, add the CNAMES there. If you use another DNS, use your dNS control panel to add them over there.
Then run the following command again below.
PS C:\temp> validate-dkimconfig -domain
If you check that the DNS records are active, you should see output saying the keys match andthe CNAMES are active and match the CNAMES for the O365 DKIM Config.
Enable DKIM
Now that we have the DNS records published, it is time to enable DKIM. This is actually done by running the following command below:
New-DkimSigningConfig -DomainName -Enabled $true
Finally, you should run the following command again to validate all is configured correctly as below.
PS C:\temp> validate-dkimconfig -domain
We also recommend you run the validate-dkimconfig -domain command with your domain as well to really understand what this script does. We also recommend you check every line of the script yourself to make sure it does what you think it does. Some organizations do not allow the use of scripts found on the internet – check with your company policy on this.
Please note as of 8-12-2020 we found the script for our purposes largely useful. We do not guarantee that it will work for your scenarios nonetheless, but we can tell you that for some of our purposes we had success.
Note that as of 8-12-2020 we noticed the use of 2048 bit keys, and some lines in the PowerShell were causing false negative reports on key mismatches. Some of the original code in the original PowerShell truncates the 2048 bit keys. This can possibly be solved with small modification to the script.
We solved this for our purposes (and it worked) by replacing all instances of any lines similar to the below:
with something along the lines of this below:
[system.String]::Join("", $txt1Dns.Strings.Trim()).Trim()
This modification should be the case in our version as of 8-12-2020, if you use specifically our version when you test in your non-production or sandbox Office 365 tenants. We cannot guarantee we made modifications that will solve all possible scenarios, nor can we guarantee this script works at all for your scenario.
Script start:
function Validate-DkimConfig
if ($domain) {
$config = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if ($config) {
Validate-DkimConfigDomain $config -showAll:$showAll
} else {
else {
$configs = Get-DkimSigningConfig
if ($configs -and $configs.Count -gt 0) {
foreach ($config in $configs) { Validate-DkimConfigDomain $config -showAll:$showAll}
} else {
Write-Host "No DKIM Signing Configs Found" -ForegroundColor Yellow
if ($notFound -and $domain) {
Write-Host "Config for domain $($domain) Not Found" -ForegroundColor Yellow
if (!$domain.EndsWith("") -and !$domain.EndsWith("")) {
Validate-DkimCnameOnly $domain
# Performs the main validation of a configuration
function Validate-DkimConfigDomain
# Display the configuration
$domain = $config.Domain;
$onmicrosoft = if ($domain.EndsWith("") -or $domain.EndsWith("")) { $true } else { $false }
$actions = @()
Write-Host "Config for $domain Found..." -ForegroundColor Yellow
if ($showAll) {
$config | fl
else {
$config | Select Identity, Enabled, Status, Selector1CNAME, Selector2CNAME, KeyCreationTime, LastChecked, RotateOnDate, SelectorBeforeRotateonDate, SelectorAfterRotateonDate | fl
if (!$config.Enabled) {
Write-Host "Config $($config.Name) Not Enabled" -ForegroundColor Yellow
$actions += "Config $($config.Name) needs to be Enabled"
# Get the DNS ENtries
Write-Host "Locating DNS Entries..." -ForegroundColor Yellow
$cname1 = "selector1._domainkey.$($domain)"
$cname2 = "selector2._domainkey.$($domain)"
$txt1 = $config.Selector1CNAME;
$txt2 = $config.Selector2CNAME;
$cname1Dns = Resolve-DnsName -Name $cname1 -Type CNAME -ErrorAction SilentlyContinue
$cname2Dns = Resolve-DnsName -Name $cname2 -Type CNAME -ErrorAction SilentlyContinue
$txt1Dns = Resolve-DnsName -Name $txt1 -Type TXT -ErrorAction SilentlyContinue
$txt2Dns = Resolve-DnsName -Name $txt2 -Type TXT -ErrorAction SilentlyContinue
# Validate Entries
Write-Host "Validating DNS Entries..." -ForegroundColor Yellow
Write-Host "Config CNAME1 : $($config.Selector1CNAME)"
if (!$onmicrosoft) {
if ($cname1Dns -and $cname1Dns.NameHost) {
Write-Host "DNS CNAME1 : $($cname1Dns.NameHost)"
Write-Host "TXT Hostname : $($cname1)"
$match = if ($config.Selector1CNAME.Trim() -eq $cname1Dns.NameHost.Trim()) { $true } else { $false }
if ($match) {
write-host "Matched : $($match)" -ForegroundColor Green
} else {
write-host "Matched : $($match)" -ForegroundColor Red
$actions += "Publish CNAME TXT Entry $($cname1) with value $($txt1)"
else {
write-host "DNS NotFound : $($cname1)" -ForegroundColor Red
$actions += "Publish DNS CNAME Entry $($cname1) with value $($txt1)"
Write-Host "Config CNAME2 : $($config.Selector2CNAME)"
if (!$onmicrosoft) {
if ($cname2Dns -and $cname2Dns.NameHost) {
Write-Host "DNS CNAME2 : $($cname2Dns.NameHost)"
Write-Host "TXT Hostname : $($cname2)"
$match = if ($config.Selector2CNAME.Trim() -eq $cname2Dns.NameHost.Trim()) { $true } else { $false }
if ($match) {
write-host "Matched : $($match)" -ForegroundColor Green
} else {
write-host "Matched : $($match)" -ForegroundColor Red
$actions += "Publish DNS CNAME Entry $($cname2) with value $($txt2)"
else {
write-host "DNS NotFound : $($cname2)" -ForegroundColor Red
$actions += "Publish DNS CNAME Entry $($cname2) with value $($txt2)"
Write-Host "Config TXT1 : $($config.Selector1PublicKey)"
if ($txt1Dns -and $txt1Dns.Strings) {
$key = [system.String]::Join("", $txt1Dns.Strings.Trim()).Trim()
Write-Host "DNS TXT1 : $($key)"
$match = if (Compare-PublicAndConfigKeys $key $config.Selector1PublicKey) { $true } else { $false }
if ($match) {
write-host "Key Match : $($match)" -ForegroundColor Green
} else {
write-host "Key Match : $($match)" -ForegroundColor Red
$actions += "Public Key in TXT Entry $($txt1) needs to be republished..."
else {
write-host "DNS NotFound : $($txt1)" -ForegroundColor Red
$actions += "Microsoft TXT Entry $($txt1) not found so Signing Config needs to be recreated..."
Write-Host "Config TXT2 : $($config.Selector2PublicKey)"
if ($txt2Dns -and $txt2Dns.Strings) {
$key = [system.String]::Join("", $txt2Dns.Strings.Trim()).Trim()
Write-Host "DNS TXT2 : $($key)"
$match = if (Compare-PublicAndConfigKeys $key $config.Selector2PublicKey) { $true } else { $false }
if ($match) {
write-host "Key Match : $($match)" -ForegroundColor Green
} else {
write-host "Key Match : $($match)" -ForegroundColor Red
$actions += "Public Key in TXT Entry $($txt2) needs to be republished..."
else {
write-host "DNS NotFound : $($txt2)" -ForegroundColor Red
$actions += "Microsoft TXT Entry $($txt2) not found so Signing Config needs to be recreated..."
# Write out neccessary Actions
if ($actions.Count -gt 0) {
Write-Host "Required Actions..." -ForegroundColor Yellow
foreach ($action in $actions) { write-host $action}
# Performs a validation of the Dkim CNAMES
function Validate-DkimCnameOnly
# Get the DNS Entries
Write-Host "Locating DNS Entries..." -ForegroundColor Yellow
$cname1 = "selector1._domainkey.$($domain)"
$cname2 = "selector2._domainkey.$($domain)"
$cname1Dns = Resolve-DnsName -Name $cname1 -Type CNAME -ErrorAction SilentlyContinue
$cname2Dns = Resolve-DnsName -Name $cname2 -Type CNAME -ErrorAction SilentlyContinue
if ($cname1Dns) {
Write-Host "DNS CNAME1 : $($cname1)" -ForegroundColor Green
Write-Host "Host Value : $($cname1Dns.NameHost)"
else {
write-host "CNAME1 NotFound : $($cname1)" -ForegroundColor Red
if ($cname2Dns) {
Write-Host "DNS CNAME2 : $($cname2)" -ForegroundColor Green
Write-Host "Host Value : $($cname2Dns.NameHost)"
else {
write-host "CNAME2 NotFound : $($cname2)" -ForegroundColor Red
# Compares public and published keys
function Compare-PublicAndConfigKeys([string] $publicKey, [string] $configKey)
$match = $false;
if (![string]::IsNullOrWhiteSpace($publicKey) -and ![string]::IsNullOrWhiteSpace($configKey)) {
$regex = "p=(.*?);"
$foundPublic = $publicKey -match $regex
$publicValue = if ($foundPublic) { $matches[1] } else { $null }
$foundConfig = $configKey -match $regex
$configValue = if ($foundConfig) { $matches[1] } else { $null }
if ($foundPublic -and $foundConfig) {
if ($publicValue.Trim() -eq $configValue.Trim()) {
$match = $true;
We hope you enjoyed this and found this helpful.
