DKIM cannot retrieve or create keys

Question

I was setting up DKIM through the domain setup and the CNAME records have verified. When I check in security center It shows that it is enabled but there are no keys available. When I click create DKIM keys I receive an error stating that there is an error in retrieving encrypted keys

Answer 1

Instead of the traditional way of putting in DKIM into DNS via dkim keys, Microsoft uses two CNAME records for DKIM. That should be sufficient if done correctly to make your emails DKIM compliant.

https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure

Answer 2

Dear hscomposite,

Thank you for reaching out to Microsoft Community. We are happy to assist you.

I'm sorry to hear that you're encountering an issue with DKIM key creation. Sometimes, toggling the DKIM setting off and then back on can help resolve issues.

You can also use PowerShell to get the DKIM keys.

To install and connect, use the following commands:

Set-ExecutionPolicy RemoteSigned
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

To create a DKIM signing configuration for the domain "example.com" and set it to be disabled initially, use the following command:

New-DkimSigningConfig -DomainName "example.com" -Enabled $false

To create/retrieve the DKIM signing configuration for a domain using the Get-DkimSigningConfig command, use:

Get-DkimSigningConfig -Identity "example.com" | Format-List Selector1CNAME, Selector2CNAME

After publishing DKIM keys, you need to wait for propagation which might take up to 24 hours. Then, you can enable it from the admin portal or by using the following PowerShell command:

Set-DkimSigningConfig -Identity "example.com" -Enabled $true

Reference: How to use DKIM for email in your custom domain - Microsoft Defender for Office 365 | Microsoft Learn

I hope this helps. If the issue still persists after trying these steps, please raise a support ticket from the admin portal so our front-line support team can help you recover the DKIM keys from backend tools. If needed, a front-line technical support engineer can also have a specific support team investigate further.

Due to the limited permissions and access resources of our forum moderators, we are unable to collect or share certain types of log information in public forums for this reason and for the privacy of our users' data. 

For the standard procedure information provided above, in your organization, Office 365 Global Admins may need to contact the Office 365 support team on the backend through an open service request so that they can diagnose this particular scenario with some more technical resources,  

For this standard procedure, the following is the official documentation that Global Admins refer to: Get support - Microsoft 365 admin | Microsoft Learn (Online option). 

Note: If you are an end-user person, you may need to contact the Office 365 Global Administrator in your business organization to contact a Technical Support Engineer for further processing.  

Important: If any of your organization's Office 365 Business/Business/Education subscriptions are from a federated partner or reseller and the global admin can't open a service request on their end, they may need to contact the reseller's support provider so they can help the global admin open the service request on their end. After that, the Office 365 support team will participate in the service request that was created. 

Thank you very much for your valuable time in your cooperation.

Sincerely

Feroz Mahmud | Microsoft Community Moderator