Close Menu
    Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365
    Exchange

    Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365

    For years, the standard key length was 1024-bit DKIM keys, but hackers continue to develop new methods to break DKIM keys. As a result, the National Institute of Standards and Technology (NIST) recommends 2048-bit keys. In this article, you will learn how to check the DKIM key length and how to upgrade it to 2048 key length in Exchange Online (Microsoft 365).

    What is DomainKeys Identified Mail (DKIM)?

    DomainKeys Identified Mail (DKIM) is an authentication process that can help protect both senders and recipients from forged and phishing email. Add DKIM signatures to your domains, so recipients know that email messages actually came from users in your organization and weren’t modified after they were sent.

    Read more in the article: Configure DKIM record for Office 365.

    Why set a DKIM 2048-bit key?

    A 1024-bit DKIM key can be broken in under 4 days using a cheap, simple cloud server. Once it’s cracked, attackers can send fake emails from that sender’s domain with a valid DKIM signature. These emails can trick mail gateways that have outdated or incomplete DKIM checks into accepting them.

    That’s why it’s essential to set up a DKIM 2048-bit key for all of your domains!

    How to upgrade DKIM 1024-bit keys to 2048-bit keys in Exchange Online

    To upgrade DKIM 1024-bit to 2028-bit keys in Exchange Online, follow the steps below:

    Step 1. Find DKIM selectors

    There are many tools online where you can fill in your domain and scan for DKIM selectors. However, this is not the correct way, as they only look up the most popular selectors.

    We recommend signing in to the domain registrar and finding all the DKIM records for the domain. Once you have all the selectors, write them down and proceed to the next step.

    You might have different applications for which you have set a DKIM record. You must find all the DKIM selectors to check which DKIM key length they have in the next step.

    The DKIM selectors for Microsoft 365 domains are:

    In our example, we only have the Exchange Online DKIM selectors in DNS, and that’s what we will focus on.

    Step 2. Get DKIM keys length

    To get the Exchange Online domain’s DKIM key length for the selectors, follow these steps:

    1. Go to MxToolbox DKIM Record Lookup
    2. Fill in the domain name and the selector
    3. Click on DKIM Lookup
    Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 checkUpgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 check
    1. Verify the domain’s DKIM key length and write them down if it’s using a 1024 or 2048 bit key length

    In this example, selector 1 has a 1024-bit DKIM key.

    Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 selector1Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 selector1

    Selector 2 has a 2048-bit DKIM key.

    Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 selector2Upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365 selector2

    You want to have all DKIM keys set as 2048-bit keys. Let’s look at that in the next step.

    Step 3. Upgrade DKIM to 2048-bit keys

    To upgrade your DKIM keys to 2048-bit keys in Exchange Online (Microsoft 365), follow the steps below:

    1. Install Exchange Online PowerShell
    2. Connect to Exchange Online PowerShell
    Connect-ExchangeOnline
    1. Find all the domains and their DKIM key size
    Get-DkimSigningConfig | Format-Table Identity, Selector1KeySize, Selector2KeySize

    The output appears.

    exoip.com                                 1024             2048
exoip365.mail.onmicrosoft.com             2048             2048
exoip365.onmicrosoft.com                  2048             2048

    To get all the information for a single domain.

    Get-DkimSigningConfig -Identity "exoip.com" | Format-List

    To get all the information for all the domains.

    Get-DkimSigningConfig | Format-List
    1. Upgrade DKIM key to 2048-bit for the domain

    Note: Upgrading the key size to 2048 only upgrades the selector that isn’t currently active. After key rotation has taken place, you need to run the command again to upgrade the key size of the other selector. But that’s only possible after 4 days.

    Rotate-DkimSigningConfig -Identity "exoip.com" -KeySize "2048"
    1. Verify that the 2048-bit key is set for the domain
    Get-DkimSigningConfig -Identity "exoip.com" | Format-Table Identity, Selector1KeySize, Selector2KeySize

    The output shows the 2048-bit key

    Identity  Selector1KeySize Selector2KeySize
--------  ---------------- ----------------
exoip.com             2048             2048

    Rotate DKIM keys

    We recommend rotating DKIM keys frequently. The DKIM rotation can be immediate, every couple of months, or once a year. It depends on each organization’s security policy and its risk. Read more in the article Rotate DKIM keys in Microsoft 365.

    Conclusion

    You learned how to upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365. Go through all the domains in Microsoft 365 and create a report of all their DKIM selector key size. Once done, upgrade all the keys to 2048-bit. Remember that you need to rotate the other selector key after 4 days have elapsed.

    Did you enjoy this article? You may also like Protect domain from spam, phishers and viruses. Don’t forget to follow us and share this article.

    Share.

    Related Posts

    Add A Comment

    Comments are closed.