For years, 1024-bit was the standard DKIM key length, but hackers continue to develop new methods to break DKIM keys. As a result, the National Institute of Standards and Technology (NIST) recommends 2048-bit keys. In this article, you will learn how to check the DKIM key length and how to upgrade it to a 2048-bit key in Exchange Online (Microsoft 365).
What is DomainKeys Identified Mail (DKIM)?
DomainKeys Identified Mail (DKIM) is an authentication process that can help protect both senders and recipients from forged and phishing email. Add DKIM signatures to your domains, so recipients know that email messages actually came from users in your organization and weren’t modified after they were sent.
Read more in the article: Configure DKIM record for Office 365.
Why set a DKIM 2048-bit key?
A 1024-bit DKIM key can be broken in under 4 days using a cheap, simple cloud server. Once it’s cracked, attackers can send fake emails from that sender’s domain with a valid DKIM signature. These emails can trick mail gateways that have outdated or incomplete DKIM checks into accepting them.
That’s why it’s essential to set up a DKIM 2048-bit key for all of your domains!
How to upgrade DKIM 1024-bit keys to 2048-bit keys in Exchange Online
To upgrade DKIM 1024-bit keys to 2048-bit keys in Exchange Online, follow the steps below:
Step 1. Find DKIM selectors
There are many tools online where you can fill in your domain and scan for DKIM selectors. However, this is not the correct way, as they only look up the most popular selectors.
We recommend signing in to the domain registrar and finding all the DKIM records for the domain. Once you have all the selectors, write them down and proceed to the next step.
You might have different applications for which you have set a DKIM record. You must find all the DKIM selectors to check which DKIM key length they have in the next step.
The DKIM selectors for Microsoft 365 domains are:
In our example, we only have the Exchange Online DKIM selectors in DNS, and that’s what we will focus on.
Step 2. Get DKIM key length
To get the Exchange Online domain’s DKIM key length for the selectors, follow these steps:
- Go to MxToolbox DKIM Record Lookup
- Fill in the domain name and the selector
- Click on DKIM Lookup


- Check the domain’s DKIM key length and write down whether it uses a 1024-bit or 2048-bit key
In this example, selector 1 has a 1024-bit DKIM key.


Selector 2 has a 2048-bit DKIM key.


You want to have all DKIM keys set as 2048-bit keys. Let’s look at that in the next step.
Step 3. Upgrade DKIM to 2048-bit keys
To upgrade your DKIM keys to 2048-bit keys in Exchange Online (Microsoft 365), follow the steps below:
- Install Exchange Online PowerShell
- Connect to Exchange Online PowerShell
Connect-ExchangeOnline
- Find all the domains and their DKIM key size
Get-DkimSigningConfig | Format-Table Identity, Selector1KeySize, Selector2KeySize
The output appears.
exoip.com 1024 2048
exoip365.mail.onmicrosoft.com 2048 2048
exoip365.onmicrosoft.com 2048 2048
To get all the information for a single domain:
Get-DkimSigningConfig -Identity "exoip.com" | Format-List
To get all the information for all the domains:
Get-DkimSigningConfig | Format-List
- Upgrade DKIM key to 2048-bit for the domain
Note: Upgrading the key size to 2048 only upgrades the selector that isn’t currently active. After key rotation has taken place, you need to run the command again to upgrade the key size of the other selector. But that’s only possible after 4 days.
Rotate-DkimSigningConfig -Identity "exoip.com" -KeySize "2048"
- Verify that the 2048-bit key is set for the domain
Get-DkimSigningConfig -Identity "exoip.com" | Format-Table Identity, Selector1KeySize, Selector2KeySize
The output shows the 2048-bit key
Identity Selector1KeySize Selector2KeySize
-------- ---------------- ----------------
exoip.com 2048 2048
Rotate DKIM keys
We recommend rotating DKIM keys frequently. The DKIM rotation can be immediate, every couple of months, or once a year. It depends on each organization’s security policy and its risk. Read more in the article Rotate DKIM keys in Microsoft 365.
Conclusion
You learned how to upgrade DKIM 1024-bit keys to 2048-bit keys in Microsoft 365. Go through all the domains in Microsoft 365 and create a report of all their DKIM selector key sizes. Once done, upgrade all the keys to 2048-bit. Remember that you need to rotate the other selector key after 4 days have elapsed.