
DKIM selector2 not working for Microsoft 365 domain

We added a domain to the Microsoft 365 tenant and enabled DKIM for that domain. When checking the DKIM records (selector1 and selector2), the result shows that no DKIM record was found for selector2. Why is DKIM selector2 not working? In this article, you will learn how to fix no DKIM record found for selector2.

No DKIM record found for selector2

We added a domain to the Microsoft 365 admin portal and configured DKIM for that domain.

Let’s check both the DKIM selector records with MxToolbox:

  • Selector1 record
  • Selector2 record

DKIM selector1 record

The DKIM selector1 in DNS shows that the record is published.


DKIM selector2 record

The DKIM selector2 in DNS shows No DKIM Record found.


Solution to no DKIM record found for selector2

The solution for No DKIM record found for selector2 is to rotate the domain’s DKIM keys:

  1. Go to the Microsoft 365 DKIM page
  2. Select the domain in the list
  3. Click on Rotate DKIM keys
  4. Verify that the status shows Rotating keys for this domain and signing DKIM signatures

In the next step, we will check that the DKIM selector2 record is found, valid, and that the public key is present.

Verify DKIM selector2 record works

Go to MxToolbox and verify the DKIM selector2 record. The DKIM record is available and shown.


Everything looks great!
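The three things checked above (record found, valid, public key present) can also be tested locally once you have the TXT data that DNS returns for the selector. The following is an added example, not part of the original article: the function names and sample values are constructed for illustration, and the DNS lookup itself is left out so the code runs offline.

```python
import base64
import re
from typing import Optional

# Constructed sample data (not from the article; the key bytes are not a real RSA key).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; d=yourdomain.com; s=selector2; "
                    "h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed-demo-key").decode()

def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list and strip folding whitespace from values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # split on the first '=' only
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(selector: str, domain: str) -> str:
    """DNS name that holds the public key for a selector."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")

def signature_query_name(dkim_signature: str) -> str:
    """Derive the lookup name from the s= and d= tags of a DKIM-Signature value."""
    tags = parse_tags(dkim_signature)
    return dkim_query_name(tags["s"], tags["d"])

def check_dkim_record(txt: Optional[str]) -> str:
    """Classify the TXT data for a selector: missing, invalid, revoked or ok."""
    if not txt:
        return "missing"  # the "No DKIM Record found" case
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid: unexpected version"
    if "p" not in tags:
        return "invalid: no p= tag"
    if tags["p"] == "":
        return "revoked"  # an empty p= means the key has been revoked
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid: p= is not base64"
    return f"ok: {len(key)} byte public key, k={tags.get('k', 'rsa')}"

if __name__ == "__main__":
    print(signature_query_name(SAMPLE_SIGNATURE))
    print(check_dkim_record(SAMPLE_RECORD))
    print(check_dkim_record(None))
```

Run the check against both selector1 and selector2, because either one may be the selector in use for signing after a key rotation.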


Conclusion

You learned how to fix no DKIM record found for selector2. The solution is to rotate the DKIM keys for the domain in the Microsoft 365 portal. Then, give it a few minutes and verify that the selector2 record is found and published.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 5 Comments

  1. Hello,
    thanks for the article.
    I added the DNS zones but there is only one selector that appears. Selector 2 does not appear.
    When I want to activate “sign messages for this domain with DKIM signatures” I get a client error saying that the CNAMES records are missing.
    As long as the option is not activated, I cannot perform a key rotation.
    Do you have an idea? I have already recreated the CNAME several times at our host.

    Thanks for your help.

      1. Thanks for the feedback,
        I have already configured and checked the CNAME at the hosting company about 10 times.
        I only have the selector1 that appears. I think there must be a problem on the Microsoft side. Some people have already encountered the problem on the net.
        If someone has a solution or a workaround before opening a support ticket at Microsoft I would be delighted!

    1. Yes, DKIM authentication will fail for outgoing mail.

      It can negatively impact deliverability, as mailbox providers may send the message to the spam folder or block it entirely.

      When the email hits the receiving server, the server looks at the email headers to find the “s=selector2” tag. If the tag is present, the server extracts the selector from the tag, then looks up the DNS for the public key at the following location:

      selector2._domainkey.yourdomain.com

      If the public key is found, the server uses it to decrypt the message to check its integrity. If the check passes, DKIM authentication succeeds; otherwise, it fails.
