How to Manually Upgrade Your 1024-bit Keys to 2048-bit DKIM Encryption Keys
Note: Microsoft 365 automatically sets up DKIM for onmicrosoft.com domains. If you use a Microsoft domain, nothing else is needed to enable DKIM for any initial domain names (e.g., litware.onmicrosoft.com).
Since both 1024-bit and 2048-bit DKIM keys are supported, the following instructions show how to upgrade your 1024-bit key to 2048-bit in Exchange Online PowerShell. The steps below cover two use cases, so choose the one that best fits your current configuration.
1. If you already have DKIM configured, rotate the key size by running the following command in PowerShell:
Rotate-DkimSigningConfig -KeySize 2048 -Identity {Guid of the existing Signing Config}
2. For a new implementation of DKIM, run the following command in PowerShell:
New-DkimSigningConfig -DomainName <Domain for which config is to be created> -KeySize 2048 -Enabled $true
Stay connected to Exchange Online PowerShell to verify the configuration by running the following command:
Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List
Note: The new 2048-bit key takes effect on the RotateOnDate; in the meantime, emails are sent with the 1024-bit key. After four days, you can retest with the 2048-bit key (that is, after the rotation takes effect to the second selector).
If you want to rotate to the second selector, you have the following options:
1. Let the Microsoft 365 service rotate the selector and upgrade to a 2048-bit key within the next six months.
2. After four days, and after confirming that the 2048-bit key is in use, manually rotate the second selector key by using the appropriate cmdlet listed above.
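To make the verification step repeatable, the following added example (not Microsoft's code) reads the object returned by Get-DkimSigningConfig and reports which selector is signing now, its key size, and what remains to be done. The helper name Get-DkimKeyUpgradeStatus is hypothetical, the sample object is constructed, and the example assumes RotateOnDate is expressed in UTC and that the properties are named as they appear in the Format-List output.

```powershell
# Added example. Get-DkimKeyUpgradeStatus is a hypothetical helper, not a built-in cmdlet.
# Property names are assumed to match the Get-DkimSigningConfig | Format-List output.
function Get-DkimKeyUpgradeStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Config,
        [datetime]$Now = [datetime]::UtcNow,   # assumption: RotateOnDate is UTC
        [int]$RequiredKeySize = 2048
    )
    process {
        # Until RotateOnDate the service signs with SelectorBeforeRotateOnDate,
        # from RotateOnDate onward with SelectorAfterRotateOnDate.
        $rotated = $Now -ge ([datetime]$Config.RotateOnDate)
        $active  = if ($rotated) { $Config.SelectorAfterRotateOnDate } else { $Config.SelectorBeforeRotateOnDate }
        $standby = if ($rotated) { $Config.SelectorBeforeRotateOnDate } else { $Config.SelectorAfterRotateOnDate }
        $sizes   = @{ selector1 = [int]$Config.Selector1KeySize; selector2 = [int]$Config.Selector2KeySize }
        $activeSize  = $sizes[[string]$active]
        $standbySize = $sizes[[string]$standby]
        $next = if (-not $Config.Enabled) { 'DKIM signing is disabled for this domain' }
                elseif ($activeSize -ge $RequiredKeySize -and $standbySize -ge $RequiredKeySize) { 'Both selectors use the required key size' }
                elseif ($activeSize -ge $RequiredKeySize) { 'Active key upgraded; other selector still has a smaller key' }
                elseif (-not $rotated -and $standbySize -ge $RequiredKeySize) { 'Upgraded key is staged; retest after RotateOnDate' }
                else { 'No upgraded key found; rotate with -KeySize 2048' }
        [pscustomobject]@{
            Domain          = $Config.Domain
            ActiveSelector  = $active
            ActiveKeySize   = $activeSize
            StandbySelector = $standby
            StandbyKeySize  = $standbySize
            RotateOnDate    = $Config.RotateOnDate
            NextStep        = $next
        }
    }
}

# Constructed sample: state right after rotating an existing 1024-bit config to 2048.
$sample = [pscustomobject]@{
    Domain = 'example.com'; Enabled = $true
    Selector1KeySize = 1024; Selector2KeySize = 2048
    SelectorBeforeRotateOnDate = 'selector1'; SelectorAfterRotateOnDate = 'selector2'
    RotateOnDate = [datetime]'2024-05-05T00:00:00'
}
$sample | Get-DkimKeyUpgradeStatus -Now ([datetime]'2024-05-02')   # evaluated before RotateOnDate
$sample | Get-DkimKeyUpgradeStatus -Now ([datetime]'2024-05-06')   # evaluated after RotateOnDate
# Against a live tenant: Get-DkimSigningConfig -Identity <domain> | Get-DkimKeyUpgradeStatus
```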