Set up the required selector DNS records in order to support DKIM

[rambo11994]

The above gives me "not recommended" against several of my domains despite DNS records being in place for them.

[rambo11994]

Just to add to this. I have used this powershell cmdlet Get-DkimSigningConfig -Identity domainamehere | Fl and the domains that are on the report that have "Not Recommended" against them are all OK and show as having selector1 and 2 CNAMES present..

[jonade]

CNAMES can be present, but if in the DkimSigningConfig it's not set to Enabled = True then EXO won't apply the DKIM signing to the emails

[rambo11994]

Hi @jonade,

in DkimSigningConfig the domains are enabled and have valid CNAME records enabled.
Microsoft's very own troubleshooting tool confirms that DKIM has in fact been set up for the domains
But they still show as "not recommended"

[cammurray]

@rambo11994, do you happen to use a split-DNS configuration by any chance? E.g do your domains resolve differently internally & externally? If so, you'll need to specify the -AlternateDNS command when running the report, or alternatively, run the ORCA report from external to your network.

ORCA has DNS checks within it that look for the presence of these records, as if we were a receiver of mail. If we cannot resolve them like a receiver would, then these checks won't work.