A Powershell script to help you validate your DKIM config in Office 365

One of our support engineers (not me, so let’s give credit where credit is due) wrote a script to help you, as a customer of Office 365, validate for DKIM configuration once you have enabled it in the Admin Portal. We’ve added a few more checks to make it more clear, but you can also use this.

To verify your DKIM configuration:

1. Copy/paste the below script into a file, Validate-DkimConfig.ps1

2. Connect to Exchange Online using Powershell, making sure that the directory you are in is the same as where you saved the script above.

3. Type the following command in Powershell:

. .\Validate-DkimConfig.ps1.

4. To check the config for a single domain, run the following command:

Validate-DkimConfig <domain>

To show the full signing config, use the –showAll switch:

Validate-DkimConfig <domain> –showAll

To validate all domains for your organization, run the following command:


You will be able to see if anything is wrong because the output is color coded.

Update on May 12, 2016 - This script now lives on GitHub (instead of you having to copy/paste it here), and it fixes some key/dns missing errors https://github.com/carlnolan/scripting/blob/master/Validate-DkimConfig.ps1

Thanks to Carl Nolan for putting this up.

Comments (8)
  1. GarrinT says:

    Fantastic!  Thank you for sharing.

  2. Caio Ribeiro Cesar says:

    Nice… I will use this!! Thanks for sharing!

  3. Hi

    Any replacement for Resolve-DnsName for people not running Windows 8/2012 ?

  4. Harish says:

    I just tested its not resolving Validate-DkimConfig <domain> command.

    1. Pradeep says:

      • Small changes you need to make in the instructions as the article says that we need to run the script using \Validate-DkimConfig.ps1.
      • I just tried using the command : Import-Module .\Validate-DkimConfig.ps1 and then it worked as expected.

  5. Dima Razbornov says:


    Terry, +1 to Grzegorz Wierzbicki. On W7 machine i didn't have Resolve-DnsName unfortunately.

  6. Alan McFarlane says:

    Great stuff.

    Apparently $cname1Dns.NameHost can be null and the script fails!

    Config CNAME1 : selector1-XXXXXgolf-com._domainkey.XXXXX.onmicrosoft.com
    DNS CNAME1 :
    TXT Hostname : selector1._domainkey.XXXXXgolf.com
    You cannot call a method on a null-valued expression.
    At C:\Users\Alan\Documents\repos\lumait1-1\Scripts\Misc PS\Validate-DkimConfig.ps1:74 char:26
    + … match = if ($config.Selector1CNAME.Trim() -eq $cname1Dns.NameHost.Tri …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    Matched :

    The following statement fails; and the equivalent for $cname2Dns statement below.
    $match = if ($config.Selector1CNAME.Trim() -eq $cname1Dns.NameHost.Trim()) { $true } else { $false }

    It occurred on a domain where they have a wildcard DNS record at the root.

    So /one/ of these two logic changes required I guess; and again in the equivalent #2 statements. No warranties expressed or implied!!!
    @@ -67,10 +67,10 @@ function Validate-DkimConfigDomain
    Write-Host “Config CNAME1 : $($config.Selector1CNAME)”
    if (!$onmicrosoft) {
    – if ($cname1Dns) {
    + if ($cname1Dns -and $cname1Dns.NameHost) {
    – Write-Host “DNS CNAME1 : $($cname1Dns.NameHost)”
    + Write-Host “DNS CNAME1 : $($cname1Dns.NameHost)” ” [is null: ” ($cname1Dns.NameHost -eq $null) “]”
    Write-Host “TXT Hostname : $($cname1)”
    – $match = if ($config.Selector1CNAME.Trim() -eq $cname1Dns.NameHost.Trim()) { $true } else { $false }
    + $match = if ($cname1Dns.NameHost -and $config.Selector1CNAME.Trim() -eq $cname1Dns.NameHost.Trim()) { $true } else { $false }

  7. Carl Nolan says:

    An updated version of the script fixing some key/dns missing errors can be found at: https://github.com/carlnolan/scripting/blob/master/Validate-DkimConfig.ps1

Comments are closed.

Skip to main content