DKIM configuration fails with ‘object couldn’t be found’

In this article I shou you, how to solve this error:

The operation couldn't be performed because object 'MyDomain' couldn't be found on 'DB7P281A04DC002.DEUP281A004.PROD.OUTLOOK.COM'.

This error may happen when you try to configure DKIM for a custom domain in Microsoft 365. When you have a look at PowerShell or the admin center ( DomainKeys Identified Mail (DKIM) – Security & Compliance (office.com) ) you will see that nothing is configured:

Now there are some (generally good) articles on docs.microsoft.com that instruct how to configure DKIM: How to use DKIM for email in your custom domain – Office 365 | Microsoft Docs

Bad about that is, that if you jump to the chapter “configure DKIM for more than one custom domain” (like I did accidentially today) you miss the important step to create a new DKIM signature. Missing that ends up in an error message like that:

The operation couldn't be performed because object 'MyDomain' couldn't be found on 'DB7P281A04DC002.DEUP281A004.PROD.OUTLOOK.COM'.
     + CategoryInfo          : NotSpecified: (:) [Set-DkimSigningConfig], ManagementObjectNotFoundException
     + FullyQualifiedErrorId : [Server=FR0P281MB0560,RequestId=3e731813-405c-452f-a32c-869c465b9fd8,TimeStamp=4/6/2021 9:41:15 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 6DE53B5,Microsoft.Exchange.Management.SystemConfigurationTasks.SetDkimSigningConfig
     + PSComputerName        : outlook.office365.com

So follow these steps and DKIM correctly from the beginning and the configuration will be successful:

The admin center immediately reflects the change:

Now I continue the configuration with PowerShell and finalize it:

This returns you some DNS entries that you have to set to complete your DKIM registration. Your task is now to register these CNAME records. The tricky part is now to build the DNS entries correctly. To build these, you need to know your domainGUID and your onmicrosoft.com domain.

You can extract your domainGUID from your MX record (if it points to Exchange Online) or look it up in the DNS panel in the domains section of Microsoft 365:

nslookup
set type=mx
YOURDOMAIN.COMCode language: Bash (bash)

The commands above will give you the MX record for your domain. If your domain is contoso.com, it will look like that:

contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.comCode language: Bash (bash)

With that you can build your 2 CNAME records:

Now is the time for what you love most in IT – wait.. ususally it is around 10 minutes. After that time, you can switch DKIM to activated (by toggling the switch in the admin center on or via PowerShell):

No error is always good in PowerShell. So the last part is now to check if the configuration really works. The easiest way is using another Exchange Online account or outlook.com or hotmail. Send an email to that account and have a look at the header. It must contain an entry that looks like this:

From: Example User <>
  DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
      s=selector1; d=contoso.com; t=1429912795;
      h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
      bh=<body hash>;
      b=<signed field>;Code language: HTML, XML (xml)

This example is taken from Microsoft Docs. There is an additional header that is named Authentication-Results. This contains a vaule like DKIM=pass or DKIM=ok.

All of the above needs to be done for each domain (and don’t forget to start with New-DkimSigningConfig instead of Set-DkimSigningConfig 🙂 ). DKIM will then add additional security and verify that your domain is valid and not for spam or phishing purposes. My tests have shown that the SCL changes from 9 to 5 or lower.