How to Upgrade DKIM Encryption Keys to 2048-bit

Microsoft 365 automatically sets up DKIM for domains. No steps are needed to use DKIM for any initial domain names (like For more information about domains, see Domains FAQ.

Since both 1024 and 2048 bitness are supported for DKIM keys, these directions will tell you how to upgrade your 1024-bit key to 2048 in Exchange Online PowerShell. The steps below cover two use cases; choose the one that best fits your configuration.

When you already have DKIM configured, you rotate bitness by running the following command:

Rotate-DkimSigningConfig -KeySize 2048 -Identity <Domain for which the configuration was set>

For a new implementation of DKIM, run the following command:

New-DkimSigningConfig -DomainName <Domain for which the configuration was set> -KeySize 2048 -Enabled $true

Stay connected to Exchange Online PowerShell to verify the configuration by running the following command:

Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List

Sample screenshots (images not available): Upgrade DKIM key size to 2048; Verify DKIM key size.

The new 2048-bit key takes effect on the RotateOnDate; in the interim, email is still signed with the 1024-bit key. After four days, you can test again with the 2048-bit key (that is, once the rotation takes effect to the second selector).

If you want to rotate to the second selector, wait four days, confirm that 2048-bitness is in use, and then manually rotate the second selector key by using the appropriate cmdlet listed above.
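To confirm which key size a selector actually publishes in DNS, the check below parses a DKIM TXT record and reports the RSA key size taken from its p= tag. It is an added example, not part of the original article or Microsoft's tooling: Get-DkimRecordKeySize is a hypothetical helper name, the sample records are built from throwaway keys generated locally, example.com is a placeholder, and PowerShell 7 or later is assumed.

```powershell
# Added example (hypothetical helper). Requires PowerShell 7+ for the
# ImportSubjectPublicKeyInfo / ExportSubjectPublicKeyInfo methods.
function Get-DkimRecordKeySize {
    param([Parameter(Mandatory)][string]$TxtValue)

    # A DKIM key record is a list of tag=value pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in $TxtValue -split ';') {
        $name, $value = $pair -split '=', 2   # keep base64 '=' padding intact
        if ($null -ne $value) { $tags[$name.Trim()] = ($value -replace '\s', '') }
    }
    if (-not $tags.ContainsKey('p') -or $tags['p'] -eq '') {
        throw 'No key data in p=: the record is incomplete or the key is revoked.'
    }
    if ($tags.ContainsKey('k') -and $tags['k'] -ne 'rsa') {
        throw "Key type '$($tags['k'])' is not RSA."
    }

    # p= holds a base64 DER SubjectPublicKeyInfo; import it and read the size.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    try {
        $rsa.ImportSubjectPublicKeyInfo([Convert]::FromBase64String($tags['p']), [ref]$null)
        return $rsa.KeySize
    }
    finally { $rsa.Dispose() }
}

# Constructed sample records: throwaway keys generated locally, not real DNS data.
foreach ($bits in 1024, 2048) {
    $key    = [System.Security.Cryptography.RSA]::Create($bits)
    $record = 'v=DKIM1; k=rsa; p=' + [Convert]::ToBase64String($key.ExportSubjectPublicKeyInfo()) + ';'
    $key.Dispose()

    $size   = Get-DkimRecordKeySize -TxtValue $record
    $status = if ($size -ge 2048) { 'OK' } else { 'still below 2048, rotation not in effect' }
    '{0}-bit sample record -> published key size {1} ({2})' -f $bits, $size, $status
}

# Live check on Windows (DnsClient module); long TXT records arrive as several
# strings that must be joined before parsing:
# $txt = Resolve-DnsName -Type TXT 'selector2._domainkey.example.com' |
#     Where-Object Strings | ForEach-Object { -join $_.Strings }
# Get-DkimRecordKeySize -TxtValue $txt
```

Run the live check against both selectors, since the 1024-bit key stays in use on one of them until the rotation takes effect.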

For detailed syntax and parameter information, see the following articles: Rotate-DkimSigningConfig, New-DkimSigningConfig, and Get-DkimSigningConfig.