Sendmarc Microsoft 365 DKIM Key Rotator PowerShell Script

PowerShell Script to manually rotate the DKIM keys of the selected domain in MS365

!Important!

Sendmarc provides no support for PowerShell scripts and these are executed at your own risk. 

Sendmarc takes no responsibility for any issues that this script might cause.

Please read through the code before executing the script.

Please copy the contents of this script below into a TXT file and rename the file as "Sendmarc Sendmarc Microsoft 365 DKIM Key Rotator.ps1"

Should the script successfully execute, a log file will be created at C:\Sendmarc\nameofscript.txt

Please review this article on how to execute a PowerShell Script:

How To Run PowerShell Scripts

Script Objective

The objective of this script is to allow you to rotate the DKIM selectors of an MS365 domain that you specify.

On execution, the script prompts you to enter a domain. The DKIM keys of the domain you enter are then rotated.

If you would like to rotate multiple domains' DKIM keys, please run the script again, selecting a different domain.

The script will prompt you to log in to MS365. Please ensure the account you log in with has access to security.microsoft.com.

Script Contents

#SENDMARC DKIM KEY ROTATER
#Author: Brian Goosen - brian@sendmarc.com
#Usage of this Script is at your own risk.
#COPYRIGHT SENDMARC
#V1.1

#CHANGE LOG
#Added DKIM outputs for selected domain only instead of all domains in tenant.

$hostGui = $Host.UI.RawUI
$HostGui.WindowTitle = "Sendmarc MS365 DKIM Key ROTATER V1.1"
$HostGui.ForegroundColor = "White"

# Check if the script is running with administrative privileges
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

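# If not running as admin, relaunch the script with elevated permissions
if (-not $isAdmin) {
    Write-Host "This script requires administrative privileges. Please run the script as an administrator." -ForegroundColor Cyan

    # Relaunch the script with elevated permissions.
    # The script path is quoted so that file names containing spaces are passed as one argument.
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-File `"$($MyInvocation.MyCommand.Path)`""
    # Exit so the non-elevated instance does not keep running alongside the elevated one
    Exit
}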

# Generate a timestamp for the log file name
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
# Create a log file path
$logFilePath = "C:\Sendmarc\Sendmarc_DKIM_Key_Rotater_$timestamp.txt"
# Start logging
Start-Transcript -Path $logFilePath

Write-Host "==================================================" -ForegroundColor Green
Write-Host "SENDMARC MS365 DKIM KEY ROTATER" -ForegroundColor Green
Write-Host "Author: Brian Goosen" -ForegroundColor Green
Write-Host "Email: Brian@sendmarc.com" -ForegroundColor Green
Write-Host "COPYRIGHT SENDMARC" -ForegroundColor Green
Write-Host "==================================================" -ForegroundColor Green
Write-Host "" -ForegroundColor Cyan

#Confirm Application Launch
$title = 'Launch Sendmarc DKIM Key Rotater'
$question = 'Do you want to continue?'
$choices = '&Yes', '&No'

$decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
if ($decision -ne 0) {
    Write-Host "Script Aborted" -ForegroundColor Red
    # Close the transcript before exiting so the log file is finalized
    Stop-Transcript
    Exit
}

function ConnecttoMS365 {
    Write-Host "Checking if ExchangeOnlineManagement is installed" -ForegroundColor Cyan
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Write-Host "Installing ExchangeOnlineManagement PowerShell Module" -ForegroundColor Cyan
        Install-Module -Name ExchangeOnlineManagement -Force -Scope CurrentUser
    }
    else {
        Write-Host "ExchangeOnlineManagement is installed" -ForegroundColor Cyan
    }

    Write-Host "Importing ExchangeOnlineManagement" -ForegroundColor Cyan
    Import-Module ExchangeOnlineManagement
    Write-Host "Connecting to MS365" -ForegroundColor Cyan
    Write-Host "Please Log into MS365" -ForegroundColor Cyan
    Connect-ExchangeOnline
    Write-Host "Connected to MS365" -ForegroundColor Cyan
}

function RotateDKIMKey {
    # Trim stray whitespace (for example from a pasted value) off the domain name
    $domain = (Read-Host "Enter Domain Name").Trim()
    Write-Host "Displaying Current Active DKIM Keys for $domain"
    Get-DkimSigningConfig -Identity $domain | Format-List Name, Enabled, Status, Selector1CNAME, Selector1KeySize, Selector2CNAME, Selector2KeySize, KeyCreationTime, RotateOnDate, SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate

    #Confirm Key Rotation
    $title = 'Rotate Current DKIM Keys?'
    $question = 'Do you want to continue?'
    $choices = '&Yes', '&No'
    $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
    if ($decision -eq 0) {
        Write-Host "Rotating Keys"
        Rotate-DkimSigningConfig -Identity $domain -KeySize 2048
        Write-Host "Displaying Rotated Active DKIM Keys for $domain"
        Get-DkimSigningConfig -Identity $domain | Format-List Name, Enabled, Status, Selector1CNAME, Selector1KeySize, Selector2CNAME, Selector2KeySize, KeyCreationTime, RotateOnDate, SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate
    }
    else {
        Write-Host "Script Aborted" -ForegroundColor Red
        return
    }
}


ConnecttoMS365
RotateDKIMKey



Write-Host ""
Write-Host "==================================================" -ForegroundColor Cyan
Write-Host "Thank you for choosing Sendmarc!" -ForegroundColor Cyan
Write-Host "==================================================" -ForegroundColor Cyan

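# Close the Exchange Online session opened by Connect-ExchangeOnline
Disconnect-ExchangeOnline -Confirm:$false
# Stop logging
Stop-Transcript
# Display the path of the log file
Write-Host "Log file created: $logFilePath"
Write-Host "Press Enter to Close This Program" -ForegroundColor Cyan
Read-Host "..."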
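
A pre-rotation check, added here as an example and not part of the Sendmarc script: rotation moves signing to the other selector, so both selector CNAME records should already resolve in public DNS to the targets Exchange Online reports. The function name Test-DkimSelectorDns is hypothetical; it assumes an existing Connect-ExchangeOnline session, the Windows Resolve-DnsName cmdlet, and the standard selector1/selector2 host names under _domainkey.

```powershell
# Added example, not part of the Sendmarc script.
# Assumes: Connect-ExchangeOnline has already been run in this session,
# and Resolve-DnsName (Windows DnsClient module) is available.
function Test-DkimSelectorDns {
    param(
        [Parameter(Mandatory)]
        [string]$Domain
    )

    $Domain = $Domain.Trim()
    # Stop immediately if the domain has no DKIM signing configuration
    $config = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop

    $selectors = foreach ($n in 1, 2) {
        $hostName = "selector${n}._domainkey.$Domain"
        # Target that Exchange Online expects this selector to point at
        $expected = $config."Selector${n}CNAME"
        # CNAME that is actually published (empty if the record is missing)
        $published = Resolve-DnsName -Name $hostName -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1 -ExpandProperty NameHost

        [pscustomobject]@{
            Selector  = $hostName
            Expected  = $expected
            Published = $published
            # DNS names are case-insensitive and may carry a trailing dot
            Match     = [bool]$published -and
                        ($published.TrimEnd('.') -ieq "$expected".TrimEnd('.'))
        }
    }

    $missing = @($selectors | Where-Object { -not $_.Match })

    [pscustomobject]@{
        Domain        = $Domain
        Enabled       = $config.Enabled
        KeySizes      = $config.Selector1KeySize, $config.Selector2KeySize
        RotateOnDate  = $config.RotateOnDate
        # Only rotate when signing is enabled and both selectors resolve correctly
        ReadyToRotate = [bool]$config.Enabled -and ($missing.Count -eq 0)
        Selectors     = $selectors
    }
}

# Usage (example.com is a placeholder domain):
# $check = Test-DkimSelectorDns -Domain 'example.com'
# $check | Format-List Domain, Enabled, KeySizes, RotateOnDate, ReadyToRotate
# $check.Selectors | Format-Table -AutoSize
```

If ReadyToRotate is False, correct the selector record shown with Match = False before running the rotation.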

Need Help?

Sendmarc does not provide any support for PowerShell scripts, and they are run at your own risk.