A financial services firm migrated from Microsoft 365 E3 to Business Premium licences. Email appeared to function normally. Three weeks later, DMARC aggregate reports showed DKIM alignment had dropped to zero — meaning every outbound message was failing authentication silently.
Microsoft 365 DKIM failures after a licence change don't generate error logs or bounce messages. The only signal is in DMARC aggregate reports — and most organisations aren't reading them.
Silent DKIM failure after M365 licence change
The licence migration had triggered a tenant reconfiguration that disabled custom DKIM signing for the client's domain. Microsoft's automatic DKIM key rotation had also failed as part of the reconfiguration. The firm's email was delivering — because most providers don't reject on DKIM failure alone — but was completely unprotected and failing DMARC alignment. This had been the case for three weeks before the DMARC reports were reviewed.
DKIM regeneration and monitoring setup
- Audited DMARC aggregate reports to establish the timeline and scope of the failure
- Confirmed DKIM signing was disabled in Exchange Admin Center for the affected domain
- Regenerated the DKIM key pair and published new CNAME records to DNS
- Re-enabled DKIM signing in Exchange Admin Center
- Verified DKIM alignment in test messages before closing the incident
- Added DKIM signing status to the ongoing monitoring stack
DKIM alignment restored, monitoring active
- DKIM alignment restored from 0% to 100% within 24 hours of DNS propagation
- DMARC aggregate reports now reviewed as part of the monthly monitoring cycle
- Alerting added for DKIM signing status — future reconfigurations will be detected within hours
DMARC aggregate reports are the only reliable signal for this class of failure. If you're not reading them, you won't know until a recipient's mail filter gets stricter.
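The following Python is an added example, not code from the engagement: it computes the DKIM-aligned share of mail per From domain from one RFC 7489 aggregate report and flags domains that fall below a threshold. The sample report, the thresholds and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format. example.com and the
# 192.0.2.x addresses are placeholders, not data from the incident.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.11</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.12</source_ip><count>oops</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def dkim_alignment(report_xml):
    """Return {header_from: (dkim_aligned_msgs, total_msgs)} for one report."""
    # Reports arrive from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD not allowed in DMARC aggregate report")
    totals = defaultdict(lambda: [0, 0])
    for rec in ET.fromstring(report_xml).iter("record"):
        domain = (rec.findtext("identifiers/header_from") or "").strip().lower()
        try:
            count = int(rec.findtext("row/count") or "")
        except ValueError:
            continue  # malformed row: skip instead of guessing a volume
        if not domain or count <= 0:
            continue
        # policy_evaluated/dkim is the DMARC verdict (valid AND aligned);
        # auth_results/dkim would only give the raw signature check result.
        verdict = (rec.findtext("row/policy_evaluated/dkim") or "").strip().lower()
        totals[domain][0] += count if verdict == "pass" else 0
        totals[domain][1] += count
    return {d: tuple(v) for d, v in totals.items()}


def alerts(stats, min_rate=0.95, min_volume=20):
    """Domains whose DKIM-aligned share is below min_rate (assumed thresholds)."""
    return sorted(d for d, (ok, total) in stats.items()
                  if total >= min_volume and ok / total < min_rate)


if __name__ == "__main__":
    print(alerts(dkim_alignment(SAMPLE_REPORT)))
```

Weighting by `count` matters because one record can represent thousands of messages; the first sample record also shows SPF passing while DKIM fails, which is why the DKIM verdict is tracked on its own.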