Description
Test-MtCisDkim and Test-MtCisaDkim throw an unhandled error when an accepted domain
(typically *.onmicrosoft.com) has no corresponding DkimSigningConfig entry. The error
is caught by the function's catch block, which returns $null and reports the test as
Ignored with no useful diagnostic information.
Steps to reproduce
- Ensure your tenant has a .onmicrosoft.com accepted domain where Get-DkimSigningConfig does not return an entry (this is the default per Microsoft documentation)
- Run Test-MtCisDkim or Test-MtCisaDkim
Expected behavior
The test should either:
- Report a failure for the domain with a clear message ("No DkimSigningConfig found for {domain}"), or
- Skip the domain with a reason explaining that Microsoft auto-signs DKIM for .onmicrosoft.com domains even without an explicit config
Actual behavior
Get-MailAuthenticationRecord: Cannot bind argument to parameter 'DkimDnsName' because it
is an empty string.
The catch block fires, Add-MtTestResultDetail -SkippedBecause Error is called, and the
function returns $null. The Pester test result is Ignored with no indication of the
underlying cause.
Root cause
In Test-MtCisDkim.ps1 (line 41) and Test-MtCisaDkim.ps1 (line 40), when no
DkimSigningConfig matches the domain, $dkimSigningConfig is $null. The code then:
- Accesses $dkimSigningConfig.RotateOnDate (null, date comparison falls through)
- Sets $Selector to $dkimSigningConfig.SelectorBeforeRotateOnDate (null/empty)
- For .onmicrosoft.com domains, evaluates $dkimSigningConfig."$($selector)CNAME" to empty string
- Calls Get-MailAuthenticationRecord -DkimDnsName '' which throws
Suggested fix
Add a null-check on $dkimSigningConfig at the start of the foreach loop body. If no
config exists, either fail the domain with a descriptive message or skip it with a reason.
Environment
- Maester 2.1.0
- ExchangeOnlineManagement 3.9.2
- PowerShell 7.4
- Microsoft 365 Business Basic
- Tenant has two accepted domains: contoso.com (DKIM config exists) and contoso.onmicrosoft.com (no DKIM config, which is the Microsoft default)
Workaround
Run New-DkimSigningConfig -DomainName '<tenant>.onmicrosoft.com' -Enabled $true to
explicitly create the DKIM signing config for the .onmicrosoft.com domain. This resolves
the null-reference because the config now exists in Get-DkimSigningConfig output.
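A sketch of the guard proposed under "Suggested fix", as an added example that is not Maester's own code and not part of the original report. Resolve-DkimCheckTarget, the Action/Reason output fields, the date comparison and the use of the CNAME target for every domain are assumptions made for illustration; the sample objects are constructed to match the environment described above.

```powershell
# Added example: hypothetical helper, not Maester source code.
function Resolve-DkimCheckTarget {
    param(
        [Parameter(Mandatory)] [object[]] $AcceptedDomain,
        [object[]] $DkimSigningConfig = @()
    )
    foreach ($domain in $AcceptedDomain) {
        $name   = $domain.DomainName
        $config = $DkimSigningConfig | Where-Object { $_.Domain -eq $name } | Select-Object -First 1
        # Guard first: with $config = $null every property read below is $null
        # and the DKIM DNS name collapses to an empty string.
        if ($null -eq $config) {
            $reason = "No DkimSigningConfig found for $name"
            if ($name -like '*.onmicrosoft.com') {
                $reason += ' (Microsoft auto-signs DKIM for .onmicrosoft.com domains without an explicit config)'
            }
            [pscustomobject]@{ Domain = $name; Action = 'Skip'; DkimDnsName = $null; Reason = $reason }
            continue
        }
        # Assumed selector logic: use the pre-rotation selector until RotateOnDate passes.
        $selector = if ($config.RotateOnDate -gt [datetime]::UtcNow) {
            $config.SelectorBeforeRotateOnDate
        } else {
            $config.SelectorAfterRotateOnDate
        }
        # Simplification: the CNAME target is used for every domain, not only .onmicrosoft.com.
        $dnsName = $config."$($selector)CNAME"
        # Second guard: never hand an empty name to the DNS lookup.
        if ([string]::IsNullOrWhiteSpace($dnsName)) {
            [pscustomobject]@{ Domain = $name; Action = 'Fail'; DkimDnsName = $null; Reason = "No $($selector)CNAME on the DkimSigningConfig for $name" }
            continue
        }
        [pscustomobject]@{ Domain = $name; Action = 'Check'; DkimDnsName = $dnsName; Reason = $null }
    }
}

# Constructed sample data: one domain with a config, one without.
$domains = @(
    [pscustomobject]@{ DomainName = 'contoso.com' }
    [pscustomobject]@{ DomainName = 'contoso.onmicrosoft.com' }
)
$configs = @(
    [pscustomobject]@{
        Domain = 'contoso.com'; RotateOnDate = [datetime]'2020-01-01'
        SelectorBeforeRotateOnDate = 'selector2'; SelectorAfterRotateOnDate = 'selector1'
        Selector1CNAME = 'selector1-contoso-com._domainkey.contoso.onmicrosoft.com'
    }
)
Resolve-DkimCheckTarget -AcceptedDomain $domains -DkimSigningConfig $configs | Format-List
```

Only rows with Action 'Check' carry a non-empty DkimDnsName, so the DNS lookup is never reached with an empty string and the skipped domain keeps a reason that can be surfaced in the test result.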