We noticed this symptom too, on several domains. We were going through the process recently to enable DKIM on our Outlook365 domains, and noticed many were fine, but about a third were missing selector2, and a handful were missing both selector2 and selector1.
So, using an example to illustrate, we have a CNAME in place for selector1._domainkey.ExampleDomain.tld & selector2._domainkey.ExampleDomain.tld, which point to selector1-ExampleDomain-tld._domainkey.ExampleDomain.onmicrosoft.com & selector1-ExampleDomain-tld._domainkey.ExampleDomain.onmicrosoft.com. (The exact selector record has to be pulled from your Microsoft365 Admin portal, but you get the idea.) Our CNAMEs were functioning and correct, but one or both of those OnMicrosoft.com records were missing.
We opened a case with Microsoft Unified Support for Exchange Online. They suggested:
Rotate is only available on the admin page when DKIM is enabled on your domain; it didn’t sound like there was a PowerShell command to do it (that they shared).
We did not end up needing to change our CNAME, but the selectors changed. I used AppMailDev to test when done: https://www.appmaildev.com/en/dkim
It looks like that did the trick for me.
One more note: if you don’t DKIM enable this with your domain, it does not mean Exchange Online isn’t DKIM signed. Microsoft will DKIM sign outbound email from Exchange Online, but they do it using their own onmicrosoft.com selector. When analyzing your domain through dmarcian, you will see “Microsoft Office 365” as “DKIM 0%”. This is true, since DKIM isn’t aligned with your domain, but with onmicrosoft.com. However, the emails will still be signed if you inspect the headers. So when verifying, pay special attention to the d= field in the DKIM-signature header.
Cheers, and I hope this helps.
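
The d= check described in the post above, as an added example that is not part of the original post: it reads each DKIM-Signature header of a message and reports whether its d= domain lines up with the From domain. It does not verify the signature itself, the sample messages and selector names are constructed, and relaxed alignment is approximated by a parent/subdomain comparison instead of a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace left over from header line wrapping.
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def alignment(d, from_domain):
    """Return 'strict', 'relaxed' or 'none' for a d= value vs. the From domain."""
    d, f = d.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not d or not f:
        return "none"
    if d == f:
        return "strict"
    # Assumption: parent/subdomain match stands in for a real PSL-based check.
    if d.endswith("." + f) or f.endswith("." + d):
        return "relaxed"
    return "none"

def dkim_domains(raw_message):
    """List d=, s= and alignment for every DKIM-Signature in the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d = tags.get("d", "")
        results.append({"d": d, "s": tags.get("s", ""),
                        "alignment": alignment(d, from_domain)})
    return results

def sample(d, s):
    """Constructed test message; bh= and b= are placeholders, not real values."""
    return ("From: Alice <alice@exampledomain.tld>\nSubject: test\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
            f" d={d}; s={s};\n h=From:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
            "\nbody\n")

# Signed with the tenant's onmicrosoft.com domain (DKIM not enabled for the custom domain).
DEFAULT_SIGNED = sample("exampledomain.onmicrosoft.com", "selector1-constructed")
# Signed with the custom domain after DKIM is enabled.
CUSTOM_SIGNED = sample("exampledomain.tld", "selector1")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_SIGNED), ("custom", CUSTOM_SIGNED)):
        print(label, dkim_domains(raw))
```

A result of `none` on a signed message is the case that shows up as "DKIM 0%" in DMARC reporting even though a DKIM-Signature header is present.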