DKIM key rotation is one of those security practices that's easy to overlook—until something goes wrong. Most organizations set up DKIM once and never touch it again. But cryptographic keys, like passwords, should be changed periodically to maintain security.
This guide explains why key rotation matters, when you should do it, and exactly how to rotate your DKIM keys without breaking email delivery.
Why Rotate DKIM Keys?
DKIM uses public-key cryptography to sign your emails. Your private key stays on your mail servers, while the public key is published in DNS. If your private key is ever compromised, attackers could sign emails that appear to legitimately come from your domain.
Key Reasons to Rotate
- Security hygiene – Like changing passwords, rotating keys limits the window of exposure if a key is compromised
- Compliance requirements – Some security frameworks (PCI-DSS, SOC 2) require periodic key rotation
- Key size upgrades – Rotating lets you upgrade from 1024-bit to 2048-bit keys
- Staff changes – When employees with key access leave the organization
- Suspected compromise – If you have any reason to believe your key may have been exposed
What Happens if a DKIM Key is Compromised?
An attacker with your private key could:
- Send emails that pass DKIM and DMARC checks
- Impersonate your organization convincingly
- Conduct phishing campaigns that appear legitimate
- Damage your domain reputation
Regular rotation limits this risk by ensuring any compromised key has a limited useful lifetime.
How Often Should You Rotate DKIM Keys?
There's no universal standard, but here are common recommendations:
| Organization Type | Recommended Rotation Frequency |
|---|---|
| High-security environments (finance, healthcare) | Every 3-6 months |
| Enterprise organizations | Every 6-12 months |
| Small to medium businesses | Annually |
| Minimum best practice | At least every 2 years |
Additional triggers for rotation:
- Security incident or suspected compromise
- Key administrator leaves the organization
- Upgrading from 1024-bit to 2048-bit keys
- Audit or compliance requirement
Step-by-Step DKIM Key Rotation Process
The key to smooth rotation is overlap—run both old and new keys simultaneously during the transition.
Step 1: Generate a New Key Pair
Create a new public/private key pair. Use 2048-bit RSA keys for current security standards.
If using OpenSSL:
# Generate private key
openssl genrsa -out new_dkim_private.pem 2048
# Extract public key
openssl rsa -in new_dkim_private.pem -pubout -out new_dkim_public.pem
Most email services generate keys automatically—check your provider's documentation.
Step 2: Choose a New Selector
Your new key needs a new selector. Include a date or version number to track rotation:
-
dkim-2025q1(quarter-based) -
key-jan2025(month-based) -
selector2(version-based)
Step 3: Publish the New Key in DNS
Add a new TXT record with your new selector:
Record name: [new-selector]._domainkey.yourdomain.com
Record value: v=DKIM1; k=rsa; p=[your-public-key]
Wait for DNS propagation (typically 24-48 hours, though often faster).
Step 4: Verify the New Key is Published
Use a DKIM lookup tool to confirm your new key is accessible:
- MxToolbox DKIM Lookup
dig TXT [selector]._domainkey.yourdomain.com- Your email provider's verification tool
Step 5: Configure Your Mail Server to Use the New Key
Update your mail server or email service to sign with the new key and selector. The exact process varies by platform:
Google Workspace: Generate new key in Admin Console > Apps > Google Workspace > Gmail > Authenticate email
Microsoft 365: Create new DKIM keys in Microsoft 365 Defender portal
Custom mail server: Update your DKIM signing configuration to use the new private key and selector
Step 6: Test the New Configuration
Send test emails and verify:
- Emails are being signed with the new selector
- DKIM verification passes
- DMARC alignment still works
Check email headers for dkim=pass and confirm the selector matches your new one.
Step 7: Monitor for Issues
Keep both keys active and monitor for 48-72 hours:
- Check DMARC reports for any DKIM failures
- Monitor bounce rates for unusual spikes
- Verify emails from all sending services are passing
Step 8: Remove the Old Key
After the transition period (minimum 48-72 hours, ideally 1-2 weeks):
- Verify no emails are still being signed with the old selector
- Remove the old DNS TXT record
- Archive the old private key securely (in case you need to verify old messages)
Key Rotation for Third-Party Services
If you use multiple email services (marketing platforms, transactional email, etc.), each may have its own DKIM key. Considerations:
Managed Services
Services like Mailchimp, SendGrid, and HubSpot typically manage their own keys. Check their documentation for rotation options—many handle this automatically.
Services Using Your Keys
If a service uses keys you generated, you'll need to coordinate rotation:
- Generate and publish the new key
- Update the service with the new private key
- Test thoroughly before removing the old key
Automating Key Rotation
For organizations that need frequent rotation, consider automation:
DNS API Integration
If your DNS provider offers an API (Cloudflare, Route 53, etc.), you can script key publication:
- Generate new key pair
- Publish new DNS record via API
- Wait for propagation
- Update mail server configuration
- Remove old DNS record after transition
Enterprise Solutions
Email security vendors often provide automated key rotation as part of their managed DKIM services. This can be especially valuable for organizations with:
- Multiple domains
- Complex email infrastructure
- Strict compliance requirements
Common Key Rotation Mistakes
Removing the Old Key Too Soon
Some emails may be in transit or queued when you switch keys. Removing the old key immediately can cause DKIM failures for these messages. Always maintain overlap.
Not Testing Before Going Live
Always verify the new key is properly published and your mail server is signing correctly before relying on it for production email.
Forgetting Third-Party Senders
If you have multiple services sending email for your domain, ensure all are updated during rotation—or ensure each has independent keys that you rotate on their own schedules.
Not Updating Documentation
Keep records of:
- When keys were last rotated
- Which selector is currently active
- Where private keys are stored
- Who has access to manage keys
Key Rotation Checklist
Use this checklist for each rotation:
- ☐ Generate new 2048-bit key pair
- ☐ Choose new selector with date/version
- ☐ Publish new key in DNS
- ☐ Verify new key is accessible via DNS lookup
- ☐ Update mail server to use new key
- ☐ Send test emails and verify DKIM passes
- ☐ Check DMARC alignment still works
- ☐ Monitor for 48-72 hours minimum
- ☐ Remove old DNS record
- ☐ Archive old private key
- ☐ Update documentation
- ☐ Schedule next rotation
0 comments