DKIM Key Rotation: Best Practices for 2025

Illustration of DKIM key rotation process showing old keys being replaced with new ones

DKIM key rotation is one of those security practices that's easy to overlook—until something goes wrong. Most organizations set up DKIM once and never touch it again. But cryptographic keys, like passwords, should be changed periodically to maintain security.

This guide explains why key rotation matters, when you should do it, and exactly how to rotate your DKIM keys without breaking email delivery.

Why Rotate DKIM Keys?

DKIM uses public-key cryptography to sign your emails. Your private key stays on your mail servers, while the public key is published in DNS. If your private key is ever compromised, attackers could sign emails that appear to legitimately come from your domain.

Key Reasons to Rotate

  • Security hygiene – Like changing passwords, rotating keys limits the window of exposure if a key is compromised
  • Compliance requirements – Some security frameworks (PCI-DSS, SOC 2) require periodic key rotation
  • Key size upgrades – Rotating lets you upgrade from 1024-bit to 2048-bit keys
  • Staff changes – When employees with key access leave the organization
  • Suspected compromise – If you have any reason to believe your key may have been exposed

What Happens if a DKIM Key is Compromised?

An attacker with your private key could:

  • Send emails that pass DKIM and DMARC checks
  • Impersonate your organization convincingly
  • Conduct phishing campaigns that appear legitimate
  • Damage your domain reputation

Regular rotation limits this risk by ensuring any compromised key has a limited useful lifetime.

How Often Should You Rotate DKIM Keys?

There's no universal standard, but here are common recommendations:

Organization Type Recommended Rotation Frequency
High-security environments (finance, healthcare) Every 3-6 months
Enterprise organizations Every 6-12 months
Small to medium businesses Annually
Minimum best practice At least every 2 years

Additional triggers for rotation:

  • Security incident or suspected compromise
  • Key administrator leaves the organization
  • Upgrading from 1024-bit to 2048-bit keys
  • Audit or compliance requirement

Step-by-Step DKIM Key Rotation Process

The key to smooth rotation is overlap—run both old and new keys simultaneously during the transition.

Step 1: Generate a New Key Pair

Create a new public/private key pair. Use 2048-bit RSA keys for current security standards.

If using OpenSSL:

# Generate private key
openssl genrsa -out new_dkim_private.pem 2048

# Extract public key
openssl rsa -in new_dkim_private.pem -pubout -out new_dkim_public.pem

Most email services generate keys automatically—check your provider's documentation.

Step 2: Choose a New Selector

Your new key needs a new selector. Include a date or version number to track rotation:

  • dkim-2025q1 (quarter-based)
  • key-jan2025 (month-based)
  • selector2 (version-based)

Step 3: Publish the New Key in DNS

Add a new TXT record with your new selector:

Record name: [new-selector]._domainkey.yourdomain.com

Record value: v=DKIM1; k=rsa; p=[your-public-key]

Wait for DNS propagation (typically 24-48 hours, though often faster).

Step 4: Verify the New Key is Published

Use a DKIM lookup tool to confirm your new key is accessible:

  • MxToolbox DKIM Lookup
  • dig TXT [selector]._domainkey.yourdomain.com
  • Your email provider's verification tool

Step 5: Configure Your Mail Server to Use the New Key

Update your mail server or email service to sign with the new key and selector. The exact process varies by platform:

Google Workspace: Generate new key in Admin Console > Apps > Google Workspace > Gmail > Authenticate email

Microsoft 365: Create new DKIM keys in Microsoft 365 Defender portal

Custom mail server: Update your DKIM signing configuration to use the new private key and selector

Step 6: Test the New Configuration

Send test emails and verify:

  • Emails are being signed with the new selector
  • DKIM verification passes
  • DMARC alignment still works

Check email headers for dkim=pass and confirm the selector matches your new one.

Step 7: Monitor for Issues

Keep both keys active and monitor for 48-72 hours:

  • Check DMARC reports for any DKIM failures
  • Monitor bounce rates for unusual spikes
  • Verify emails from all sending services are passing

Step 8: Remove the Old Key

After the transition period (minimum 48-72 hours, ideally 1-2 weeks):

  1. Verify no emails are still being signed with the old selector
  2. Remove the old DNS TXT record
  3. Archive the old private key securely (in case you need to verify old messages)

Key Rotation for Third-Party Services

If you use multiple email services (marketing platforms, transactional email, etc.), each may have its own DKIM key. Considerations:

Managed Services

Services like Mailchimp, SendGrid, and HubSpot typically manage their own keys. Check their documentation for rotation options—many handle this automatically.

Services Using Your Keys

If a service uses keys you generated, you'll need to coordinate rotation:

  1. Generate and publish the new key
  2. Update the service with the new private key
  3. Test thoroughly before removing the old key

Automating Key Rotation

For organizations that need frequent rotation, consider automation:

DNS API Integration

If your DNS provider offers an API (Cloudflare, Route 53, etc.), you can script key publication:

  1. Generate new key pair
  2. Publish new DNS record via API
  3. Wait for propagation
  4. Update mail server configuration
  5. Remove old DNS record after transition

Enterprise Solutions

Email security vendors often provide automated key rotation as part of their managed DKIM services. This can be especially valuable for organizations with:

  • Multiple domains
  • Complex email infrastructure
  • Strict compliance requirements

Common Key Rotation Mistakes

Removing the Old Key Too Soon

Some emails may be in transit or queued when you switch keys. Removing the old key immediately can cause DKIM failures for these messages. Always maintain overlap.

Not Testing Before Going Live

Always verify the new key is properly published and your mail server is signing correctly before relying on it for production email.

Forgetting Third-Party Senders

If you have multiple services sending email for your domain, ensure all are updated during rotation—or ensure each has independent keys that you rotate on their own schedules.

Not Updating Documentation

Keep records of:

  • When keys were last rotated
  • Which selector is currently active
  • Where private keys are stored
  • Who has access to manage keys

Key Rotation Checklist

Use this checklist for each rotation:

  • ☐ Generate new 2048-bit key pair
  • ☐ Choose new selector with date/version
  • ☐ Publish new key in DNS
  • ☐ Verify new key is accessible via DNS lookup
  • ☐ Update mail server to use new key
  • ☐ Send test emails and verify DKIM passes
  • ☐ Check DMARC alignment still works
  • ☐ Monitor for 48-72 hours minimum
  • ☐ Remove old DNS record
  • ☐ Archive old private key
  • ☐ Update documentation
  • ☐ Schedule next rotation

Related Resources

0 comments

Leave a comment

Please note, comments need to be approved before they are published.