DKIM Key Rotation: Why, When, and How to Rotate Your DKIM Keys

Learn why DKIM key rotation matters, how often to rotate keys, and step-by-step instructions for rotating DKIM keys without breaking email authentication.

Email Authentication

DKIM keys don't expire automatically, but they should be rotated periodically. A compromised or aging DKIM key can be used by attackers to sign fraudulent emails that pass authentication — defeating the purpose of DKIM entirely.

Here's when and how to rotate DKIM keys without breaking your email authentication.

Why Rotate DKIM Keys?

Security

DKIM keys are cryptographic key pairs. Over time:

  • The risk of key compromise increases
  • Longer-deployed keys have more exposure to potential attacks
  • Shorter keys (1,024-bit) become weaker as computing power increases

Best Practice Compliance

Security frameworks and email best practices recommend periodic rotation:

  • NIST recommends rotating cryptographic keys regularly
  • Some enterprise security audits require documented key rotation schedules
  • Google recommends rotating DKIM keys at least every 12 months

Key Length Upgrades

If you're still using 1,024-bit DKIM keys, rotation is an opportunity to upgrade to 2,048-bit keys, which provide significantly stronger security.

How Often to Rotate

Key LengthRecommended RotationMaximum
2,048-bitEvery 12 monthsEvery 24 months
1,024-bitUpgrade to 2,048-bit nowEvery 6 months if you must stay at 1,024

For most organizations, annual rotation is sufficient. High-security environments may rotate quarterly.

How to Rotate DKIM Keys

The key principle: overlap. Both old and new keys must be active simultaneously during the transition to avoid authentication failures for emails in transit.

1

Generate a new key pair

In your ESP or mail server, generate a new DKIM key pair with a new selector. For example, if your current selector is s1, use s2 for the new key.

2

Add the new public key to DNS

Add a TXT record at s2._domainkey.yourdomain.com with the new public key. Don't remove the old key yet.

3

Wait for DNS propagation

Allow at least 48 hours for the new DNS record to propagate globally. Some resolvers cache aggressively.

4

Switch signing to the new key

Configure your ESP or mail server to sign emails with the new key (selector s2). The old key remains in DNS.

5

Verify the new key works

Send test emails and check headers for DKIM: PASS with the new selector. Check your domain for any DKIM issues.

6

Remove the old key after overlap period

After 7–14 days (to allow all in-transit emails to be delivered and verified), remove the old DNS record at s1._domainkey.yourdomain.com.

The Overlap Period

The overlap between steps 4 and 6 is critical. During this window:

  • New emails are signed with the new key
  • Emails that were sent before the switch but haven't been delivered yet can still verify against the old key
  • Both keys are valid in DNS simultaneously

Removing the old key too early causes DKIM failures for delayed or queued emails.

Monitor your DKIM configuration

Get alerts when DKIM records change or authentication fails. Don't let a key rotation issue silently break your email.

ESP-Managed Key Rotation

Many ESPs handle key rotation internally:

ESPKey Rotation
Google WorkspaceManual rotation via admin console. Update DNS after generating new key.
Microsoft 365Supports manual rotation through Exchange admin center.
SendGridKeys managed through domain authentication. Re-authenticate to rotate.
MailchimpKeys managed by Mailchimp. Contact support for rotation.

If your ESP auto-rotates keys, they should notify you to update DNS records. If they don't notify you, the new key won't validate — this is a common cause of sudden DKIM failures.

Common Rotation Mistakes

Removing the Old Key Too Early

If you remove the old DNS record before switching the signing key (or immediately after), emails signed with the old key that are still in transit will fail DKIM.

Not Updating DNS

Your ESP generates a new key but you forget to add the new public key to DNS. All emails signed with the new key fail DKIM.

Selector Confusion

Using the same selector for the new key as the old one can cause caching issues. DNS resolvers may serve the cached old key value even after you've updated it. Using a new selector avoids this.

Not Testing After Rotation

After any key rotation, send test emails and verify DKIM passes. Don't assume the rotation worked — confirm it.

Automated Key Rotation

For organizations that want to automate rotation:

  • Some DNS providers support API-based record management, enabling automated DKIM record updates
  • DKIM key management services can automate the generation, publishing, and cleanup cycle
  • If using infrastructure-as-code (Terraform, CloudFormation), include DKIM records in your configuration and rotate through version control