DKIM Key Rotation: Why, When, and How to Rotate Your DKIM Keys
Learn why DKIM key rotation matters, how often to rotate keys, and step-by-step instructions for rotating DKIM keys without breaking email authentication.
DKIM keys don't expire automatically, but they should be rotated periodically. A compromised or aging DKIM key can be used by attackers to sign fraudulent emails that pass authentication — defeating the purpose of DKIM entirely.
Here's when and how to rotate DKIM keys without breaking your email authentication.
Why Rotate DKIM Keys?
Security
DKIM keys are cryptographic key pairs. Over time:
- The risk of key compromise increases
- Longer-deployed keys have more exposure to potential attacks
- Shorter keys (1,024-bit) become weaker as computing power increases
Best Practice Compliance
Security frameworks and email best practices recommend periodic rotation:
- NIST recommends rotating cryptographic keys regularly
- Some enterprise security audits require documented key rotation schedules
- Google recommends rotating DKIM keys at least every 12 months
Key Length Upgrades
If you're still using 1,024-bit DKIM keys, rotation is an opportunity to upgrade to 2,048-bit keys, which provide significantly stronger security.
How Often to Rotate
| Key Length | Recommended Rotation | Maximum |
|---|---|---|
| 2,048-bit | Every 12 months | Every 24 months |
| 1,024-bit | Upgrade to 2,048-bit now | Every 6 months if you must stay at 1,024 |
For most organizations, annual rotation is sufficient. High-security environments may rotate quarterly.
How to Rotate DKIM Keys
The key principle: overlap. Both old and new keys must be active simultaneously during the transition to avoid authentication failures for emails in transit.
Generate a new key pair
In your ESP or mail server, generate a new DKIM key pair with a new selector. For example, if your current selector is s1, use s2 for the new key.
Add the new public key to DNS
Add a TXT record at s2._domainkey.yourdomain.com with the new public key. Don't remove the old key yet.
Wait for DNS propagation
Allow at least 48 hours for the new DNS record to propagate globally. Some resolvers cache aggressively.
Switch signing to the new key
Configure your ESP or mail server to sign emails with the new key (selector s2). The old key remains in DNS.
Verify the new key works
Send test emails and check headers for DKIM: PASS with the new selector. Check your domain for any DKIM issues.
Remove the old key after overlap period
After 7–14 days (to allow all in-transit emails to be delivered and verified), remove the old DNS record at s1._domainkey.yourdomain.com.
The Overlap Period
The overlap between steps 4 and 6 is critical. During this window:
- New emails are signed with the new key
- Emails that were sent before the switch but haven't been delivered yet can still verify against the old key
- Both keys are valid in DNS simultaneously
Removing the old key too early causes DKIM failures for delayed or queued emails.
Monitor your DKIM configuration
Get alerts when DKIM records change or authentication fails. Don't let a key rotation issue silently break your email.
ESP-Managed Key Rotation
Many ESPs handle key rotation internally:
| ESP | Key Rotation |
|---|---|
| Google Workspace | Manual rotation via admin console. Update DNS after generating new key. |
| Microsoft 365 | Supports manual rotation through Exchange admin center. |
| SendGrid | Keys managed through domain authentication. Re-authenticate to rotate. |
| Mailchimp | Keys managed by Mailchimp. Contact support for rotation. |
If your ESP auto-rotates keys, they should notify you to update DNS records. If they don't notify you, the new key won't validate — this is a common cause of sudden DKIM failures.
Common Rotation Mistakes
Removing the Old Key Too Early
If you remove the old DNS record before switching the signing key (or immediately after), emails signed with the old key that are still in transit will fail DKIM.
Not Updating DNS
Your ESP generates a new key but you forget to add the new public key to DNS. All emails signed with the new key fail DKIM.
Selector Confusion
Using the same selector for the new key as the old one can cause caching issues. DNS resolvers may serve the cached old key value even after you've updated it. Using a new selector avoids this.
Not Testing After Rotation
After any key rotation, send test emails and verify DKIM passes. Don't assume the rotation worked — confirm it.
Automated Key Rotation
For organizations that want to automate rotation:
- Some DNS providers support API-based record management, enabling automated DKIM record updates
- DKIM key management services can automate the generation, publishing, and cleanup cycle
- If using infrastructure-as-code (Terraform, CloudFormation), include DKIM records in your configuration and rotate through version control