DKIM Key Rotation: Best Practices and How-To
Learn how to rotate DKIM keys safely. Step-by-step process for key rotation, best practices for timing, and how to avoid email delivery disruptions.
Last updated: 2026-02-06
Key rotation means replacing your DKIM key pair with a new one. It's a security best practice that limits the impact of a compromised key and keeps your cryptography current.
Key rotation doesn't cause downtime when done correctly. Old and new keys coexist during the transition.
Why Rotate DKIM Keys?
- Limit exposure — If a private key is compromised, rotation limits the window of vulnerability
- Follow best practices — Security frameworks recommend periodic rotation
- Upgrade key size — Move from 1024-bit to 2048-bit
- Comply with policies — Some organizations require annual rotation
- Replace after personnel changes — When admins with key access leave
How Often to Rotate
| Scenario | Recommended Frequency |
|---|---|
| Standard business | Every 6-12 months |
| High-security (finance, healthcare) | Every 3-6 months |
| After a security incident | Immediately |
| After staff with key access departs | As soon as practical |
| Upgrading from 1024 to 2048-bit | One-time migration |
Step-by-Step Rotation Process
Generate new keys with a new selector
Create a new key pair with a different selector name. Use a date-based pattern for easy tracking (e.g., 2026q1 → 2026q2).
Publish the new DNS record
Add the new public key to DNS alongside the old one. Both records exist simultaneously.
Wait for DNS propagation
Allow 24-48 hours for the new DNS record to propagate globally.
Update your mail server
Configure your mail server to sign with the new private key and selector.
Monitor for issues
Check DMARC reports and bounce rates for any problems with the new key.
Remove the old DNS record
After 1-2 weeks, remove the old public key from DNS. This gives time for any emails in transit signed with the old key to be delivered.
Selector Naming for Rotation
Use predictable selector names to track rotation history:
| Pattern | Example | Notes |
|---|---|---|
| Date-based | `2026q1`, `2026q2` | Easy to track when rotated |
| Sequential | `key1`, `key2`, `key3` | Simple numbering |
| Year-month | `jan2026`, `jul2026` | Clear timing |
Avoid reusing selector names — receivers may cache old keys.
Example: Rotating on Postfix
```bash
# 1. Generate new keys (use DKIM Creator)
# Save as /etc/opendkim/keys/example.com/2026q2.private
# 2. Add new DNS record
# 2026q2._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..."
# 3. Wait for propagation (24-48 hours)
# 4. Update OpenDKIM config
# In /etc/opendkim/key.table:
# Replace: mail._domainkey.example.com example.com:2026q1:/etc/opendkim/keys/example.com/2026q1.private
# With:    mail._domainkey.example.com example.com:2026q2:/etc/opendkim/keys/example.com/2026q2.private
# 5. Restart
sudo systemctl restart opendkim
# 6. After 1-2 weeks, remove old DNS record for 2026q1
```
Rotation for Email Services
Google Workspace
- Admin Console → Apps → Gmail → Authenticate email
- Click "Rotate DKIM key"
- Google handles DNS updates if using Google DNS
Microsoft 365
- Defender portal → DKIM settings
- Click "Rotate DKIM keys" for your domain
- Update CNAME records if prompted
SendGrid / Mailgun / Other ESPs
Most ESPs handle key rotation internally. Check your provider's documentation for their rotation process.
Common Rotation Mistakes
Removing old DNS before the transition period
Emails in transit (queued, delayed, forwarded) may still carry signatures from the old key. Keep the old record for 1-2 weeks.
Reusing the same selector
DNS caching means the old key may be served even after you update. Use a new selector to avoid this.
Not testing the new key
Always verify the new DNS record resolves correctly before switching your mail server.
Rotating during high-volume sends
Schedule rotation during low-traffic periods to minimize risk.
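To make the "Wait for DNS propagation" step and the "Not testing the new key" point concrete, here is an added example (not code from this page or from the DKIM Creator tool) in Python: it parses the TXT record the way a resolver returns it, including a 2048-bit key split across several quoted chunks, compares the published p= value with the base64 public key you extracted locally, and flags an empty p= (a revoked selector). The sample records are constructed placeholders, and the optional live lookup helper assumes the third-party dnspython package is installed.

```python
import base64
import re

# Constructed sample records (not real keys). A 2048-bit RSA public key does not fit
# in one 255-byte TXT string, so resolvers return it as several quoted chunks.
LOCAL_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 44  # as printed by `openssl rsa -pubout`
SAMPLE_NEW = ["v=DKIM1; k=rsa; p=" + LOCAL_P[:60], LOCAL_P[60:]]   # new selector, split in two chunks
SAMPLE_REVOKED = ["v=DKIM1; k=rsa; p="]                             # old selector after revocation


def parse_dkim_record(txt_chunks):
    """Concatenate the TXT chunks and split 'tag=value; tag=value' into a dict.
    Whitespace inside a value (often present around p=) is dropped, as RFC 6376 allows."""
    tags = {}
    for part in "".join(txt_chunks).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_selector_record(txt_chunks, expected_p):
    """Return the list of problems found; an empty list means it is safe to start signing."""
    tags = parse_dkim_record(txt_chunks)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type k=" + tags["k"])
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("p= is empty: this selector is revoked and signatures will not verify")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or mis-split TXT record?)")
        if p != expected_p:
            problems.append("published key differs from the key extracted from the local private key")
    return problems


def lookup_txt_chunks(selector, domain):
    """Fetch the raw TXT chunks for selector._domainkey.domain. Assumes dnspython is installed."""
    import dns.resolver  # third-party; the offline checks above do not need it
    answers = dns.resolver.resolve(f"{selector}._domainkey.{domain}", "TXT")
    return [s.decode() for rr in answers for s in rr.strings]
```

Run `check_selector_record(lookup_txt_chunks("2026q2", "example.com"), LOCAL_P)` from several resolvers (your own, plus public ones) and only switch the mail server once all of them return an empty problem list.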
Automating Rotation
For organizations that rotate frequently:
```bash
#!/bin/bash
# Simple rotation script concept: generate the next quarterly key pair
# and print the public key in the form needed for the DNS TXT record
set -euo pipefail
umask 077   # the private key must never be world-readable
DOMAIN="example.com"
KEYDIR="/etc/opendkim/keys/${DOMAIN}"
# Quarter-based selector, e.g. 2026q2 for April-June 2026
NEW_SELECTOR="$(date +%Y)q$(( ($(date +%-m) - 1) / 3 + 1 ))"
mkdir -p "${KEYDIR}"
# Generate new 2048-bit key pair
openssl genrsa -out "${KEYDIR}/${NEW_SELECTOR}.private" 2048
chown opendkim:opendkim "${KEYDIR}/${NEW_SELECTOR}.private"   # adjust to your OpenDKIM service user
# Extract public key (SubjectPublicKeyInfo DER, base64) for the p= tag
PUBKEY="$(openssl rsa -in "${KEYDIR}/${NEW_SELECTOR}.private" -pubout -outform DER | base64 | tr -d '\n')"
echo "Add this to DNS as ${NEW_SELECTOR}._domainkey.${DOMAIN}:"
echo "v=DKIM1; k=rsa; p=${PUBKEY}"
```
Or use DKIM Creator for a quick browser-based generation when it's time to rotate.
Rotation Checklist
- [ ] Generate new key pair with new selector
- [ ] Add new public key to DNS
- [ ] Verify DNS propagation (24-48 hours)
- [ ] Update mail server to use new private key
- [ ] Send test emails and verify DKIM passes
- [ ] Monitor DMARC reports for 1 week
- [ ] Remove old DNS record after 1-2 weeks
- [ ] Securely delete old private key
- [ ] Document the rotation date and new selector