What is ARC-Seal key rotation?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

ARC-Seal key rotation is the process of replacing the cryptographic keys used to sign ARC-Seal headers. It works on the same principle as DKIM key rotation: keys should be replaced periodically to limit the window of exposure if a private key is ever compromised.

A quick refresher on what ARC-Seal is: when an intermediary (forwarder, mailing list server) passes along an email, it can add three ARC headers including the ARC-Seal, which cryptographically signs the full ARC chain to prevent tampering. That signing uses a private key, just like DKIM. The corresponding public key lives in DNS.

Rotation involves creating a new key pair, publishing the new public key in DNS under a new selector, switching the signing system to use the new private key, and then retiring the old key after DNS caches have expired. The sequence is the same as DKIM key rotation. You need to make sure the new key is published and resolvable before you start signing with it, otherwise receiving servers can't validate the new signatures.

So In practice, ARC-Seal rotation is mostly relevant for operators of mailing list servers or forwarding infrastructure that acts as an ARC intermediary. If you're sending through a major ARC-supporting ESP, they handle key rotation for you. If you're running your own mail infrastructure and have implemented ARC signing, key rotation should be part of your regular maintenance calendar, similar to how you'd handle DKIM private key management.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me plan ARC-Seal key rotation

I operate a mailing list server that has implemented ARC signing. I want to rotate our ARC-Seal keys and need help understanding the right sequence: when to publish the new public key, when to switch signing to the new private key, and how long to keep the old key around. Our DNS TTL is {ttl_seconds} seconds and our list serves {subscriber_count} subscribers.

Edit the yellow boxes, then send to the AI of your choice.