What is a good DKIM key rotation strategy?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Rotating DKIM keys isn't as simple as swapping one key for another. If you pull the old key before all your sending systems are using the new one, messages in transit will fail validation. The safe approach takes a few days but it's not complicated once you know the sequence.
Step 1: Generate the new key pair and publish the new selector in DNS. Use a fresh selector name (like s2 if your current selector is s1, or 2024 if you use year-based naming). Your old selector stays live throughout this process.
Step 2: Update your sending systems to sign with the new key. That means every ESP, CRM, transactional mail service, and any other service sending from your domain. Don't retire the old key yet.
Step 3: Wait for DNS propagation and send some test messages. Check the Authentication-Results header in the received email to confirm the new DKIM signature is passing. Most DNS changes propagate within a few hours, but waiting 24-48 hours gives everything time to settle, especially for emails that were in transit during the change. Step 4: Remove the old selector from DNS. Only once you've confirmed the new key is signing successfully across all systems. If you're using 2048-bit keys (which you should be), the performance difference from the old key is negligible.
Most recommendations say to rotate annually, though some security-conscious senders do it quarterly. Our free DKIM record lookup can verify your current key is published and validate the record format before and after a rotation.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.