How should I manage DKIM private keys securely?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your DKIM private key is what makes your email authentication work. If someone gets hold of it, they can forge DKIM signatures on messages that appear to come from your domain. That's a phishing risk that bypasses authentication entirely.
But The good news is that if you send through a reputable ESP, they're probably handling key storage for you. The question is whether they're doing it well. Here's what secure key management looks like:
Store keys where humans can't easily reach them. The private key should live in encrypted, access-controlled storage. Hardware security modules (HSMs) are the gold standard for high-volume senders. For smaller operations, encrypted key vaults (like AWS KMS, Google Cloud KMS, or HashiCorp Vault) are reasonable alternatives.
Never put private keys in shared documents, email threads, or git repos. Not even private ones. This sounds obvious but happens constantly.
Limit access. Only systems that need to sign email should have access to the private key. Not your entire engineering team, not your DNS admin. Principle of least privilege.
Maintain audit logs. Know who or what accesses the key and when. If a key is misused, you need to be able to trace it.
Rotate regularly using selectors. DKIM's selector architecture is designed for rotation. Create a new selector, update your signing infrastructure to use it, then retire the old one after the DNS TTL expires. Many security frameworks recommend annual rotation at minimum. If you're on 1024-bit keys, rotation to 2048-bit is urgent, not just periodic maintenance.
And If you're not sure how your current DKIM setup is configured, start by looking up your public key with our free Review My Emails DKIM checker. It won't show you the private key (nothing should), but it confirms your public key is published correctly and shows the key length.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.