DKIM key rotation replaces your signing key pair periodically to limit damage if a private key is compromised. Recommended schedule: every 6-12 months for 2048-bit keys. Process: 1) Generate new key pair with a new selector, 2) Publish new public key in DNS alongside the old one, 3) Switch your signing to the new key, 4) Wait 48 hours for in-transit messages to clear, 5) Remove old DNS record. Never remove the old key before switching — in-transit messages signed with the old key need it for verification.
DKIM Key Rotation: Why, When, and How
The Rotation Process
Step 1: Generate New Key
Create a new DKIM key pair with a new selector:
- Old key: selector1._domainkey.yourdomain.com
- New key: selector2._domainkey.yourdomain.com
Step 2: Publish New Public Key
Add the new selector's DNS record before changing anything else:
selector2._domainkey.yourdomain.com TXT v=DKIM1; k=rsa; p=NEW_PUBLIC_KEY
Wait for DNS propagation (1-4 hours).
Step 3: Switch Signing
Update your ESP or MTA to sign with the new selector (selector2) and new private key.
- Google Workspace: Admin Console → Generate new key → add DNS → Start Authentication with new key
- Mailgun: Dashboard → Domain → DKIM → rotate
- SendGrid: Domain Authentication → rotate (if supported, or re-authenticate domain)
Step 4: Overlap Period (48 hours)
Keep BOTH DNS records active:
selector1._domainkey → OLD public key (for messages already in transit)
selector2._domainkey → NEW public key (for new messages)
Messages sent before the switch are signed with the old key. They need the old DNS record to verify. After 48 hours, all old messages should have been delivered.
Step 5: Remove Old Key
After 48 hours, remove the old selector's DNS record:
DELETE: selector1._domainkey.yourdomain.com
Done. Your DKIM is now using the new key with zero disruption.
Rotation Schedule
| Key Size / Situation | Rotation Frequency | Risk if Not Rotated |
|---|---|---|
| 2048-bit | Every 6-12 months | Low (strong key) |
| 1024-bit | Every 3-6 months | Medium (weaker key, should upgrade to 2048) |
| After suspected compromise | Immediately | Critical |
By ESP
Google Workspace
Admin Console → Apps → Gmail → Authenticate Email:
- Generate new record (new selector)
- Add new TXT record to DNS
- Wait for propagation
- Click "Start Authentication" for new key
- Old key is automatically replaced
Mailgun
Mailgun can generate new DKIM keys per domain. Check domain settings for rotation options, or re-verify the domain with new keys.
SendGrid
Re-authenticate your domain through Sender Authentication. This generates new DKIM CNAME records with new selectors.
Self-Hosted (Postfix/Mailcow)
- Generate new key pair: opendkim-genkey -s selector2 -d yourdomain.com
- Publish new public key in DNS
- Update OpenDKIM config to use new selector and key
- Restart OpenDKIM
- Remove old DNS record after 48 hours
Common Rotation Mistakes
- Removing old key before switching. In-transit messages fail DKIM verification. Always overlap.
- Same selector for new key. Use a NEW selector name. The DNS cache may still hold the old public key under the old selector name.
- Not verifying the new key works. After switching, send a test email and check that the DKIM-Signature header carries the new selector (s=selector2) and that the Authentication-Results header shows dkim=pass.
- Forgetting to rotate. Set a calendar reminder for 6-month or 12-month intervals.
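An added check for the overlap period and the test-send verification above (example code, not part of the original page): it parses both selectors' TXT records, classifies the rotation state so that the three mistakes are caught before the old record is deleted, and confirms that a test message's DKIM-Signature uses the new selector. The records and the header are constructed placeholders standing in for a live DNS lookup and a real signed message; yourdomain.com, selector1 and selector2 follow the naming used on this page.

```python
import base64
import re

# Constructed sample data (placeholders, not real RSA keys): what a DNS lookup of each
# selector returns during the overlap, plus the DKIM-Signature header of a test send.
RECORDS = {
    "selector1._domainkey.yourdomain.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"OLD-KEY-PLACEHOLDER").decode(),
    "selector2._domainkey.yourdomain.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"NEW-KEY-PLACEHOLDER").decode(),
}
TEST_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; "
               "s=selector2; h=from:to:subject; bh=placeholder=; b=placeholder==")

def parse_dkim_record(txt):
    """Parse an RFC 6376 tag=value TXT record; raise ValueError if it is unusable."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is allowed
    if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("record lacks p= or has an unsupported v=/k=")
    base64.b64decode(tags["p"], validate=True)  # an empty p= means the key is revoked
    return tags

def rotation_state(records, domain, old_sel, new_sel):
    """Classify the overlap; only 'overlap' means it is safe to switch signing to new_sel."""
    old = records.get(f"{old_sel}._domainkey.{domain}")
    new = records.get(f"{new_sel}._domainkey.{domain}")
    if new is None:
        return "new-key-not-published"      # step 2 not done: do not switch yet
    new_p = parse_dkim_record(new)["p"]
    if not new_p:
        return "new-key-revoked"            # empty p= publishes a revoked key
    if old is None:
        return "old-key-removed"            # mistake 1: in-transit mail will fail
    if parse_dkim_record(old)["p"] == new_p:
        return "same-key-both-selectors"    # mistake 2: nothing was actually rotated
    return "overlap"

def header_uses_selector(header, domain, selector):
    """True if the DKIM-Signature header signs for `domain` with `selector` (mistake 3)."""
    body = header.split(":", 1)[1]  # drop the "DKIM-Signature" field name
    tags = dict(re.findall(r"\b([a-z]+)=([^;]*)", body))
    return tags.get("d", "").strip() == domain and tags.get("s", "").strip() == selector
```

To run it against live data, replace RECORDS with the TXT answers from your resolver and TEST_HEADER with the header copied from the test message's raw source.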
Practitioner note: DKIM key rotation is the authentication maintenance task most businesses skip. They set up DKIM once and never touch it. In most cases, this is fine — 2048-bit keys are strong. But if you're in a regulated industry (healthcare, finance) or have had any security incidents, rotation is a best practice worth implementing.
Practitioner note: The overlap period is critical. I've seen admins delete the old DNS record the same minute they switch keys. Messages that were already in transit (signed with the old key) fail DKIM verification because the old public key is gone. Always wait 48 hours.
For background on DKIM selectors and naming, see DKIM selector explained. For the complete setup process, see the DKIM setup guide. For key length considerations, see 1024-bit vs 2048-bit DKIM keys. If you need DKIM rotation managed across multiple domains, schedule a consultation.
Sources
- RFC 6376: DKIM (Key Management)
- Google: DKIM Key Rotation
v1.0 · March 2026
Frequently Asked Questions
Why should I rotate DKIM keys?
If your private key is compromised (server breach, unauthorized access), an attacker can sign email as your domain indefinitely. Rotation limits the window of exposure. It's also security hygiene — just like rotating passwords and API keys.
How often should I rotate DKIM keys?
Every 6-12 months for 2048-bit keys. Every 3-6 months for 1024-bit keys (shorter keys are more vulnerable). If you suspect compromise: rotate immediately. Some highly regulated industries require quarterly rotation.
Will rotation break my email?
Not if done correctly. The key: overlap periods. Publish the new key before switching signing. Keep the old key published for 48 hours after switching (for in-transit messages). During the overlap, both keys are valid. No disruption.
Does Google Workspace rotate DKIM keys automatically?
Google Workspace supports generating a new key in Admin Console, but rotation is manual. You must: generate new key → add new DNS record → enable new key → remove old DNS record. It's not automated.
What is a DKIM selector and how does it relate to rotation?
The selector identifies which key to use (e.g., s=google, s=k1, s=selector2). During rotation, you use a new selector for the new key. Old selector: selector1._domainkey (old key). New selector: selector2._domainkey (new key). Both exist simultaneously during the overlap period.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.