Can old DKIM records from previous ESPs negatively impact email sending reputation?
Summary
What email marketers say
9 marketer opinions
Email marketer from SparkPost documentation advises removing old DKIM records after migrating to a new ESP. It is important to remove old DKIM keys to avoid potential DNS spoofing attacks. Keeping them complicates DNS management and provides no benefit.
Email marketer from Mailgun documentation explains that it’s generally good practice to remove DKIM records from previous ESPs once you've fully transitioned to a new provider to avoid potential confusion or security risks.
Email marketer from EmailSecurityFAQ responds that while the presence of old DKIM records is unlikely to directly and negatively impact your email sending reputation, it is best to remove them for the purpose of security and tidiness.
Email marketer from SendGrid documentation advises that once you switch ESPs, you should remove the DKIM key from your old provider, but that if it is a different key there is no need to remove it.
Marketer from Email Geeks shares that even with valid DKIM signatures, unexpected traffic sources can be detected in DMARC reports if closely monitored.
Email marketer from StackOverflow shares the importance of cleaning old DNS records as they may no longer be needed for email sending and can potentially be misleading or introduce confusion to DNS resolvers and other systems that use your domain's DNS information.
Email marketer from Reddit suggests that leaving old DKIM records can clutter your DNS and make troubleshooting harder. Although there is very minimal risk, it is best to remove these records.
Email marketer from SuperUser forum suggests that maintaining up-to-date DNS is crucial for avoiding deliverability issues. The commenter suggests that old records should be removed, as doing so carries less risk.
Email marketer from AuthSMTP explains that removing older DKIM keys is good practice to keep your DNS records lean and relevant, as well as reduce any potential risk, albeit low, of those keys being compromised. They recommend removing old keys.
What the experts say
3 expert opinions
Expert from Word to the Wise explains that while old DKIM records by themselves rarely cause deliverability issues, a clean DNS setup contributes to better overall email health. Removing old records reduces clutter and the potential for misconfiguration.
Expert from Email Geeks explains that old DKIM records don't directly cause reputation issues unless mail is actively sent from that ESP. The signature carries the identifier, not the DNS records. He further explains that sender reputation is tied to the DKIM 'd=' domain, and while spam filters have memory, they eventually forget. Authentication allows mailbox providers to identify mail streams, making IP reputation less critical once a mailstream establishes its own reputation based on recipient responses.
Expert from Email Geeks suggests deleting old DKIM records mainly for tidiness. He explains that a long-standing DKIM key pair increases the risk of compromise and impersonation, although the risk is small.
What the documentation says
4 technical articles
Documentation from Microsoft explains that it is important to keep your DNS records up to date. Be sure to remove any old records and keys that you are no longer using. Using old keys is an unnecessary risk to your domain.
Documentation from Google explains that while old DKIM records themselves don't directly harm your reputation, maintaining accurate DNS records, including DKIM, is crucial for authentication and avoiding deliverability issues. Having unnecessary records can create confusion.
Documentation from RFC 6376 mentions that DNS records used for DKIM should be maintained carefully to avoid conflicts or confusion during the authentication process. Although it doesn't specifically discuss the negative impact of older records, it suggests best practices in maintaining DNS records for the best performance.
Documentation from DMARC.org shares that by having more DKIM records than you need, you leave more open doors for potential problems. Security is only as strong as the weakest point, so you should only have active DKIM keys configured.
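The points above about DMARC reports and about the signature carrying the identifier suggest a simple audit before deleting anything: check which selectors still appear in passing DKIM results. The following is an added example, not code from any of the cited sources; the report fragment, the domain example.com, and the selector inventory are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed DMARC aggregate report fragment (RFC 7489 layout); not real data.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>newesp1</selector><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>oldesp</selector><result>pass</result></dkim>
    </auth_results>
  </record>
</feedback>"""

# Hypothetical inventory of selectors published under example.com's _domainkey.
PUBLISHED = {"newesp1": "active", "oldesp": "retired", "legacy2019": "retired"}


def dkim_pass_counts(report_xml, domain):
    """Sum message counts per selector for passing DKIM results with d=domain."""
    counts = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        n = int(rec.findtext("row/count", "0"))
        for dkim in rec.iter("dkim"):
            if (dkim.findtext("domain", "").lower() == domain
                    and dkim.findtext("result") == "pass"):
                counts[dkim.findtext("selector", "(none)")] += n
    return counts


def audit(report_xml, domain, published):
    """Classify retired selectors: still signing mail vs. idle, plus unknown ones."""
    seen = dkim_pass_counts(report_xml, domain)
    retired = {s for s, state in published.items() if state == "retired"}
    return {
        "retired_still_signing": {s: seen[s] for s in sorted(retired) if seen[s]},
        "retired_idle": sorted(s for s in retired if not seen[s]),
        "unknown_selectors": sorted(set(seen) - set(published)),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_REPORT, "example.com", PUBLISHED).items():
        print(f"{finding}: {value}")
```

A retired selector that still produces passing signatures means mail is still being signed with the old provider's key and should be investigated before the record is removed; idle retired selectors are the ones that can simply be deleted.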