Does rotating DKIM keys improve email deliverability and how should DKIM keys be rotated?
Summary
What email marketers say (13 marketer opinions)
Email marketer from Email Vendor Guide suggests setting up multiple DKIM selectors from the start, even if you only use one initially. This makes key rotation easier later because you can switch to a new selector without requiring immediate DNS changes from your customers.
Email marketer from AuthSMTP explains that changing keys involves generating the new key pair, updating your DNS records and then sending a test email to ensure the new DKIM record is detected. Once the keys are changed you should set a reminder to change the key again in 6-12 months to remain as secure as possible.
Email marketer from Email Geeks says it's a security risk not to rotate, and compromises can hurt deliverability, but non-rotating in itself isn't necessarily a deliverability issue.
Email marketer from Email Geeks says that AWeber rotates keys every few months because not rotating risks eventual compromise, which impacts deliverability. He states that one (security risk) leads to the other (impact on deliverability) given enough time.
Email marketer from Mailhardener explains that DKIM key rotation is a crucial aspect of email security. While it may not directly boost deliverability scores, it significantly reduces the risk of email spoofing and phishing attacks. Regular key rotation involves generating new DKIM keys, updating DNS records, and ensuring a smooth transition to the new keys to avoid email delivery disruptions.
Email marketer from Postmark emphasizes that while DKIM itself primarily authenticates your email, properly maintained DKIM, including key rotation, contributes to a positive sender reputation. This positive reputation indirectly improves deliverability by signaling to ISPs that you're a trustworthy sender.
Email marketer from Reddit comments that DKIM rotation itself doesn't boost deliverability *directly*, but it *protects* your deliverability. Think of it like changing your passwords regularly. You're preventing future problems, not fixing current ones.
Email marketer from Email Geeks answers that if an ESP only asked for one selector initially, the way to rotate keys is to ask all customers to set a new DNS record and that most ESPs that do rotation ask you to add all selectors at setup.
Email marketer from SparkPost states that DKIM rotation is important for security, not directly for improving deliverability. They advise rotating keys regularly and having a process for key rotation to avoid problems when key compromise happens.
Email marketer from Email Geeks shares that Microsoft rotates between selector1 and selector2 when you rotate the keys, keeping the old keys active for a period of time, and they start using the new selector immediately after rotation. It is best practice.
Email marketer from DMARC Analyzer comments that to rotate DKIM keys effectively, it's recommended that you first generate your new key, before adding a second DKIM record to the DNS. Next you can test if it works. After this you switch your mail flow to the new key and remove the old key safely.
Email marketer from SendGrid advises that rotating your DKIM keys is a crucial component of security hygiene. A strong security posture aids your sending reputation and keeps your deliverability rates high, and rotating your keys is an essential step towards building and maintaining that secure email sending environment.
Email marketer from StackOverflow answers that key rotation is like changing your locks. It doesn't matter until your key is stolen but, when it is, it will matter a lot. Regularly changing keys and rotating them correctly makes sure you have a process when something bad does happen.
What the experts say (8 expert opinions)
Expert from Word to the Wise explains that the reason to have multiple keys is so that one can rotate keys, and you should plan for a key rotation strategy.
Expert from Email Geeks shares an article comparing possible ways ESPs might rotate DKIM keys, mentioning CNAME ping-pong as the most common method.
Expert from Email Geeks suggests that a big reason to rotate keys regularly is so that when you _have_ to rotate them due to a compromise, you can be fairly sure there’s someone in the company who knows how to do that without breaking all the things.
Expert from Email Geeks states he's seldom seen evidence that people rotate DKIM keys, but notes Fastmail is in the top 1% of companies doing things right and rotate keys regularly.
Expert from Email Geeks mentions that one platform has active keys dating back to 2006 and if compromised, deliverability will likely tank, implying a security risk in not rotating keys.
Expert from Email Geeks explains the DKIM key rotation process: publish a new key with a new selector, start signing and sending with that new key, then after some time, delete the old public key from DNS. Repeat.
Expert from Word to the Wise comments that rotating keys has been drilled into them for key hygiene. Compromised keys, old keys, all security issues.
Expert from Email Geeks says you need to change the selector when rotating DKIM keys.
What the documentation says (3 technical articles)
Documentation from M3AAWG.org details that DKIM key rotation is a security best practice to mitigate the risk of key compromise. While not directly improving deliverability, it prevents deliverability issues caused by compromised keys. Rotation involves generating a new key pair, updating the DNS record, and gradually switching over to the new key.
Documentation from RFC Editor explains that DKIM uses selectors to allow for key rotation. By publishing multiple keys under different selectors, senders can transition to a new key without immediately invalidating old signatures. The receiving server uses the selector to retrieve the correct public key for verification.
Documentation from Google Workspace Admin Help states that rotating DKIM keys regularly is crucial for maintaining email security. Google recommends rotating DKIM keys at least every few months. The process involves generating a new key, updating the DNS records, and then enabling DKIM signing with the new key in the Google Workspace admin console.
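The rotation sequence described above (publish a new key under a new selector, confirm the record resolves, switch signing, keep the old record published until in-flight mail has been verified, then retire it) as an added, self-contained example; it is not code from the original page or from any of the vendors quoted. It models only the DNS and selector side of DKIM: the key material, the domain example.com, the selector names s1/s2 and the b= value are constructed placeholders, and the receiver check stops at key retrieval rather than performing a real RSA signature verification.

```python
"""DKIM key rotation via selectors, modelled on the DNS side (added example).

The key material is a constructed placeholder: real DKIM uses an RSA or
Ed25519 key pair and signs canonicalized headers. What this models is the part
rotation actually changes: which selectors are published, which one is
signing, and what a receiver sees when it looks the selector up.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def generate_key_material() -> tuple[bytes, bytes]:
    """Constructed stand-in for key generation: returns (private, public)."""
    private = secrets.token_bytes(32)
    return private, hashlib.sha256(private).digest()


def dkim_txt_record(public: bytes, revoked: bool = False) -> str:
    """TXT value for <selector>._domainkey.<domain>; an empty p= publishes the selector as revoked."""
    p = "" if revoked else base64.b64encode(public).decode()
    return f"v=DKIM1; k=rsa; p={p}"


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Parse the semicolon-separated tag=value list of a DKIM record."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


@dataclass
class Zone:
    """Minimal in-memory DNS zone holding only _domainkey TXT records."""
    records: dict[str, str] = field(default_factory=dict)

    @staticmethod
    def name(selector: str, domain: str) -> str:
        return f"{selector}._domainkey.{domain}"

    def publish(self, selector: str, domain: str, txt: str) -> None:
        self.records[self.name(selector, domain)] = txt

    def remove(self, selector: str, domain: str) -> None:
        self.records.pop(self.name(selector, domain), None)

    def lookup(self, selector: str, domain: str):
        return self.records.get(self.name(selector, domain))


def selector_is_live(zone: Zone, selector: str, domain: str, public: bytes) -> bool:
    """Pre-switch check: the new record resolves, is a DKIM record, and its p=
    carries the key we are about to sign with (catches a mistyped or
    not-yet-propagated record before any mail is signed with it)."""
    txt = zone.lookup(selector, domain)
    if txt is None:
        return False
    tags = parse_dkim_record(txt)
    return tags.get("v") == "DKIM1" and tags.get("p") == base64.b64encode(public).decode()


@dataclass
class Signer:
    domain: str
    selector: str
    private: bytes

    def sign(self, body: str) -> dict[str, str]:
        """Emit the d= and s= tags a receiver needs for key lookup; b= is a placeholder digest."""
        digest = hashlib.sha256(self.private + body.encode()).digest()
        return {"d": self.domain, "s": self.selector, "b": base64.b64encode(digest).decode()}


def verify_key_lookup(zone: Zone, msg: dict[str, str]) -> str:
    """Receiver side, key-retrieval step only: fetch <s>._domainkey.<d>."""
    txt = zone.lookup(msg["s"], msg["d"])
    if txt is None:
        return "permfail: no key record for selector"
    tags = parse_dkim_record(txt)
    if tags.get("v") != "DKIM1":
        return "permfail: not a DKIM record"
    if not tags.get("p"):
        return "permfail: key revoked"
    return "key found"


def rotation_walkthrough(domain: str = "example.com") -> dict[str, str]:
    """Run the rotation sequence and report what a receiver sees at each stage."""
    zone = Zone()
    old_priv, old_pub = generate_key_material()
    zone.publish("s1", domain, dkim_txt_record(old_pub))
    signer = Signer(domain, "s1", old_priv)
    in_flight = signer.sign("queued at a remote MTA before rotation")  # constructed
    # 1. Generate the new key and publish it under a NEW selector next to the old one.
    new_priv, new_pub = generate_key_material()
    zone.publish("s2", domain, dkim_txt_record(new_pub))
    # 2. Confirm the record is live before switching (the "send a test email" step).
    live = selector_is_live(zone, "s2", domain, new_pub)
    # 3. Switch signing to the new selector; the old record stays published.
    signer.selector, signer.private = "s2", new_priv
    new_msg = signer.sign("sent after rotation")
    out = {
        "new_selector_live": str(live),
        "new_mail": verify_key_lookup(zone, new_msg),
        "in_flight_while_old_published": verify_key_lookup(zone, in_flight),
    }
    # 4. Retire the old selector only after the longest plausible delivery delay;
    #    removing it while mail is still in transit turns those signatures into permfails.
    zone.remove("s1", domain)
    out["in_flight_after_old_removed"] = verify_key_lookup(zone, in_flight)
    return out
```

The last step is the one that bites in practice: the old selector's record must outlive every message signed with it, which is why the experts above keep the old key published for a period after switching rather than deleting it on the same day.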