Does rotating DKIM keys improve email deliverability and how should DKIM keys be rotated?

Summary

The consensus is that rotating DKIM keys is primarily a security measure that indirectly benefits email deliverability. It's crucial for preventing deliverability issues stemming from compromised keys, mitigating the risk of spoofing and phishing, and maintaining a positive sender reputation. While not directly boosting deliverability scores, a failure to rotate keys poses a substantial security risk. The recommended process involves generating a new key pair, updating DNS records (often including a new selector), testing the new key, transitioning mail flow to the new key, and eventually removing the old key. Different ESPs may have different methods for managing key rotation, and setting up multiple selectors from the start is beneficial. Regularly reminding yourself to change the key is important for continued security.

Key findings

  • Security Imperative: DKIM key rotation is predominantly a security practice aimed at preventing key compromises and associated deliverability problems.
  • Indirect Deliverability: While it doesn't directly boost deliverability, maintaining a strong security posture through DKIM rotation indirectly contributes to a positive sender reputation.
  • Rotation Procedure: The typical DKIM key rotation process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key.
  • Selector Management: Utilizing multiple DKIM selectors or techniques like CNAME ping-pong can facilitate key rotation more smoothly.
  • Regular Reminders: Set a reminder to change the key regularly (every 6-12 months) to remain as secure as possible.

Key considerations

  • ESP Variations: Key rotation procedures can vary across different ESPs; understand your specific provider's requirements.
  • DNS Modifications: Plan for updating DNS records, which may require customer intervention if only one selector is initially configured.
  • Pre-Transition Testing: Thoroughly test the new DKIM key setup before completely switching over to prevent potential email delivery disruptions.
  • Rotation Frequency: Establish a regular DKIM key rotation schedule (e.g., every few months) based on security needs and industry recommendations.
  • Process Knowledge: Ensure internal expertise to manage DKIM key rotation effectively, especially in response to security compromises.

What email marketers say
13 marketer opinions

Rotating DKIM keys is primarily a security measure that indirectly benefits email deliverability. While not directly boosting deliverability scores, it prevents deliverability issues stemming from compromised keys, protects against spoofing and phishing attacks, and contributes to a positive sender reputation. The process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key. ESPs may handle rotation differently, some requiring customers to add new DNS records, while others use methods like CNAME ping-pong or maintain multiple selectors.

Key opinions

  • Security First: DKIM rotation is primarily for security, reducing the risk of key compromise and subsequent deliverability issues.
  • Indirect Deliverability Boost: Rotating DKIM keys doesn't directly improve deliverability but helps maintain a positive sender reputation, which indirectly benefits deliverability.
  • Rotation Process: The rotation process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key.
  • Selector Management: Using multiple selectors or CNAME ping-pong can simplify key rotation without immediate DNS changes for customers.
  • Regular Reminders: Once the keys are changed, you should set a reminder to change the key again in 6-12 months to remain as secure as possible.

Key considerations

  • ESP Differences: ESPs have different key rotation processes; understand your provider's method and requirements.
  • DNS Updates: Be prepared to update DNS records, potentially requiring customer action if your ESP uses a single selector.
  • Testing: Thoroughly test the new DKIM key setup before fully switching over to avoid email delivery disruptions.
  • Frequency: Rotate your DKIM keys regularly, typically every few months to a year, based on your security needs and industry best practices.
  • Transition Time: Allow sufficient time for the new key to propagate and the old key to expire to ensure uninterrupted email flow.
Marketer view

Email marketer from Email Vendor Guide suggests setting up multiple DKIM selectors from the start, even if you only use one initially. This makes key rotation easier later because you can switch to a new selector without requiring immediate DNS changes from your customers.

July 2021 - EmailVendorGuide.com
Marketer view

Email marketer from AuthSMTP explains that changing keys involves generating the new key pair, updating your DNS records and then sending a test email to ensure the new DKIM record is detected. Once the keys are changed you should set a reminder to change the key again in 6-12 months to remain as secure as possible.

December 2022 - AuthSMTP
Marketer view

Email marketer from Email Geeks says it's a security risk not to rotate, and compromises can hurt deliverability, but non-rotating in itself isn't necessarily a deliverability issue.

February 2024 - Email Geeks
Marketer view

Email marketer from Email Geeks says that AWeber rotates keys every few months because not rotating risks eventual compromise, which impacts deliverability. He states that one (security risk) leads to the other (impact on deliverability) given enough time.

December 2024 - Email Geeks
Marketer view

Email marketer from Mailhardener explains that DKIM key rotation is a crucial aspect of email security. While it may not directly boost deliverability scores, it significantly reduces the risk of email spoofing and phishing attacks. Regular key rotation involves generating new DKIM keys, updating DNS records, and ensuring a smooth transition to the new keys to avoid email delivery disruptions.

February 2025 - Mailhardener
Marketer view

Email marketer from Postmark emphasizes that while DKIM itself primarily authenticates your email, properly maintained DKIM, including key rotation, contributes to a positive sender reputation. This positive reputation indirectly improves deliverability by signaling to ISPs that you're a trustworthy sender.

June 2023 - Postmark
Marketer view

Email marketer from Reddit comments that DKIM rotation itself doesn't boost deliverability *directly*, but it *protects* your deliverability. Think of it like changing your passwords regularly. You're preventing future problems, not fixing current ones.

September 2023 - Reddit
Marketer view

Email marketer from Email Geeks answers that if an ESP only asked for one selector initially, the way to rotate keys is to ask all customers to set a new DNS record and that most ESPs that do rotation ask you to add all selectors at setup.

June 2021 - Email Geeks
Marketer view

Email marketer from SparkPost states that DKIM rotation is important for security, not directly for improving deliverability. They advise rotating keys regularly and having a process for key rotation to avoid problems when key compromise happens.

October 2024 - SparkPost
Marketer view

Email marketer from Email Geeks shares that Microsoft rotates between selector1 and selector2 when you rotate the keys, keeping the old keys active for a period of time, and they start using the new selector immediately after rotation. It is best practice.

July 2022 - Email Geeks
Marketer view

Email marketer from DMARC Analyzer comments that to rotate DKIM keys effectively, it's recommended that you first generate your new key, before adding a second DKIM record to the DNS. Next you can test if it works. After this you switch your mail flow to the new key and remove the old key safely.

October 2024 - DMARC Analyzer
Marketer view

Email marketer from SendGrid advises that rotating your DKIM keys is a crucial component of security hygiene. A strong security posture aids your sending reputation and keeps your deliverability rates high, and rotating your keys is an essential step towards building and maintaining that secure email sending environment.

June 2023 - SendGrid
Marketer view

Email marketer from StackOverflow answers that key rotation is like changing your locks. It doesn't matter until your key is stolen but, when it is, it will matter a lot. Regularly changing keys and rotating them correctly makes sure you have a process when something bad does happen.

October 2024 - StackOverflow

What the experts say
8 expert opinions

Experts generally agree that DKIM key rotation is crucial for email security, primarily to prevent deliverability issues that arise from compromised keys. While it may not directly boost deliverability, failing to rotate keys poses a significant security risk. Key rotation involves publishing a new key with a new selector, signing emails with the new key, and eventually removing the old key from DNS. Having multiple keys and a rotation strategy is recommended. CNAME ping-pong is a common method used by ESPs.

Key opinions

  • Security Focus: DKIM key rotation is mainly for security to maintain key hygiene and mitigate the risk of compromised keys.
  • Selector Change: Changing the selector is a necessary step in the DKIM key rotation process.
  • Rotation Process: The standard rotation process involves publishing a new key with a new selector, signing emails with the new key, and then deleting the old key.
  • Strategy Importance: Having a key rotation strategy and multiple keys facilitates a smoother transition and prevents disruptions.
  • ESP Methods: CNAME ping-pong is a common method ESPs use for key rotation.

Key considerations

  • Compromised Keys: Failure to rotate keys increases the risk of deliverability issues if a key is compromised.
  • Planning: Plan for key rotation and have a strategy in place to ensure the process is handled correctly.
  • Changing Selectors: Ensure you understand how to change selectors as part of your DKIM key rotation process.
  • Process Familiarity: Familiarize yourself with the key rotation process to ensure someone in your organization knows how to execute it properly in case of a compromise.
  • Multiple Keys: Consider having multiple keys from the beginning to make rotation easier.
Expert view

Expert from Word to the Wise explains that the reason to have multiple keys is so that one can rotate keys, and you should plan for a key rotation strategy.

May 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares an article comparing possible ways ESPs might rotate DKIM keys, mentioning CNAME ping-pong as the most common method.

September 2023 - Email Geeks
Expert view

Expert from Email Geeks suggests that a big reason to rotate keys regularly is so that when you _have_ to rotate them due to a compromise, you can be fairly sure there’s someone in the company who knows how to do that without breaking all the things.

September 2024 - Email Geeks
Expert view

Expert from Email Geeks states he's seldom seen evidence that people rotate DKIM keys, but notes Fastmail is in the top 1% of companies doing things right and rotates keys regularly.

July 2023 - Email Geeks
Expert view

Expert from Email Geeks mentions that one platform has active keys dating back to 2006 and if compromised, deliverability will likely tank, implying a security risk in not rotating keys.

July 2023 - Email Geeks
Expert view

Expert from Email Geeks explains the DKIM key rotation process: publish a new key with a new selector, start signing and sending with that new key, then after some time, delete the old public key from DNS. Repeat.

July 2024 - Email Geeks
Expert view

Expert from Word to the Wise comments: "Rotating keys has been drilled into me for key hygiene. Compromised keys, old keys, all security issues."

August 2022 - Word to the Wise
Expert view

Expert from Email Geeks says you need to change the selector when rotating DKIM keys.

September 2024 - Email Geeks

What the documentation says
3 technical articles

Documentation emphasizes that DKIM key rotation is a security best practice, primarily aimed at mitigating the risk of key compromise. While it doesn't directly improve deliverability, it prevents deliverability issues caused by compromised keys. The process involves generating a new key pair, updating DNS records, and gradually switching to the new key. DKIM uses selectors to facilitate key rotation, allowing senders to transition to a new key without invalidating old signatures by publishing multiple keys under different selectors.

Key findings

  • Security Priority: DKIM key rotation is primarily a security measure to protect against key compromise.
  • Deliverability Protection: While not a direct improvement, rotation prevents deliverability problems caused by compromised keys.
  • Rotation Steps: The rotation process includes generating a new key pair, updating DNS records, and gradually switching to the new key.
  • Selector Function: DKIM selectors enable key rotation by allowing senders to publish multiple keys and transition without invalidating old signatures.
  • Rotation Frequency: Google recommends rotating DKIM keys at least every few months to maintain security.

Key considerations

  • Key Generation: Properly generate a new key pair for each rotation.
  • DNS Updates: Ensure timely and accurate updates to DNS records during the rotation process.
  • Gradual Switch: Implement a gradual switch to the new key to avoid disruptions.
  • Selector Management: Utilize DKIM selectors effectively to manage multiple keys during the transition.
  • Regular Rotation: Establish a schedule for regular DKIM key rotation to maintain security.
Technical article

Documentation from M3AAWG.org details that DKIM key rotation is a security best practice to mitigate the risk of key compromise. While not directly improving deliverability, it prevents deliverability issues caused by compromised keys. Rotation involves generating a new key pair, updating the DNS record, and gradually switching over to the new key.

December 2022 - M3AAWG.org
Technical article

Documentation from RFC Editor explains that DKIM uses selectors to allow for key rotation. By publishing multiple keys under different selectors, senders can transition to a new key without immediately invalidating old signatures. The receiving server uses the selector to retrieve the correct public key for verification.

June 2024 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help states that rotating DKIM keys regularly is crucial for maintaining email security. Google recommends rotating DKIM keys at least every few months. The process involves generating a new key, updating the DNS records, and then enabling DKIM signing with the new key in the Google Workspace admin console.

January 2022 - Google Workspace Admin Help
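
The rotation steps and the selector mechanism summarized above can be turned into a pre-flight check that refuses to retire a key while mail still depends on it. This is an added example, not code from any of the sources quoted on this page; the selectors s2024 and s2025, the domain example.com, the 7-day grace period and the placeholder key are constructed assumptions.

```python
import base64
import binascii
from datetime import timedelta

GRACE = timedelta(days=7)  # assumption: how long old signatures must stay verifiable
FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
ZONE = {  # constructed sample of published TXT records
    "s2024._domainkey.example.com": "v=DKIM1; k=rsa; p=" + FAKE_KEY,
    "s2025._domainkey.example.com": "v=DKIM1; k=rsa; p=" + FAKE_KEY,
}


def parse_dkim_record(txt):  # tag=value pairs separated by ';'
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def key_state(zone, selector, domain):
    """Classify one selector as 'missing', 'invalid', 'revoked' or 'active'."""
    txt = zone.get(f"{selector}._domainkey.{domain}")
    if txt is None:
        return "missing"
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # an empty p= tag marks a revoked key
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "invalid"
    return "active"


def next_step(zone, domain, old, new, signing_with, last_old_signature, today):
    """Return the next rotation action without retiring a key mail still needs."""
    new_state = key_state(zone, new, domain)
    if old == new or new_state != "active":
        return f"publish a key under a new selector ({new} is {new_state})"
    if signing_with != new:
        return f"test {new}, then switch signing to it"
    if today - last_old_signature < GRACE:
        return f"keep {old} published"
    if key_state(zone, old, domain) != "missing":
        return f"remove {old} from DNS"
    return "rotation complete"
```

In practice the zone dictionary would be filled from live TXT lookups of each selector name rather than from the constructed sample.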