Does rotating DKIM keys improve email deliverability and how should DKIM keys be rotated?

Summary

The consensus is that rotating DKIM keys is primarily a security measure that indirectly benefits email deliverability. It's crucial for preventing deliverability issues stemming from compromised keys, mitigating the risk of spoofing and phishing, and maintaining a positive sender reputation. While not directly boosting deliverability scores, a failure to rotate keys poses a substantial security risk. The recommended process involves generating a new key pair, updating DNS records (often including a new selector), testing the new key, transitioning mail flow to the new key, and eventually removing the old key. Different ESPs may have different methods for managing key rotation, and setting up multiple selectors from the start is beneficial. Regularly reminding yourself to change the key is important for continued security.

Key findings

  • Security Imperative: DKIM key rotation is predominantly a security practice aimed at preventing key compromises and associated deliverability problems.
  • Indirect Deliverability: While it doesn't directly boost deliverability, maintaining a strong security posture through DKIM rotation indirectly contributes to a positive sender reputation.
  • Rotation Procedure: The typical DKIM key rotation process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key.
  • Selector Management: Utilizing multiple DKIM selectors or techniques like CNAME ping-pong can facilitate key rotation more smoothly.
  • Regular Reminders: Set a reminder to rotate the key regularly (every 6-12 months) so the domain stays as secure as possible.

Key considerations

  • ESP Variations: Key rotation procedures can vary across different ESPs; understand your specific provider's requirements.
  • DNS Modifications: Plan for updating DNS records, which may require customer intervention if only one selector is initially configured.
  • Pre-Transition Testing: Thoroughly test the new DKIM key setup before completely switching over to prevent potential email delivery disruptions.
  • Rotation Frequency: Establish a regular DKIM key rotation schedule (e.g., every few months) based on security needs and industry recommendations.
  • Process Knowledge: Ensure internal expertise to manage DKIM key rotation effectively, especially in response to security compromises.

What email marketers say
13 marketer opinions

Rotating DKIM keys is primarily a security measure that indirectly benefits email deliverability. While not directly boosting deliverability scores, it prevents deliverability issues stemming from compromised keys, protects against spoofing and phishing attacks, and contributes to a positive sender reputation. The process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key. ESPs may handle rotation differently, some requiring customers to add new DNS records, while others use methods like CNAME ping-pong or maintain multiple selectors.

Key opinions

  • Security First: DKIM rotation is primarily for security, reducing the risk of key compromise and subsequent deliverability issues.
  • Indirect Deliverability Boost: Rotating DKIM keys doesn't directly improve deliverability but helps maintain a positive sender reputation, which indirectly benefits deliverability.
  • Rotation Process: The rotation process involves generating a new key pair, updating DNS records (often with a new selector), testing the new key, switching mail flow, and eventually removing the old key.
  • Selector Management: Using multiple selectors or CNAME ping-pong can simplify key rotation without immediate DNS changes for customers.
  • Regular Reminders: Once the keys are changed, you should set a reminder to change the key again in 6-12 months to remain as secure as possible.

Key considerations

  • ESP Differences: ESPs have different key rotation processes; understand your provider's method and requirements.
  • DNS Updates: Be prepared to update DNS records, potentially requiring customer action if your ESP uses a single selector.
  • Testing: Thoroughly test the new DKIM key setup before fully switching over to avoid email delivery disruptions.
  • Frequency: Rotate your DKIM keys regularly, typically every few months to a year, based on your security needs and industry best practices.
  • Transition Time: Allow sufficient time for the new key to propagate and the old key to expire to ensure uninterrupted email flow.

Marketer view

Email marketer from Email Vendor Guide suggests setting up multiple DKIM selectors from the start, even if you only use one initially. This makes key rotation easier later because you can switch to a new selector without requiring immediate DNS changes from your customers.

July 2021 - EmailVendorGuide.com

Marketer view

Email marketer from AuthSMTP explains that changing keys involves generating the new key pair, updating your DNS records and then sending a test email to ensure the new DKIM record is detected. Once the keys are changed you should set a reminder to change the key again in 6-12 months to remain as secure as possible.

December 2022 - AuthSMTP

What the experts say
8 expert opinions

Experts generally agree that DKIM key rotation is crucial for email security, primarily to prevent deliverability issues that arise from compromised keys. While it may not directly boost deliverability, failing to rotate keys poses a significant security risk. Key rotation involves publishing a new key with a new selector, signing emails with the new key, and eventually removing the old key from DNS. Having multiple keys and a rotation strategy is recommended. CNAME ping-pong is a common method used by ESPs.

Key opinions

  • Security Focus: DKIM key rotation is mainly for security to maintain key hygiene and mitigate the risk of compromised keys.
  • Selector Change: Changing the selector is a necessary step in the DKIM key rotation process.
  • Rotation Process: The standard rotation process involves publishing a new key with a new selector, signing emails with the new key, and then deleting the old key.
  • Strategy Importance: Having a key rotation strategy and multiple keys facilitates a smoother transition and prevents disruptions.
  • ESP Methods: CNAME ping-pong is a common method ESPs use for key rotation.

Key considerations

  • Compromised Keys: Failure to rotate keys increases the risk of deliverability issues if a key is compromised.
  • Planning: Plan for key rotation and have a strategy in place to ensure the process is handled correctly.
  • Changing Selectors: Ensure you understand how to change selectors as part of your DKIM key rotation process.
  • Process Familiarity: Familiarize yourself with the key rotation process to ensure someone in your organization knows how to execute it properly in case of a compromise.
  • Multiple Keys: Consider having multiple keys from the beginning to make rotation easier.

Expert view

Expert from Word to the Wise explains that the reason to have multiple keys is so that one can rotate keys, and you should plan for a key rotation strategy.

May 2022 - Word to the Wise

Expert view

Expert from Email Geeks shares an article comparing possible ways ESPs might rotate DKIM keys, mentioning CNAME ping-pong as the most common method.

September 2023 - Email Geeks

What the documentation says
3 technical articles

Documentation emphasizes that DKIM key rotation is a security best practice, primarily aimed at mitigating the risk of key compromise. While it doesn't directly improve deliverability, it prevents deliverability issues caused by compromised keys. The process involves generating a new key pair, updating DNS records, and gradually switching to the new key. DKIM uses selectors to facilitate key rotation, allowing senders to transition to a new key without invalidating old signatures by publishing multiple keys under different selectors.

Key findings

  • Security Priority: DKIM key rotation is primarily a security measure to protect against key compromise.
  • Deliverability Protection: While not a direct improvement, rotation prevents deliverability problems caused by compromised keys.
  • Rotation Steps: The rotation process includes generating a new key pair, updating DNS records, and gradually switching to the new key.
  • Selector Function: DKIM selectors enable key rotation by allowing senders to publish multiple keys and transition without invalidating old signatures.
  • Rotation Frequency: Google recommends rotating DKIM keys at least every few months to maintain security.

Key considerations

  • Key Generation: Properly generate a new key pair for each rotation.
  • DNS Updates: Ensure timely and accurate updates to DNS records during the rotation process.
  • Gradual Switch: Implement a gradual switch to the new key to avoid disruptions.
  • Selector Management: Utilize DKIM selectors effectively to manage multiple keys during the transition.
  • Regular Rotation: Establish a schedule for regular DKIM key rotation to maintain security.
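The selector-based rotation the sections above describe (publish the new key under a new selector, verify it, switch the signer, then retire the old key) can be gated with a few checks on the published records. The following is an added example, not code from any of the quoted sources; the selector names, the `example.com` domain, the placeholder `p=` values and the 7-day grace period are assumptions, and a real deployment would replace the `PUBLISHED` dictionary with a DNS lookup.

```python
import base64

# Constructed DNS answers for <selector>._domainkey.<domain>; the p= values are
# placeholder base64, not real RSA public keys (example data, not from the page).
PUBLISHED = {
    "s2022a._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= = key revoked (RFC 6376 3.6.1)
    "s2023a._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"old-key").decode(),
    "s2024a._domainkey.example.com": "v=DKIM1; k=rsa; h=sha256; p=" + base64.b64encode(b"new-key").decode(),
    "s2024b._domainkey.example.com": "v=DKIM1; t=y; p=" + base64.b64encode(b"trial-key").decode(),
}


def parse_dkim_record(txt):
    """Split a DKIM key record into its tag=value pairs (whitespace inside values is ignored)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = "".join(value.split())
    return tags


def key_status(selector, domain, resolver=PUBLISHED.get):
    """Classify one selector's record: missing, invalid, revoked, testing or active."""
    txt = resolver(f"{selector}._domainkey.{domain}")
    if txt is None:
        return "missing"
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid"
    if "y" in tags.get("t", "").split(":"):
        return "testing"  # t=y: verifiers treat signatures under this key as unsigned
    return "active"


def ready_to_switch(old_selector, new_selector, domain, resolver=PUBLISHED.get):
    """Flip the signer only when the new key verifies and the old key still resolves for mail in transit."""
    return (key_status(new_selector, domain, resolver) == "active"
            and key_status(old_selector, domain, resolver) == "active")


def safe_to_revoke(new_selector, domain, days_since_switch, grace_days=7, resolver=PUBLISHED.get):
    """Retire the old key (publish an empty p=) once the new key is live and the assumed grace period has passed."""
    return key_status(new_selector, domain, resolver) == "active" and days_since_switch >= grace_days
```

Run `key_status` against the new selector before changing the signer, and only call the old record revoked once `safe_to_revoke` returns true.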

Technical article

Documentation from M3AAWG.org details that DKIM key rotation is a security best practice to mitigate the risk of key compromise. While not directly improving deliverability, it prevents deliverability issues caused by compromised keys. Rotation involves generating a new key pair, updating the DNS record, and gradually switching over to the new key.

December 2022 - M3AAWG.org

Technical article

Documentation from RFC Editor explains that DKIM uses selectors to allow for key rotation. By publishing multiple keys under different selectors, senders can transition to a new key without immediately invalidating old signatures. The receiving server uses the selector to retrieve the correct public key for verification.

June 2024 - RFC Editor