Suped

Can old DKIM records from previous ESPs negatively impact email sending reputation?

Summary

The prevailing consensus from experts, marketers, and documentation is that old DKIM records from a previous ESP are unlikely to harm sending reputation by themselves. Reputation attaches to the d= domain in the signature, not to the DNS record, so a stale selector only matters while something is still signing mail with that key: a forgotten automated flow at the old ESP, or anyone who has obtained the private key. Removing old records is nevertheless best practice. A clean DNS setup is easier to troubleshoot, and every published key that verifiers still accept is a key that could be used to send mail that passes DKIM for your domain. Experts agree that removing old DKIM records improves DNS hygiene, reduces that risk, and minimizes the chance of misconfiguration. Before deleting a selector, check DMARC aggregate reports for mail still signed with it; DMARC reporting also helps to detect unexpected traffic even when the signatures are valid.

Key findings

  • Low Direct Impact (Usually): Old DKIM records do not *directly* cause reputation issues unless the old ESP is still actively sending mail with those records.
  • DNS Hygiene Matters: Maintaining a clean, up-to-date DNS configuration is vital for good email deliverability and overall email health.
  • Security Concerns: A DKIM private key left in service indefinitely is a small but real compromise risk; anyone holding it can sign mail that passes DKIM for your domain.
  • Complexity & Confusion: Unnecessary DNS records add complexity and make it harder to tell which selector belongs to which mail stream when troubleshooting authentication.
  • DMARC Monitoring Value: DMARC reporting provides a means to monitor traffic sources and can identify anomalous sending even with valid DKIM.

Key considerations

  • Routine DNS Maintenance: Implement a process for regularly reviewing and cleaning up DNS records, removing old DKIM keys whenever an ESP is changed.
  • Minimize Key Count: Reduce the number of active DKIM keys to only those necessary, strengthening security and simplifying DNS management.
  • Proactive Monitoring: Use DMARC reporting to actively monitor email traffic and identify any potential anomalies or security incidents.
  • Prioritize Authentication: Proper authentication practices enable mailbox providers to identify mail streams, which makes IP reputation less critical.
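The considerations above come down to one recurring check: before deleting a selector, confirm from DMARC aggregate reports that nothing is still signing with it, and after deleting, confirm that no flow broke. The script below is an added example (not code from the Suped page or from any ESP) that parses the RFC 7489 aggregate-report XML and flags every source that signed with a selector outside the set your current ESP uses. The report, domain, IP addresses, selector names and counts are constructed for the example.

```python
"""Audit DKIM selectors seen in a DMARC aggregate (rua) report.

Added example, not code from the Suped page or from any ESP. It walks the
RFC 7489 aggregate-report XML (feedback/record/row, identifiers,
auth_results/dkim with domain, selector, result) and flags any source that
still signs with a selector outside the set the current ESP uses.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report for example.com (IPs, selectors and counts are
# made up). "s1" is the current ESP's selector; "old1" belonged to a previous
# ESP and should no longer be producing signed mail.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>old1</selector><result>pass</result></dkim>
      <spf><domain>mail.old-esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip><count>4</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>old1</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def selector_usage(report_xml):
    """Return {(d= domain, selector, result): {source_ip: count}} for every
    DKIM auth result in the report."""
    root = ET.fromstring(report_xml)
    usage = defaultdict(lambda: defaultdict(int))
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        for dkim in rec.findall("auth_results/dkim"):
            key = (
                dkim.findtext("domain", ""),
                dkim.findtext("selector", "<none>"),  # selector is optional in the schema
                dkim.findtext("result", ""),
            )
            usage[key][ip] += count
    return usage


def stale_selector_findings(report_xml, our_domain, current_selectors):
    """Flag DKIM results for our domain whose selector is not one the current
    ESP uses. A 'pass' means something is still signing with the old key (a
    forgotten flow at the previous ESP, or a leaked key); a 'fail' means the
    selector is still being referenced but the key no longer verifies."""
    findings = []
    for (d, sel, result), ips in selector_usage(report_xml).items():
        if d != our_domain or sel in current_selectors:
            continue
        for ip, n in ips.items():
            findings.append({"selector": sel, "source_ip": ip, "count": n, "result": result})
    return sorted(findings, key=lambda f: (-f["count"], f["source_ip"]))


if __name__ == "__main__":
    for f in stale_selector_findings(SAMPLE_REPORT, "example.com", {"s1"}):
        print("selector={selector} result={result} ip={source_ip} msgs={count}".format(**f))
```

Run it over the rua reports from the last few weeks before touching DNS: a stale selector that still produces DKIM passes is a live mail stream (or a leaked key) and should be traced to its source first, because deleting the record will turn those messages into DKIM failures. Whether the selector is still published can be confirmed with `dig +short TXT old1._domainkey.example.com` (selector and domain here are the example's).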

What email marketers say

9 marketer opinions

The consensus among email marketers is that old DKIM records from previous ESPs are unlikely to directly and significantly harm email sending reputation, but that removing them is best practice. Keeping them clutters DNS, complicates troubleshooting, and leaves a key in service that, if compromised, could be used to sign mail that passes DKIM for your domain; the risk is small but unnecessary. Removing them improves DNS hygiene and reduces that exposure.

Key opinions

  • Low Direct Impact: Old DKIM records are unlikely to *directly* and negatively impact email sending reputation.
  • DNS Clutter: Leaving old records can clutter DNS, making troubleshooting more difficult.
  • Security Risk: Although the risk is small, an old key can be compromised and used to send mail that carries a valid DKIM signature for your domain.
  • DMARC Monitoring: Even with valid DKIM, DMARC reports can help detect unexpected traffic sources.

Key considerations

  • DNS Hygiene: Maintaining a clean and up-to-date DNS configuration contributes to overall email health.
  • Key Rotation: Implement a process for rotating DKIM keys and removing old ones when switching ESPs.
  • DMARC Monitoring: Actively monitor DMARC reports to identify any unusual email activity or potential security breaches.
  • Distinct Selectors: If each ESP uses its own selector, the old records do not conflict with the new ESP's records, so there is no functional need to delete them; removal is about hygiene and key exposure, not about making the new keys work.

Marketer view

Email marketer from SparkPost documentation advises removing old DKIM records after migrating to a new ESP. It is important to remove old DKIM keys to avoid potential DNS spoofing attacks. Keeping them complicates DNS management and provides no benefit.

23 Oct 2023 - SparkPost

Marketer view

Email marketer from Mailgun documentation explains that it’s generally good practice to remove DKIM records from previous ESPs once you've fully transitioned to a new provider to avoid potential confusion or security risks.

23 Dec 2024 - Mailgun

What the experts say

3 expert opinions

Experts generally agree that old DKIM records themselves are unlikely to directly and significantly harm email sending reputation unless mail is actively sent from the old ESP. While the DNS records are not directly the cause, maintaining a clean DNS setup improves overall email health and reduces the potential for misconfiguration and clutter. A long-standing DKIM key pair increases the risk of compromise and impersonation, however small.

Key opinions

  • Low Direct Impact: Old DKIM records do not directly cause reputation issues unless mail is being sent from the old ESP.
  • Reputation Tied to Domain: Sender reputation is linked to the DKIM 'd=' domain.
  • Clean DNS Benefits: A clean DNS setup contributes to better overall email health.
  • Compromise Risk: Long-standing DKIM keys have a small, but present, risk of being compromised.

Key considerations

  • DNS Maintenance: Regularly clean up old DKIM records to reduce clutter and potential misconfiguration.
  • Security Posture: Balance the low risk of key compromise with the effort of maintaining and updating DKIM records.
  • Focus on Authentication: Ensure proper authentication practices, as authentication allows mailbox providers to identify mail streams, making IP reputation less critical.

Expert view

Expert from Word to the Wise explains that while old DKIM records by themselves rarely cause deliverability issues, a clean DNS setup contributes to better overall email health. Removing old records reduces clutter and the potential for misconfiguration.

30 Oct 2021 - Word to the Wise

Expert view

Expert from Email Geeks explains that old DKIM records don't directly cause reputation issues unless mail is actively sent from that ESP. The signature carries the identifier, not the DNS records. He further explains that sender reputation is tied to the DKIM 'd=' domain, and while spam filters have memory, they eventually forget. Authentication allows mailbox providers to identify mail streams, making IP reputation less critical once a mailstream establishes its own reputation based on recipient responses.

8 Oct 2022 - Email Geeks

What the documentation says

4 technical articles

Official documentation emphasizes maintaining accurate and up-to-date DNS records, including DKIM. While old DKIM records may not directly harm reputation, they add confusion when troubleshooting authentication and leave keys in service that are no longer needed. Best practices suggest removing unused records and publishing only the keys that are actively signing mail.

Key findings

  • No Direct Harm (Generally): Old DKIM records themselves don't directly harm reputation, but contribute to indirect issues.
  • Accuracy is Crucial: Maintaining accurate DNS records is essential for authentication and avoiding deliverability issues.
  • Potential for Confusion: Unnecessary DNS records make it harder to tell which selector signs which mail stream when troubleshooting authentication.
  • Security Risks: Leaving old DKIM keys published poses an unnecessary security risk to your domain.

Key considerations

  • Regular DNS Maintenance: Establish a process for regularly reviewing and removing old or unused DNS records, including DKIM.
  • Authentication Best Practices: Follow best practices for DKIM configuration and maintenance to ensure smooth authentication and prevent deliverability issues.
  • Security Focus: Prioritize security by minimizing the number of active DKIM keys and ensuring only those keys are configured.

Technical article

Documentation from Microsoft explains that it is important to keep your DNS records up to date. Be sure to remove any old records and keys that you are no longer using. Using old keys is an unnecessary risk to your domain.

14 May 2024 - Microsoft

Technical article

Documentation from Google explains that while old DKIM records themselves don't directly harm your reputation, maintaining accurate DNS records, including DKIM, is crucial for authentication and avoiding deliverability issues. Having unnecessary records can create confusion.

23 Apr 2023 - Google
