Suped

How does changing DKIM selectors impact email reputation and what are the best practices for key rotation?

Summary

Changing DKIM selectors can impact email reputation, primarily if not managed correctly during key rotation. While some ISPs might track selectors, Google uses IP/selector/domain pairs to identify senders. Experts recommend regular key rotation (every 3-6 months per Google, annually per Reddit, or more often if compromised) to limit the impact of compromised keys. Key findings emphasize that the DKIM selector helps locate the public key and accurate DNS configuration is crucial to avoid authentication failures. Using CNAMEs for selectors facilitates easier changes. Multiple sources suggest that you should avoid reusing keys. Practical considerations include ensuring DNS record propagation, retiring old selectors, considering multiple selectors, monitoring DMARC reports, and testing the new selector. Furthermore, it's important to use longer DKIM key lengths (e.g., 2048 bits) for enhanced security, and some ESPs are transitioning to CNAME DKIM authentication.

Key findings

  • Reputation Tracking: Some ISPs may track selectors, although this isn't best practice.
  • Google's Sender Identification: Google uses IP/selector/domain pairs for sender identification.
  • DKIM Key Rotation: Regular DKIM key rotation is crucial for security.
  • CNAME DKIM: CNAME DKIM authentication simplifies key management.
  • DNS Record: Changing selectors requires updating DNS records accurately.
  • Key Length: Longer key lengths (2048 bits) enhance security.
  • DKIM Key Reuse: Keys should never be reused.

Key considerations

  • Operational Need: Avoid changing DKIM selectors unless necessary.
  • DNS Propagation: Ensure proper DNS record propagation after changes.
  • Old Selector Retirement: Retire old selectors to prevent malicious use.
  • Multiple Selectors: Consider using multiple selectors for easier rotation.
  • DMARC Monitoring: Monitor DMARC reports to ensure proper authentication.
  • Testing: Test the new selector after rotation.
  • Rotation schedule: Always rotate keys on a regular schedule.
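
The considerations above (propagation, key length, no key reuse, retiring the old selector) can be checked mechanically before signing is switched to a new selector. This is an added example, not code from the page or from any tool it cites; the domain, the selector names, the function names and the `ZONE` dictionary standing in for live DNS lookups are assumptions.

```python
import base64, hashlib

def key_name(selector, domain):
    # RFC 6376: the public key is a TXT record at <selector>._domainkey.<domain>
    return f"{selector}._domainkey.{domain}"

def parse_tags(txt):
    """Split a DKIM key record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def check_rotation(domain, old_sel, new_sel, records, retired_fps=()):
    """List problems that should block switching signing from old_sel to new_sel."""
    new_txt = records.get(key_name(new_sel, domain))
    if new_txt is None:
        return [f"{new_sel}: record not published or not yet propagated"]
    new = parse_tags(new_txt)
    p = new.get("p", "")
    if not p:
        return [f"{new_sel}: empty p= means the key is revoked"]
    problems, der = [], base64.b64decode(p)
    # A 2048-bit RSA modulus alone needs 256 bytes, so shorter DER cannot hold one.
    if new.get("k", "rsa") == "rsa" and len(der) < 256:
        problems.append(f"{new_sel}: RSA key is shorter than 2048 bits")
    old = parse_tags(records.get(key_name(old_sel, domain), ""))
    if p == old.get("p") or hashlib.sha256(der).hexdigest() in retired_fps:
        problems.append(f"{new_sel}: key material is reused from an earlier selector")
    return problems

def is_retired(domain, selector, records):
    """An old selector is retired once its record is gone or its p= is empty."""
    txt = records.get(key_name(selector, domain))
    return txt is None or parse_tags(txt).get("p", "") == ""

# Constructed sample zone: placeholder bytes, not real keys. 294 and 162 bytes
# are the DER sizes of 2048-bit and 1024-bit RSA public keys respectively.
def sample_p(fill, size):
    return base64.b64encode(bytes([fill]) * size).decode()

ZONE = {
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + sample_p(1, 294),
    "s2._domainkey.example.com": "v=DKIM1; k=rsa; p=" + sample_p(2, 162),
}
```

The length test is a lower bound only: it catches keys that cannot be 2048 bits, and an empty result means none of these checks failed, not that the key is otherwise sound.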

What email marketers say

13 marketer opinions

Changing DKIM selectors can impact email reputation, especially if not managed correctly. While some providers use the DKIM selector as part of their sender identification, best practices emphasize careful key rotation and selector management. Rotating DKIM keys regularly (at least annually, or more often if a compromise is suspected) is essential for security. When changing selectors, proper propagation of the new DKIM record is crucial, and old selectors should be retired to prevent malicious use. It's also vital to monitor DMARC reports post-rotation to ensure email authentication and swiftly address any issues. Using longer key lengths (2048 bits) enhances security. Testing the new selector and monitoring DMARC reports are crucial steps after DKIM rotation.

Key opinions

  • Reputation Impact: Incorrect DKIM selector management can negatively impact email reputation.
  • Google Identification: Google uses IP/selector/domain pairs to identify senders.
  • Key Rotation Necessity: Regular DKIM key rotation is essential for security.
  • CNAME DKIM: Some ESPs are moving to CNAME DKIM authentication as a solution.
  • Key Length: Longer DKIM key lengths (e.g., 2048 bits) improve security.
  • DMARC Monitoring: Monitoring DMARC reports is crucial post key rotation.

Key considerations

  • Operational Need: Avoid changing DKIM selectors unless there's a genuine operational requirement.
  • Propagation Delay: Ensure the new DKIM record is fully propagated before using it.
  • Testing: Test the new DKIM selector after rotation to ensure proper functionality.
  • Old Key Retirement: Retire old selectors to prevent potential malicious use.
  • Multiple Selectors: Consider using multiple DKIM selectors to ease key rotation.
  • DMARC Report Monitoring: Always monitor DMARC reports to ensure continued authentication.
  • Key Reuse: Never reuse the same key with a selector.
  • Key Length: Always use the recommended key length as a minimum.

Marketer view

Email marketer from Mailhardener Blog suggests using multiple DKIM selectors to facilitate smooth key rotation. This involves setting up multiple selectors simultaneously, allowing for a seamless transition when rotating keys without impacting email delivery.

10 Jul 2022 - Mailhardener Blog

Marketer view

Marketer from Email Geeks advises clients against changing DKIM selectors unless there's a real operational need.

1 Dec 2024 - Email Geeks

What the experts say

7 expert opinions

Changing DKIM selectors is crucial for key rotation, although some ISPs may have incorrectly used selectors for reputation tracking in the past. Regularly rotating keys mitigates security risks such as unauthorized email sending. Options for key rotation include 'ping-ponging' between two selectors. It is important to avoid reusing keys and to rotate keys frequently. Using CNAMEs simplifies selector changes. Rotating DKIM keys without changing the selector is difficult and risks lost email unless you mail infrequently and rotate while you are not mailing. Longer key lengths, like 2048 bits, enhance security.

Key opinions

  • Key Rotation Security: Key rotation mitigates risks of unauthorized email activity.
  • CNAME Selector Simplification: CNAMEs can simplify selector changes for key rotation.
  • Risk of not rotating: If the DKIM key is not changed, it can lead to risks such as spam being sent from your domain.
  • Key Length: Longer keys are more secure.
  • DKIM Key Reuse: Keys should never be reused.

Key considerations

  • Ping-Ponging: Consider 'ping-ponging' between selectors for key rotation.
  • Frequency: Ensure keys are rotated on a schedule.
  • Key Length: Use keys with longer lengths where possible.

Expert view

Expert from Email Geeks mentions that it is not possible to rotate your DKIM key without changing the selector without risking lost email, unless you only mail infrequently and rotate the key when you are not mailing.

28 Oct 2022 - Email Geeks

Expert view

Expert from Email Geeks explains that if you don't change the selector, you're not rotating your DKIM keys, which leaves you open to security risks like disgruntled ex-employees sending spam or phishing authenticated by you.

30 Nov 2024 - Email Geeks

What the documentation says

4 technical articles

DKIM key rotation is crucial for security, limiting the impact of compromised keys. Google recommends rotating keys every 3-6 months. The DKIM selector identifies the public key, and changing it requires updating DNS records. Microsoft provides guidance for key rotation in Office 365. Cloudflare emphasizes proper DNS configuration, including the correct selector, to prevent authentication failures.

Key findings

  • Regular Rotation: Regular DKIM key rotation enhances security.
  • Selector Function: The DKIM selector locates the correct public key.
  • DNS Updates: Changing the selector requires updating DNS records.
  • Authentication Failure: Incorrect DNS configuration can cause authentication failures.

Key considerations

  • Rotation Frequency: Consider rotating keys every 3-6 months (per Google's recommendation).
  • DNS Accuracy: Ensure accurate DNS configuration for the DKIM selector.

Technical article

Documentation from RFC 6376, the DKIM specification, explains that the selector is used to locate the correct public key for verification. Changing the selector requires updating the DNS record to point to the new key.

29 Apr 2022 - RFC Editor

Technical article

Documentation from Cloudflare highlights the importance of properly configuring your DNS records for DKIM, including the correct selector. Incorrectly configured records will cause authentication failures.

25 Nov 2022 - Cloudflare
