Summary
Sendgrid requires two DKIM keys primarily to enable seamless key rotation, a critical security practice for maintaining long-term email authentication and deliverability. This allows for continuous mail flow during key updates by provisioning new keys, updating DNS records, and switching over once changes propagate. Key rotation mitigates risks associated with key compromise and potential DKIM signature forgery. While implementing this system adds engineering complexity, especially in existing setups, failing to do so demonstrates a lack of understanding of security implications. Utilizing longer DKIM key lengths (e.g., 2048 bits) and tools like MXToolbox for validation further enhance the process.
Key findings
- Seamless Key Rotation: Two keys enable rolling updates of DKIM records without interrupting mail flow.
- Enhanced Security: Key rotation reduces the risk of successful key cracking and DKIM signature forgery.
- Mitigation of Risks: Regular rotation limits the window of opportunity for attackers if a key is compromised.
- Technical Best Practice: Key management, including rotation, is crucial for long-term security as outlined in RFC 6376.
- Validation and Testing: Tools such as MXToolbox assist in validating DKIM records and confirming proper setup.
- Security and Reliability: Use of two DKIM keys allows for smoother 'key rollover', and maintains Sendgrid uptime, which is an important part of keeping your email secure.
Key considerations
- Rotation Strategy: Implement a well-defined schedule for periodic DKIM key rotation.
- Engineering Complexity: Consider the increased engineering complexity, especially when retrofitting existing systems.
- DNS Propagation: Ensure DNS changes have fully propagated before switching over to the new key.
- Key Length: Use longer DKIM key lengths (e.g., 2048 bits) for improved security.
- Spoofing prevention: Prioritize key rotation is to avoid the long-term spoofing issues.
- Compromise Mitigation: Ensure rotation practices minimize the impact of potential key compromises
What email marketers say
6 marketer opinions
Sendgrid requires two domain keys primarily to facilitate seamless DKIM key rotation. This allows for continuous email authentication and prevents interruptions in mail flow while keys are updated. Regular key rotation, particularly with longer key lengths, is a critical security measure to mitigate the risk of key compromise and potential email spoofing.
Key opinions
- Seamless Rotation: The primary reason for two keys is to enable rolling updates of DKIM records without interrupting mail flow.
- Enhanced Security: Rotating keys regularly, especially with longer key lengths (e.g., 2048 bits), reduces the risk of successful key cracking.
- Key Rollover: The additional key allows for smoother 'key rollover,' an important part of email security.
- Uptime Maintenance: Using two keys helps Sendgrid maintain uptime during key rotations.
- Validation Tools: Tools like MXToolbox can be used to validate and confirm DKIM records are set up correctly, ensuring proper rotation.
Key considerations
- Key Length: Using longer DKIM key lengths (e.g., 2048 bits) is recommended for improved security.
- Regular Rotation: Rotating DKIM keys regularly is crucial to minimize the impact of potential key compromises.
- Proper Setup: Ensure DKIM records are correctly set up and validated to enable seamless rotation and prevent authentication issues.
- Security: Prioritizing key rotation is a critical security measure to avoid the long-term spoofing issues.
Marketer view
Email marketer from Reddit user, u/SomeTechDude, responds that Sendgrid uses two keys to allow for rolling updates of their DKIM records. This ensures mail continues to pass authentication while changes are propagated.
17 Feb 2023 - Reddit
Marketer view
Email marketer from StackOverflow User, TechGuru123, explains that Sendgrid utilizes 2 DKIM keys so that they can rotate them seamlessly and prevent an outage or any interruptions to your mail flow, they rotate the DKIM keys regularly.
11 Aug 2023 - StackOverflow
What the experts say
5 expert opinions
Sendgrid requires two DKIM keys to facilitate key rotation, a critical security practice. This process involves provisioning new keys, updating DNS records while the old key remains active, and switching over to the new key once DNS changes propagate, eventually retiring the old key. Key rotation mitigates risks associated with key compromise and potential forgery of DKIM signatures. Not implementing such a system implies a lack of understanding of the associated security implications. Implementing a two-key system adds engineering complexity, particularly when retrofitting existing systems, but is a worthwhile effort to enhance security.
Key opinions
- Key Rotation Purpose: The primary reason for two keys is to enable key rotation.
- Security Enhancement: Key rotation is a critical security measure to prevent forgery of DKIM signatures in case of key compromise.
- Mitigation of Risks: Regular key rotation reduces the risk associated with compromised private keys.
- Security Implications: Failing to implement key rotation suggests a lack of understanding of security implications.
- Technical Implementation: Implementing key rotation adds technical complexity but is a beneficial practice.
- Rotation Schedule: A planned key rotation schedule can involve signing with different keys each month and replacing them halfway through the period.
Key considerations
- Engineering Complexity: Be aware of the increased engineering complexity when implementing key rotation, especially in existing systems.
- Regular Rotation: Regularly rotate keys according to a well-defined schedule.
- DNS Propagation: Ensure DNS changes have fully propagated before switching over to the new key.
- Security Understanding: Understand the potential security risks of not implementing key rotation.
Expert view
Expert from Email Geeks explains that Sendgrid asks for two domain keys for key rotation. If they didn't, it would mean they don't understand the security implications.
28 Apr 2024 - Email Geeks
Expert view
Expert from Email Geeks shares that if he were engineering an ESP, he'd do it roughly like SendGrid does. However, the engineering complexity to do it that way is significantly higher, especially to retrofit into an existing system, and complexity leads to security holes.
9 Jun 2025 - Email Geeks
What the documentation says
4 technical articles
Sendgrid's recommendation of using two DKIM keys facilitates seamless key rotation, which is crucial for maintaining the long-term security of DKIM signatures. This approach, supported by best practices outlined in RFC 6376, allows for continuous email flow while keys are rotated for enhanced security. Rotating DKIM keys minimizes the risk associated with key compromise and limits the window of opportunity for attackers to forge emails. Additionally, DKIM signing helps prevent spoofing and ensures messages are not modified during transit.
Key findings
- Seamless Rotation: Two keys enable rotation without interrupting email flow.
- Enhanced Security: Rotating DKIM keys enhances overall security.
- Minimizes Risk: Rotation minimizes the risk associated with key compromise.
- Prevents Spoofing: DKIM signing prevents spoofing and message modification.
- Key Rollover: Having a mechanism for key rollover is a best practice.
Key considerations
- Periodic Rotation: Implement a strategy for periodic DKIM key rotation.
- Key Management: Effective key management is essential for long-term security.
- Compromise Mitigation: Ensure rotation practices minimize the impact of potential key compromises.
- DKIM Standards: Adhere to DKIM standards (RFC 6376) for optimal implementation.
Technical article
Documentation from Sendgrid explains that they recommend rotating DKIM keys periodically for enhanced security. Using two keys allows for seamless rotation without interrupting email flow. One key remains active while the other is being rotated.
28 Oct 2024 - Sendgrid
Technical article
Documentation from RFC Editor (RFC 6376, defining DKIM) explains that key management, including rotation, is crucial for maintaining the long-term security of DKIM signatures. While the RFC doesn't mandate two keys, it implies that having a mechanism for key rollover is a best practice.
31 Aug 2024 - RFC Editor
Can DKIM be set up on a subdomain, and which domain should be used for signing?
How do I find the DKIM selector for my domain in Dmarcian or Hubspot?
How do I set up DKIM on G Suite for outgoing mail, especially when using multiple email services?
How do I set up SPF and DKIM records for new subdomains when using third-party email services?
How do I sign DKIM on a sender domain that isn't the primary domain while using Hubspot?
Why are my DKIM and DMARC failing in Gmail, and how can I fix it?
