Suped

Can DKIM keys be rotated without downtime?

Yes, you can absolutely rotate your DKIM keys without causing any email delivery downtime. It's a standard security procedure that, when done correctly, is completely seamless. The mechanism that allows for this smooth transition is a core part of the DKIM specification itself: selectors.

By using a new selector for your new key, you can have both the old and new keys active at the same time during a transition period. This ensures that all emails, whether they are signed with the old or new key, will pass DKIM verification without any interruption to your mail flow. As Mailmodo explains, a coordinated strategy is the way to go.

Mailmodo says:
Coordinate key changes: Implement a coordinated key rotation strategy to minimize downtime. Update the DNS record with the new key and...

How zero-downtime rotation works

A DKIM selector is simply a name that you choose, like s1 or google. It becomes part of the DNS record name where your public key is stored, for example s1._domainkey.yourdomain.com. When you send an email, the selector is included in the DKIM-Signature header. The receiving mail server reads this selector and knows exactly which DNS record to look up to find the correct public key for verification.

To perform a rotation, you create a new key and publish it with a new, different selector, for example s2._domainkey.yourdomain.com. For a period, both your old selector (s1) and new selector (s2) can coexist. Zendesk also highlights that this is a security best practice.

Zendesk help says:
Key Rotation: Security best practices suggest that DKIM keys should be rotated periodically to prevent the weakening of security over time. Having two selectors ...

A step-by-step guide to rotating DKIM keys

Here is the simple process for rotating your keys with no service interruption.

  • Generate a new key pair. First, create a new public and private DKIM key pair. Most email service providers can do this for you, or you can use standard tools like OpenSSL.
  • Publish the new public key. Create a new TXT record in your DNS. Use a new selector that is different from your current one. For instance, if you use 's1', name the new one 's2'. Add the new public key to this record.
  • Wait for DNS propagation. Before you start using the new key, you must wait for the new DNS record to be visible across the internet. This typically takes a few hours but can take up to 48 hours in some cases.
  • Start signing with the new key. Configure your email sending platform to start signing outgoing emails with the new private key and the new selector.
  • Monitor your deliverability. Keep an eye on your email authentication results. DMARC reports are perfect for this, as they will show you the DKIM results for your messages.
  • Decommission the old key. Once you are confident that the new key is working correctly and all mail is being signed with it, you can safely remove the old DKIM record from your DNS.
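As an added illustration (not code from the original article), the script below models the selector lookup a receiving server performs and replays the steps above against a constructed in-memory DNS table. Key values are placeholders, not real RSA keys; the convention that an empty p= marks a revoked key comes from RFC 6376 and is an addition beyond the article's text.

```python
import re

# Constructed sample DKIM-Signature header values; bh= and b= are placeholders.
OLD_SIG = "v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject; bh=AAAA; b=BBBB"
NEW_SIG = "v=1; a=rsa-sha256; d=example.com; s=s2; h=from:to:subject; bh=AAAA; b=BBBB"


def parse_tags(value):
    """Split a DKIM tag=value list (signature header or DNS key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is ignored
    return tags


def key_record_name(selector, domain):
    """DNS name the verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def verify_key_lookup(signature_header, dns):
    """Return 'ok', 'missing' or 'revoked' for the key a signature's s=/d= tags point at."""
    sig = parse_tags(signature_header)
    record = dns.get(key_record_name(sig["s"], sig["d"]))
    if record is None:
        return "missing"
    key = parse_tags(record)
    if not key.get("p"):  # empty p= means the key has been revoked (RFC 6376, 3.6.1)
        return "revoked"
    return "ok"


def rotation_timeline():
    """Replay the guide's steps; each entry is (step, s1-signed mail, s2-signed mail)."""
    dns = {key_record_name("s1", "example.com"): "v=DKIM1; k=rsa; p=OLDKEYPLACEHOLDER"}
    states = []

    def snapshot(step):
        states.append((step, verify_key_lookup(OLD_SIG, dns), verify_key_lookup(NEW_SIG, dns)))

    snapshot("before rotation")
    dns[key_record_name("s2", "example.com")] = "v=DKIM1; k=rsa; p=NEWKEYPLACEHOLDER"
    snapshot("s2 published alongside s1: mail signed with either selector verifies")
    dns[key_record_name("s1", "example.com")] = "v=DKIM1; k=rsa; p="
    snapshot("s1 revoked with an empty p=: anything still signed with s1 now fails")
    del dns[key_record_name("s1", "example.com")]
    snapshot("s1 record removed: same outcome, so only do this once nothing uses s1")
    return states
```

The last two snapshots show why the guide's final step waits until all mail is signed with the new key: a message still carrying s= s1 fails verification the moment the s1 record is revoked or removed.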

How often should you rotate keys?

This is a common question, and the answer often depends on your organization's specific security policies and risk tolerance. There isn't a single mandated frequency for DKIM key rotation.

AutoSPF says:
To be honest, there is no one-size-fits-all answer to this question, as the frequency of DKIM key rotation depends on your security practices ...

Some organizations with strict security requirements may rotate keys as often as every quarter. Others may find that rotating them annually is sufficient. The key is to have a defined policy and to follow it. The process is straightforward enough that it doesn't need to be a major project, so rotating them periodically is a manageable and worthwhile security enhancement.
