
DKIM Key Rotation

Why is DKIM key rotation important for your domain’s security?

DKIM key rotation is when you start using a new private/public key pair to sign and authenticate your message—and then stop using the old private/public key pair.

Why is this important? If somebody were able to get access to your private key, they could use it to send fraudulent emails that appear to be from you. To limit the damage from this kind of compromise, it is best practice to rotate your keys every few months.

To understand the importance of DKIM key rotation better, let’s take a look at this example: 

Let’s say you send out an email campaign for a holiday sale at your store. You use your DKIM keys to sign your emails, but if you send out enough emails using the same key pair over time, bad actors may eventually intercept and decode one of them, since each message uses the same cryptographic hash algorithm. Once they’ve got your public key, they can start signing their phishing emails with it without you even knowing! That’s why periodic DKIM key rotation is crucial to the security of your domain.

How can you rotate your DKIM keys?

1. Manual DKIM key rotation

You can manually rotate your DKIM keys from time to time by creating new keys for your domain. To do so, follow these steps:

  • Head over to a free DKIM record generator tool
  • Enter your domain name and the DKIM selector of your choice
  • Hit the “Generate” button 
  • Copy your brand new pair of DKIM keys 
  • The public key is to be published in your DNS as the TXT record for that selector, replacing your previous record
  • The private key is to be either shared with your ESP (if you’re outsourcing your emails) or uploaded on your email server (if you handle email transfer on-premise) 

2. Subdomain DKIM key delegation

Domain owners can outsource DKIM key rotation by allowing a third party to handle it for them. The owner of the domain delegates a dedicated subdomain to an email vendor and asks them to generate a DKIM key pair on their behalf. This lets owners avoid the hassle of DKIM key rotation by outsourcing the responsibility to a third party.

This, however, can cause policy override problems with DMARC entries. It is recommended that rotated keys are monitored and reviewed by the domain's administrators to ensure smooth and error-free deployment.

3. DKIM CNAME key delegation

CNAME stands for canonical name; a CNAME record is a DNS record that points to data held under another domain name. CNAME delegation allows domain owners to point to DKIM record information that is maintained by an external third party. This is similar to subdomain delegation: the domain owner is only required to publish a few CNAME records in their DNS, while the DKIM infrastructure and DKIM key rotation are handled by the third party that the record points to.

For example, suppose “domain.com” is the domain whose outgoing emails are to be signed, and “third-party.com” is the vendor who will handle the signing process.

s1._domainkey.domain.com CNAME s1.domain.com.third-party.com

The above-mentioned CNAME record needs to be published in the DNS of the domain owner. 

Now, s1.domain.com.third-party.com already has a DKIM record published in its DNS, which can look like this:

s1.domain.com.third-party.com TXT “v=DKIM1; p=MIG89hdg599….”

This information will be used to sign emails originating from domain.com. 
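The delegation chain above, as an added worked example (this is not code from the course): it builds the vendor's TXT record from a constructed placeholder key, splits it into the 255-character strings that a single DNS TXT string is limited to, follows the CNAME from s1._domainkey.domain.com to the vendor's name, and classifies the key it finds as active, revoked (empty p= tag, per RFC 6376), invalid or missing. The zone table, the placeholder key, the extra selectors s0 and loop, and all function names are constructed for illustration; a real deployment would replace the dictionary with DNS lookups.

```python
"""Resolve a DKIM selector through CNAME delegation and classify the key it finds.
Added example; the zone data below is constructed, not real DNS."""
import base64
import binascii

MAX_TXT_STRING = 255  # one string inside DNS TXT RDATA holds at most 255 octets


def build_dkim_txt(pub_key_b64):
    """Build the record value for a selector and split it into <=255-char strings,
    which is how a long RSA public key has to be published in DNS."""
    record = f"v=DKIM1; k=rsa; p={pub_key_b64}"
    return [record[i:i + MAX_TXT_STRING] for i in range(0, len(record), MAX_TXT_STRING)]


# Constructed stand-in for a base64 SubjectPublicKeyInfo blob (400 chars, NOT a real key)
FAKE_PUB_KEY_B64 = base64.b64encode(bytes(300)).decode()

# Constructed zone data: name -> (rrtype, rdata). The domain owner publishes only the
# CNAMEs; the vendor publishes the TXT (here as two strings) and a revoked older selector.
# "loop" is a deliberately broken CNAME that points at itself.
ZONE = {
    "s1._domainkey.domain.com": ("CNAME", "s1.domain.com.third-party.com"),
    "s1.domain.com.third-party.com": ("TXT", build_dkim_txt(FAKE_PUB_KEY_B64)),
    "s0._domainkey.domain.com": ("CNAME", "s0.domain.com.third-party.com"),
    "s0.domain.com.third-party.com": ("TXT", ["v=DKIM1; k=rsa; p="]),
    "loop._domainkey.domain.com": ("CNAME", "loop._domainkey.domain.com"),
}


def resolve_txt(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs until a TXT is found; return the list of TXT strings or None."""
    for _ in range(max_hops):
        entry = zone.get(name)
        if entry is None:
            return None
        rrtype, rdata = entry
        if rrtype == "TXT":
            return rdata
        name = rdata  # CNAME: continue at the canonical name
    return None  # CNAME loop or a chain longer than resolvers tolerate


def parse_dkim_tags(strings):
    """Join the TXT strings and parse the tag=value list (RFC 6376 section 3.6.1).
    Returns None if any tag lacks an '=' separator."""
    tags = {}
    for part in "".join(strings).split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags[name.strip()] = value.strip()
    return tags


def dkim_key_state(selector, domain, zone=ZONE):
    """Classify the key published for <selector>._domainkey.<domain>."""
    strings = resolve_txt(f"{selector}._domainkey.{domain}", zone)
    if strings is None:
        return "missing"
    tags = parse_dkim_tags(strings)
    if tags is None or tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # an empty p= tag means the key has been revoked
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "invalid"
    return "active"


if __name__ == "__main__":
    for sel in ("s1", "s0", "loop", "s9"):
        print(sel, dkim_key_state(sel, "domain.com"))
```

The hop limit in resolve_txt matters in practice: a mis-typed CNAME that points back at the owner's own selector name would otherwise spin forever, and verifiers treat an unresolvable selector as "no key", so every message signed with it fails DKIM.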

Note: You need to publish multiple DKIM records (recommended: at least 3 CNAME records) with different selectors in your DNS to enable DKIM key rotation. This will allow your vendor to switch between keys while signing and provide them with alternative options.

4. Automatic DKIM key rotation

Most email vendors and third-party email service providers enable automatic DKIM key rotation for customers. For example, if you are using Office 365 for routing your emails, you will be happy to know that Microsoft supports automatic DKIM key rotation for their Office 365 users. 

A full guide on how to enable DKIM key rotation for your Office 365 emails is available in our knowledge base.

Benefits of automatically rotating your DKIM keys

  • You don’t have to do anything on your part if your vendor allows the automated rotation of DKIM keys. Everything is managed by them. 
  • Manual configurations are prone to human errors.
  • Automatic key rotation is fast and effective, requiring no intervention on your part.
  • The DKIM management system is completely outsourced and handled by a third party.

Deploying a DKIM key rotation strategy

We call it the “3 Ds of DKIM key rotation”: 

  • Discuss 
  • Decide
  • Deploy 

This sums up an effective DKIM key rotation strategy for your domains. When you are using a third-party service for your emails and your vendor is handling rotation for you, make sure you have an open and transparent discussion as to when and how frequently you want to rotate your keys. You should have a say regarding timelines as well as the RSA key size you want to use for your selector's key (1024 bits, or 2048 bits for more security).

Once the discussion phase passes, you and your vendor must mutually decide on what your strategy is and finally proceed to deploy it.
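One way to turn the timeline discussion above, and the earlier note about keeping several selectors published, into a concrete policy, as an added example rather than course material: a planner that signs with the newest selector, flags when that key pair is older than the agreed maximum age, and only revokes older selectors after an overlap window, so mail still in transit that was signed with them continues to verify. The selector names, dates, 90-day maximum age, 7-day overlap and the date-based selector naming are assumptions for illustration, not a vendor's actual settings.

```python
"""Plan a DKIM selector rotation with an overlap window.
Added example; the selector data and policy values are constructed."""
from datetime import date, timedelta


def next_selector_name(today):
    """Assumed naming scheme: one selector per month, e.g. s202406."""
    return today.strftime("s%Y%m")


def plan_rotation(selectors, today, max_age_days=90, overlap_days=7):
    """selectors: list of dicts with 'name', 'published' (date) and 'revoked' (bool).
    Returns which selector to sign with, whether a fresh key pair is due, and which
    older selectors can now be revoked (republished with an empty p= tag)."""
    active = sorted((s for s in selectors if not s["revoked"]),
                    key=lambda s: s["published"], reverse=True)
    if not active:
        return {"sign_with": None, "generate_new": True, "revoke": []}
    newest = active[0]
    plan = {
        "sign_with": newest["name"],
        "generate_new": (today - newest["published"]).days >= max_age_days,
        "revoke": [],
    }
    # Older keys stay resolvable until mail signed with them has been delivered and
    # verified; only once the overlap window after the newest key's publication has
    # passed do we revoke them.
    if today >= newest["published"] + timedelta(days=overlap_days):
        plan["revoke"] = [s["name"] for s in active[1:]]
    return plan


if __name__ == "__main__":
    # Constructed state: s1 is the old key, s2 was published twelve days ago.
    state = [
        {"name": "s1", "published": date(2024, 1, 1), "revoked": False},
        {"name": "s2", "published": date(2024, 5, 20), "revoked": False},
    ]
    print(plan_rotation(state, date(2024, 6, 1)))
    print("next selector:", next_selector_name(date(2024, 6, 1)))
```

Revoking by publishing an empty p= rather than deleting the record is deliberate: a deleted selector looks identical to a typo to a verifier, while an empty key tells it the key was retired on purpose.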

Advanced Email Authentication Course