Blog
DKIM Key Rotation — How to Rotate Without Breaking Email
Rotation is a two-key problem: receivers must find a valid key while signers might still use the old one for minutes.
- Create new selector in ESP / mail server.
- Publish new DNS TXT (or CNAME).
- Verify with dig / Preflight.
- Switch signing to new selector in app.
- Monitor — then remove old DNS.
FAQ
Publish new or delete old first?
Publish new selector — overlap — then remove old after TTL + send volume.
How long overlap?
Often 48-168 hours depending on mail volume and ESP defaults.
1024 to 2048?
Generate 2048 — publish new selector — flip signing — retire 1024.
What if I delete old first?
Instant dkim=fail for in-flight mail.
Where documented?
<a href="/fix/dkim/rotate-keys/">Rotate DKIM keys</a> fix page.