DKIM Key Rotation — Best Practice Guide
Rotate DKIM without taking mail down: ship the new TXT first, let DNS settle, point signing at the new selector, then retire the old TXT after a quiet week.
Timeline (example)
- Day 1: Publish new key with a new selector
- Day 2–3: Verify new key globally via DNS Preflight
- Day 3: Switch signing to the new selector in your provider
- Day 7: Remove old key TXT after queues clear
Steps (HowTo)
Step 1 (Day 1) Publish new key with new selector — keep old TXT in place
Step 2 (Day 2–3) Verify new key in DNS Preflight from multiple vantage points if available
Step 3 (Day 3) Switch signing to the new selector
Step 4 (Day 7) Remove old selector's TXT record
Step 5 Monitor DMARC aggregate reports for dkim=pass rates
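The Step 2 check that gates Step 3, as an added example (not part of the original guide or of the DNS Preflight tool): it parses DKIM TXT answers gathered from several resolvers and lists anything that blocks the switch. The selector names, resolver labels and key bytes are constructed placeholders, and collecting the TXT answers is assumed to happen elsewhere.

```python
import base64
import re

def parse_dkim_txt(chunks):
    """Join the TXT character-strings and split the DKIM tag=value list (RFC 6376)."""
    record = "".join(chunks)  # long keys arrive split into strings of <= 255 bytes
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags

def key_problem(chunks):
    """Return None if the record holds a usable public key, else a reason string."""
    if not chunks:
        return "no TXT record"
    tags = parse_dkim_txt(chunks)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "not a DKIM1 record"
    if not tags.get("p"):
        return "empty p= (key revoked)"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "p= is not valid base64"
    return None

def ready_to_switch(answers, new_selector, old_selector):
    """Step 3 gate: every vantage point must see both keys before signing moves."""
    blockers = []
    for resolver, zone in answers.items():
        for selector in (new_selector, old_selector):
            problem = key_problem(zone.get(selector, []))
            if problem:
                blockers.append(f"{resolver}: {selector}: {problem}")
    return blockers  # empty list means it is safe to switch signing

def chunked(record):
    return [record[i:i + 255] for i in range(0, len(record), 255)]

# Constructed sample data: placeholder bytes stand in for a real public key.
KEY_B64 = base64.b64encode(b"constructed placeholder, not a real key " * 8).decode()
RECORD = "v=DKIM1; k=rsa; p=" + KEY_B64
SAMPLE = {
    "resolver-a": {"sel-new": chunked(RECORD), "sel-old": chunked(RECORD)},
    "resolver-b": {"sel-old": chunked(RECORD)},  # new selector not visible here yet
}
if __name__ == "__main__":
    print(ready_to_switch(SAMPLE, "sel-new", "sel-old"))
```

An empty list from `ready_to_switch` corresponds to the point where Step 3 can proceed; any entry means waiting longer or fixing the published record first.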
FAQ
How often to rotate?
Typically yearly, or when policy or an incident calls for it; no single fixed calendar fits all orgs.
Rotation without downtime?
Overlap DNS keys; only remove the old key after signing has moved.
Multiple keys during transition?
Yes — both selectors can exist in DNS during overlap.
In-flight email?
Old signatures verify until you delete the old public key.
When is rotation required?
Compromise, key length upgrades, or compliance requirements.