The Importance of Rotating Your DKIM Keys

Apr. 2, 2013 by Kate Nowrouzi

You wouldn’t hand over your house keys to a perfect stranger. Why not ensure the same level of scrutiny and security for your email systems?

We’ve covered a lot of topics on email security in the past few months. There’s an introduction to the various email authentication standards, an overview of DMARC, an overview of DKIM and best practices in upgrading DKIM keys.

This week’s post is on ensuring the continued security of your systems, by rotating your DKIM keys.


A number of ISPs have declared that they will not accept keys of 512 bits or shorter in 2013. However, these keys have not entirely disappeared. If you are a major brand charged with protecting your customers' data, sticking with weak 512-bit keys is simply a high security risk that isn't worth the possible damage to your brand reputation. It's imperative to increase your key length to 1024 bits as soon as possible.

At Message Systems, we ensure that all of our clients are currently using 1024-bit keys. We have supported SPF and DomainKeys since 2004, SenderID and DKIM since 2005, and DMARC since 2012. While a 2048-bit key may be an option, major ISPs in the US are still not able to accept such keys at the moment.

DKIM and DomainKeys: What’s the difference?

Simply put, DKIM is an upgrade to DomainKeys to increase adoption by offering better flexibility and security. There’s a fairly detailed technical comparison on the website.

On DKIM Key Rotation

Aside from ensuring a minimum key length of 1024 bits, it's equally important that businesses rotate their DKIM keys every three months. Here's a quick recap of DKIM keys.

DKIM is an email authentication method whose keys verify that a message has not been modified in transit. Domain owners generate a key pair, one public and one private, which is used to sign email on a per-domain basis. The public key is published as a TXT record in the domain's DNS zone; the private key is kept on the domain's outgoing mail server.

When email is sent, the outgoing server signs it with the private key and adds the resulting digital signature to the DKIM-Signature header of the outgoing message.

On receipt, the recipient verifies the signature using the public key retrieved from the domain's DNS record. A signature that verifies means successful validation.

Rotating DKIM Keys

It's a best practice to rotate your DKIM keys every three months. However, many businesses neglect this important step. One reason is that rotating keys is no easy task.

As with passwords, however, the longer a key goes unchanged, the higher the risk of its being compromised. Keys are rotated by creating a new {selector, private key, public key} set. If you need help creating DKIM keys, try the command-line tools available on CPAN.

Once the new keys have been created, the public key must be published in DNS and the outgoing mail server reconfigured to use the new private key. The old key should be kept (its public half left in DNS, so mail signed just before the cut-over still verifies) for a period of 7 days, after which it can safely be removed.
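The rotation procedure above, as an added example that is not part of the original post: a small planner that models the three-month cadence and the 7-day overlap, and formats the public key as the TXT record for `selector._domainkey.domain`. Key generation is left to a tool such as the CPAN utilities the post mentions; the PEM text, selector names, dates and `example.com` domain are constructed placeholders, not real keys or data.

```python
"""DKIM key rotation planner (added example, not code from the original article)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

ROTATION_PERIOD = timedelta(days=91)   # "rotate every three months"
RETIREMENT_GRACE = timedelta(days=7)   # "keep the old key for 7 days"

# Constructed placeholder: the real base64 SPKI prefix for a 2048-bit RSA key,
# padded to the 392-character length such a key encodes to. Not a real key.
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 348
    + "\n-----END PUBLIC KEY-----\n"
)


@dataclass
class Selector:
    name: str        # the selector published in DNS and in the s= tag
    activated: date  # day the signer switched to this key


def dns_txt_record(selector: str, domain: str, public_key_pem: str) -> str:
    """Build the zone-file line for selector._domainkey.domain.

    The PEM armour and whitespace are stripped and the value is split into
    255-character quoted strings: a single DNS character-string is capped at
    255 bytes, and a 2048-bit key's 392-character p= value will not fit in one.
    """
    body = re.sub(r"-----[^-]+-----|\s", "", public_key_pem)
    value = f"v=DKIM1; k=rsa; p={body}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{c}"' for c in chunks)


def plan(selectors: list, today: date) -> tuple:
    """Return (rotation_due, names_of_old_selectors_safe_to_remove_from_DNS)."""
    current = max(selectors, key=lambda s: s.activated)
    due = today >= current.activated + ROTATION_PERIOD
    past_grace = today >= current.activated + RETIREMENT_GRACE
    removable = [s.name for s in selectors if s is not current and past_grace]
    return due, removable


if __name__ == "__main__":
    sels = [Selector("201301", date(2013, 1, 2)), Selector("201304", date(2013, 4, 2))]
    print(dns_txt_record("201304", "example.com", SAMPLE_PUBLIC_KEY_PEM))
    print(plan(sels, date(2013, 4, 10)))
```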

What’s next?

Now that DKIM best practices have been covered, it's time to turn the spotlight on DMARC. Our own Alec Peterson, Message Systems CTO, is part of an all-star cast that presented a webinar on best practices for DMARC. He was joined by Sam Masiello, Application Security at Groupon, and Brandon Dingae, Director, Anti-Phishing at ReturnPath. Watch the webinar replay to learn best practices for helping your organization optimize its communications and messaging strategies in the new DMARC email environment.

Don't Deprioritize DMARC webinar


  • Out of curiosity, is there a list of which specific ISPs still do not accept 2048 bit keys? Is this based on actual data that was current at the time of writing this article, stale data, or just plain speculation? I’m not trying to be rude – I would like to push for using 2048 bit keys for our environment, but it is very large & if there are going to be any issues then we would need specific details instead of guesses & generalities. Noting that Gmail is now 2048 leads me to believe that there should be very few ISPs and other email hosts that are still not capable of validating a 2048 bit key, even if they choose to not utilize them themselves.

    Also, what would a recommended timeframe be for rotating 2048 bit keys? Do you adjust your recommendation if the private key is protected by a FIPS 140-2 level 1,2,3 crypto module or not?


  • I think the “not accepted by some ISPs” assertion is idle speculation. I’ve been using 2048 bit DKIM keys for 18 months now and haven’t seen *any* evidence of DKIM failures. I have DMARC records published and if anyone that does DMARC reporting was failing my DKIM signatures, I’d know about it.

  • Matt,

    Thanks for your comment – I set up 1024 bit keys about a year ago now based on the advice of this article. I’ve since been annoyed by my quarterly reminder to rotate them and have wondered when I might migrate to 2048. I think I’m going to take the plunge…

