DKIM Key Rotation Guide

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
DKIM Key Rotation Guide
Zero-Downtime Key Rotation for Production Email Infrastructure
Version 2026-04 · Cloud Server for Email

Why Rotate DKIM Keys

  • Security: limits exposure if private key is ever compromised
  • Compliance: DMARC best practices recommend annual rotation minimum
  • Operational: required when changing infrastructure providers
  • Google recommends rotating every 6–12 months for bulk senders

Pre-Rotation Checklist

  • Current DKIM selector and domain identified (check mail headers: DKIM-Signature d= and s= tags)
  • Access to DNS provider for sending domain confirmed
  • New key pair generated (see command below)
  • New selector name decided (e.g., if current is "s1", new is "s2" or "key2026")
  • PowerMTA or MTA configuration access confirmed
  • At least 48h allocated before decommissioning old key

Step 1: Generate New Key Pair

# Generate 2048-bit RSA key pair openssl genrsa -out dkim_private_new.pem 2048 openssl rsa -in dkim_private_new.pem -pubout -out dkim_public_new.pem # Extract public key for DNS TXT record (remove headers, join lines) grep -v "^-" dkim_public_new.pem | tr -d "\n" # → Copy this output for the DNS TXT record

Step 2: Publish New DNS Record

Record TypeHostValue
TXTNEW_SELECTOR._domainkey.yourdomain.comv=DKIM1; k=rsa; p=[public key from step 1]
Wait for DNS propagation before proceeding (15 min – 4 hours). Verify: dig TXT new_selector._domainkey.yourdomain.com

Step 3: Configure MTA to Sign with New Key

# PowerMTA: add new dkim-key to config dkim-key new_selector yourdomain.com /path/to/dkim_private_new.pem # Reload without restart pmta reload # Verify new selector in test email headers: # DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=NEW_SELECTOR

Step 4: Verify New Key Works

  • Send test email to Gmail account
  • Check received headers: DKIM-Signature s= tag shows new selector
  • Authentication-Results shows dkim=pass
  • Check MXToolbox DKIM Lookup: new selector passes
  • Wait 48 hours before removing old key (in-flight messages may still carry old signature)

Step 5: Decommission Old Key (After 48h)

  • Remove old dkim-key entry from PowerMTA config
  • Run: pmta reload
  • Keep old DNS TXT record for 30 days (DMARC forensic reports may reference it)
  • After 30 days: delete old selector DNS TXT record
  • Securely delete old private key file
Managed Clients: Cloud Server for Email handles DKIM key rotation for all managed infrastructure clients. Key rotation is scheduled annually and performed by the infrastructure team without client action required.