Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
DKIM Key Rotation Guide
Zero-Downtime Key Rotation for Production Email Infrastructure
Version 2026-04 · Cloud Server for Email
Why Rotate DKIM Keys
- Security: limits exposure if private key is ever compromised
- Compliance: DMARC best practices recommend annual rotation minimum
- Operational: required when changing infrastructure providers
- Google recommends rotating every 6–12 months for bulk senders
Pre-Rotation Checklist
- Current DKIM selector and domain identified (check mail headers: DKIM-Signature d= and s= tags)
- Access to DNS provider for sending domain confirmed
- New key pair generated (see command below)
- New selector name decided (e.g., if current is "s1", new is "s2" or "key2026")
- PowerMTA or MTA configuration access confirmed
- At least 48h allocated before decommissioning old key
Step 1: Generate New Key Pair
# Generate 2048-bit RSA key pair
openssl genrsa -out dkim_private_new.pem 2048
openssl rsa -in dkim_private_new.pem -pubout -out dkim_public_new.pem
# Extract public key for DNS TXT record (remove headers, join lines)
grep -v "^-" dkim_public_new.pem | tr -d "\n"
# → Copy this output for the DNS TXT record
Step 2: Publish New DNS Record
| Record Type | Host | Value |
|---|---|---|
| TXT | NEW_SELECTOR._domainkey.yourdomain.com | v=DKIM1; k=rsa; p=[public key from step 1] |
Wait for DNS propagation before proceeding (15 min – 4 hours). Verify:
dig TXT new_selector._domainkey.yourdomain.comStep 3: Configure MTA to Sign with New Key
# PowerMTA: add new dkim-key to config
dkim-key new_selector yourdomain.com /path/to/dkim_private_new.pem
# Reload without restart
pmta reload
# Verify new selector in test email headers:
# DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=NEW_SELECTOR
Step 4: Verify New Key Works
- Send test email to Gmail account
- Check received headers: DKIM-Signature s= tag shows new selector
- Authentication-Results shows dkim=pass
- Check MXToolbox DKIM Lookup: new selector passes
- Wait 48 hours before removing old key (in-flight messages may still carry old signature)
Step 5: Decommission Old Key (After 48h)
- Remove old dkim-key entry from PowerMTA config
- Run: pmta reload
- Keep old DNS TXT record for 30 days (DMARC forensic reports may reference it)
- After 30 days: delete old selector DNS TXT record
- Securely delete old private key file
Managed Clients: Cloud Server for Email handles DKIM key rotation for all managed infrastructure clients. Key rotation is scheduled annually and performed by the infrastructure team without client action required.