DKIM Key Rotation: Best Practices and How-To Guide for NZ Businesses

If you've set up DKIM (DomainKeys Identified Mail) for your domain, congratulations — you're already ahead of many New Zealand businesses when it comes to email authentication. But here's the catch: setting up DKIM isn't a 'set and forget' task. Like any cryptographic key, DKIM keys need to be rotated regularly to keep your email secure and trustworthy.

In this guide, we'll explain why DKIM key rotation matters, how often to do it, and walk you through the exact steps to rotate your DKIM keys without disrupting email delivery.

Why DKIM Key Rotation Matters

DKIM uses public-key cryptography to sign your outbound emails, proving they genuinely came from your domain and haven't been tampered with in transit. The private key sits with your email provider (like Microsoft 365, Google Workspace, or your marketing platform), while the public key is published in your DNS.

Over time, keys can become compromised through:

  • Data breaches at email service providers
  • Leaked credentials from former employees or contractors
  • Advances in computing power that weaken shorter keys
  • Accidental exposure via misconfigured systems or backups

A compromised DKIM key allows attackers to send authenticated phishing emails appearing to come from your domain — a nightmare scenario for any Kiwi business trying to protect its brand and customers.

How Often Should You Rotate DKIM Keys?

Industry best practice, including guidance from M3AAWG (the Messaging, Malware and Mobile Anti-Abuse Working Group), recommends:

  • Every 6 months for most businesses
  • Every 3 months for high-risk industries (finance, healthcare, government)
  • Immediately if you suspect a compromise or after a major provider incident

For reference, New Zealand government agencies following NZISM guidelines are typically expected to rotate cryptographic keys on a defined schedule — DKIM is no exception.

DKIM Key Length: 1024 vs 2048 Bits

Before rotating, make sure you're upgrading to a strong key. The current recommendation is 2048-bit RSA keys. Older 1024-bit keys are still acceptable but are being phased out across the industry.

# Example DKIM DNS record (2048-bit)
selector1._domainkey.yourcompany.co.nz TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Note: the public key in a 2048-bit record is longer than the 255-character limit on a single TXT string, so it must be split into multiple quoted strings within a single record; resolvers and verifiers join the strings back together in order.
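The following Python script is an added example, not code from the original article or from xteam's MailCheck. It shows the two points made in this section: how a long DKIM record is split into 255-character TXT strings and joined back, and how to tell a 2048-bit key from a 1024-bit one by decoding the base64 p= value (an RSA SubjectPublicKeyInfo in DER) and measuring the modulus. The sample keys are constructed placeholders of the right bit length, not real key material; the DER helpers and the function names are this example's own.

```python
import base64

# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo (what DKIM's p= carries) ---
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
DER_NULL = b"\x05\x00"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_rsa_spki(n, e=65537):
    """Encode an RSA public key (n, e) as DER SubjectPublicKeyInfo (used here only to build samples)."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, _tlv(0x30, RSA_OID + DER_NULL) + _tlv(0x03, b"\x00" + rsa_pub))


def rsa_modulus_bits(spki):
    """Return the RSA modulus length in bits from a DER SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki)          # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _read_tlv(body)         # AlgorithmIdentifier SEQUENCE
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _read_tlv(body, pos)     # BIT STRING; first byte is the unused-bits count
    _, rsa_pub, _ = _read_tlv(bits[1:])   # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _read_tlv(rsa_pub)    # INTEGER modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def split_for_txt(record, max_len=255):
    """Split a long DKIM record into strings of at most 255 characters for one TXT RR."""
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]


def parse_dkim_record(strings):
    """Join the TXT strings in order and parse the tag=value list (RFC 6376 style)."""
    tags = {}
    for part in "".join(strings).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # whitespace inside values is allowed
    return tags


def assess_dkim_record(strings, min_bits=2048):
    """Return (verdict, detail) for a published DKIM key record."""
    tags = parse_dkim_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid", "v= must be DKIM1 when present"
    if tags.get("k", "rsa") != "rsa":
        return "unsupported", f"key type {tags.get('k')!r} is not checked here"
    if "p" not in tags:
        return "invalid", "missing p= tag"
    if tags["p"] == "":
        return "revoked", "empty p= means the selector is revoked"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except Exception as exc:
        return "invalid", f"p= is not a valid RSA public key: {exc}"
    return ("ok" if bits >= min_bits else "weak"), f"{bits}-bit RSA key"


# Constructed sample keys: placeholder moduli of the right bit length, not real keys.
# A 2048-bit key always base64-encodes to the "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" prefix
# seen in the article's record, because that prefix is just the fixed DER framing.
SAMPLE_2048 = base64.b64encode(build_rsa_spki((1 << 2047) | 0x10001)).decode()
SAMPLE_1024 = base64.b64encode(build_rsa_spki((1 << 1023) | 0x10001)).decode()

STRONG_RECORD = split_for_txt(f"v=DKIM1; k=rsa; p={SAMPLE_2048}")  # needs two TXT strings
WEAK_RECORD = [f"v=DKIM1; k=rsa; p={SAMPLE_1024}"]                  # fits in one string
REVOKED_RECORD = ["v=DKIM1; k=rsa; p="]                              # how a retired selector can be marked

if __name__ == "__main__":
    for name, rec in [("strong", STRONG_RECORD), ("weak", WEAK_RECORD), ("revoked", REVOKED_RECORD)]:
        print(f"{name}: {len(rec)} TXT string(s) -> {assess_dkim_record(rec)}")
```

To check a live selector, feed the quoted strings from `dig TXT selector1._domainkey.yourcompany.co.nz` into `assess_dkim_record` in the order they are returned; the same function also recognises an empty p=, which is the standard way to revoke a selector rather than deleting the record.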

Best Practices for DKIM Key Rotation

1. Use Multiple Selectors

DKIM allows multiple active keys through different selectors (e.g., selector1, selector2, s1-2024, s2-2024). This makes rotation seamless — you can publish a new key while the old one still validates in-flight messages.

2. Overlap the Old and New Keys

Never delete the old key immediately. Emails can sit in queues or receiver systems for hours or even days. Keep both keys published during a transition window.

3. Document Your Rotation Schedule

Track which selectors are in use, when they were rotated, and which services use which keys. A simple spreadsheet works fine for small teams.

4. Rotate Per Sending Source

If you use multiple email platforms (e.g., Microsoft 365 for staff, Mailchimp for newsletters, Xero for invoices), each will have its own DKIM key and selector. Rotate them independently.

Step-by-Step: How to Rotate DKIM Keys

Here's the general process. Specific steps vary by provider, but the logic is the same.

Step 1: Generate a New DKIM Key

Log into your email provider's admin console and generate a new DKIM key with a new selector name. For example, if your current selector is selector1, name the new one selector2 or include a date like s2025-01.

For Microsoft 365:

  1. Go to the Microsoft Defender portal > Email & collaboration > Policies & rules > Threat policies > DKIM
  2. Select your domain and click Rotate DKIM keys

For Google Workspace:

  1. Go to Admin Console > Apps > Google Workspace > Gmail > Authenticate email
  2. Generate a new DKIM key (choose 2048-bit)

Step 2: Publish the New Public Key in DNS

Your provider will give you a new DNS TXT record. Add it to your DNS without removing the old one:

selector2._domainkey.yourcompany.co.nz TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA<new-key>..."

Common NZ DNS providers like SiteHost, 1st Domains, Freeparking, DNSimple, and Cloudflare all support TXT records through their control panels.

Step 3: Verify DNS Propagation

Wait 15 minutes to a few hours for DNS to propagate, then verify using a tool like xteam's MailCheck, or from the command line:

dig TXT selector2._domainkey.yourcompany.co.nz

You should see your new public key returned.

Step 4: Activate the New Key

In your email provider's admin console, switch the active signing selector to the new one. Send a test email to yourself and check the headers — you should see:

DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.co.nz; s=selector2; ...

Step 5: Keep the Old Key Live for 1–2 Weeks

Leave the old DNS record in place for at least 7–14 days. This ensures any emails still in transit or stored in recipient systems can still be validated.

Step 6: Remove the Old Key

Once the overlap period has passed, delete the old TXT record from your DNS. Update your internal documentation with the rotation date and next scheduled rotation.
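As an added example (not part of the original guide, and not a provider tool), the script below turns steps 3 to 6 into a repeatable check you can run during each rotation: it confirms the new selector resolves from `dig +short` output, confirms a test message was signed with the new selector, refuses to retire the old key inside the overlap window, and when the window has passed tells you to remove the old record and when the next rotation is due. The `dig` output and DKIM-Signature header are constructed samples with placeholder keys; the 14-day window is the upper bound of the guide's 7-14 days, and the 6-month / 3-month schedule is the one from the rotation-frequency section.

```python
import calendar
import re
from datetime import date, timedelta

OVERLAP_DAYS = 14  # upper bound of the guide's "at least 7-14 days"


def parse_dig_txt(dig_short_output):
    """Join the quoted strings printed by `dig +short TXT <name>` into one record.
    Returns None when the answer is empty, i.e. the selector is not published."""
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_short_output)
    return "".join(strings) if strings else None


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header (d= and s= are what we check)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def add_months(d, months):
    """Calendar-aware month addition, clamped to the last day of the target month."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def rotation_checklist(domain, old_sel, new_sel, dns, test_mail_signature, activated_on, today,
                       high_risk=False):
    """Return the list of outstanding actions or problems for steps 3-6.
    `dns` maps a selector name to the `dig +short` output for <selector>._domainkey.<domain>."""
    actions = []
    # Step 3: the new public key must be visible before you switch signing to it.
    new_rec = parse_dig_txt(dns.get(new_sel, ""))
    if new_rec is None or not new_rec.startswith("v=DKIM1"):
        actions.append(f"step 3: {new_sel}._domainkey.{domain} not visible yet; do not activate")
    # Step 4: a test message must carry d=<domain> and s=<new selector>.
    sig = parse_dkim_signature(test_mail_signature)
    if sig.get("d") != domain or sig.get("s") != new_sel:
        actions.append(f"step 4: test mail signed with d={sig.get('d')} s={sig.get('s')}, "
                       f"expected d={domain} s={new_sel}")
    # Steps 5 and 6: keep the old key through the overlap window, then remove it.
    retire_after = activated_on + timedelta(days=OVERLAP_DAYS)
    old_rec = parse_dig_txt(dns.get(old_sel, ""))
    if today < retire_after and old_rec is None:
        actions.append(f"step 5: {old_sel} removed before {retire_after}; in-flight mail will fail DKIM")
    elif today >= retire_after and old_rec is not None:
        actions.append(f"step 6: overlap window over, remove {old_sel}; "
                       f"next rotation due {add_months(activated_on, 3 if high_risk else 6)}")
    return actions


# Constructed sample data: what `dig +short TXT` and a test message header might look like.
DOMAIN = "yourcompany.co.nz"
SAMPLE_DNS = {
    "selector1": '"v=DKIM1; k=rsa; p=<old-key-base64>"',
    "selector2": '"v=DKIM1; k=rsa; " "p=<new-key-base64-split-across-strings>"',
}
SAMPLE_SIG = "v=1; a=rsa-sha256; d=yourcompany.co.nz; s=selector2; bh=<hash>; b=<signature>"
ACTIVATED = date(2025, 1, 6)  # the day signing was switched to selector2


def demo():
    """Run the checklist for three moments in the rotation; returns {scenario: actions}."""
    day4, day15 = ACTIVATED + timedelta(days=4), ACTIVATED + timedelta(days=15)
    old_removed_early = {"selector2": SAMPLE_DNS["selector2"]}
    return {
        "inside window, both keys live": rotation_checklist(
            DOMAIN, "selector1", "selector2", SAMPLE_DNS, SAMPLE_SIG, ACTIVATED, day4),
        "inside window, old key deleted": rotation_checklist(
            DOMAIN, "selector1", "selector2", old_removed_early, SAMPLE_SIG, ACTIVATED, day4),
        "window over, old key still live": rotation_checklist(
            DOMAIN, "selector1", "selector2", SAMPLE_DNS, SAMPLE_SIG, ACTIVATED, day15),
        "signed with wrong selector": rotation_checklist(
            DOMAIN, "selector1", "selector2", SAMPLE_DNS,
            SAMPLE_SIG.replace("s=selector2", "s=selector1"), ACTIVATED, day4),
    }


if __name__ == "__main__":
    for scenario, actions in demo().items():
        print(f"{scenario}: {actions or 'nothing to do'}")
```

The activation date and selector names are the entries you would keep in the rotation spreadsheet the guide recommends; per sending source (Microsoft 365, Mailchimp, Xero) you would run the check once with that platform's own selectors.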

Common DKIM Rotation Pitfalls

  • Forgetting third-party senders. If your accountant sends invoices via a platform like Xero, or your marketing goes through HubSpot, each needs its own DKIM rotation.
  • Removing the old key too soon. This causes DKIM failures for in-flight emails.
  • Using weak keys. Always use 2048-bit RSA keys.
  • Not monitoring DMARC reports. After rotation, watch your DMARC aggregate reports to confirm DKIM is still aligning correctly.

Check Your DKIM Setup with xteam MailCheck

Not sure if your DKIM is configured correctly, or when it was last rotated? Our free MailCheck tool analyses your domain's SPF, DKIM, DMARC, and BIMI records in seconds — and flags weak keys, missing selectors, and common misconfigurations.

It's built for New Zealand businesses who want straightforward, actionable email security insights without wading through technical jargon. Give it a try and make DKIM rotation part of your regular security hygiene.