Why should I rotate my DKIM keys?
DKIM (DomainKeys Identified Mail, RFC 6376) is an email authentication standard built on public-key cryptography: each signing domain holds one or more private/public key pairs, each identified in DNS by a selector.
- The private key is held only by you, the sender (or by the system that sends on your behalf), and is used to "sign" your email: a hash of selected headers and the message body is signed, and the signature is carried in a DKIM-Signature header together with the signing domain (d=) and selector (s=).
- The public key is published in DNS as a TXT record at <selector>._domainkey.<domain>. Mailbox providers look it up using the d= and s= values in the signature to verify that the message was signed by the holder of the matching private key and was not altered in transit.
If a third party stole or otherwise recovered your private key (for example by factoring a key that is too short; RFC 8301 sets 1024-bit RSA as the minimum and recommends 2048 bits), they could "sign" their own spam or phishing email with a DKIM signature that validates for your domain. Negative reputation signals gathered from that spam or phishing email then become associated with your domain, causing deliverability problems for your legitimate email.
Rotating DKIM keys renders old keys worthless: once the old public key is removed from DNS (or its record is republished with an empty p= value, which RFC 6376 defines as revocation), nothing signed with the old private key verifies any more, so a stolen copy of it is useless. This provides an extra layer of security to help you maintain good deliverability. Two practical points: generate each new key under a new selector and publish its DNS record before you start signing with it, and keep the old record published for a short grace period after the switch so legitimate mail still in transit continues to verify.
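The mechanism and the rotation sequence described above, as an added worked example in Go (this is not code from the original page or from M3AAWG): it generates a key pair per selector, builds the DNS TXT value, signs a header string, verifies it the way a mailbox provider would by looking the selector up in a map that stands in for DNS, and then rotates from one selector to the next and revokes the old record. The selector names s2024a and s2024b, the domain example.com, the header sample and the map-based "DNS" are constructed for the example; signing is simplified to RSA-SHA256 over the raw header text without RFC 6376 canonicalization or body hashing. It uses only the Go standard library (Go 1.18 or later for strings.Cut).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewKey generates a 2048-bit RSA key (the size RFC 8301 recommends) and the
// DKIM TXT record value that publishes its public half.
func NewKey() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return key, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), err
}

// Sign produces the b= value: RSA PKCS#1 v1.5 over SHA-256 of the signed header
// text (real DKIM also canonicalizes headers and hashes the body; omitted here).
func Sign(key *rsa.PrivateKey, headers string) ([]byte, error) {
	h := sha256.Sum256([]byte(headers))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Verify is the mailbox-provider side. zone stands in for DNS (selector ->
// value of the TXT record at <selector>._domainkey.<domain>): look up the
// selector from the signature's s= tag, parse its p= tag, check the signature.
func Verify(zone map[string]string, selector, headers string, sig []byte) error {
	rec, ok := zone[selector]
	if !ok {
		return fmt.Errorf("no DKIM record for selector %q", selector)
	}
	// An empty p= means the key was revoked (RFC 6376 section 3.6.1): fail closed.
	_, after, found := strings.Cut(rec, "p=")
	p, _, _ := strings.Cut(after, ";")
	if p = strings.TrimSpace(p); !found || p == "" {
		return errors.New("DKIM record has no p= tag or the key is revoked")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return errors.New("DKIM record p= is not a valid RSA public key")
	}
	h := sha256.Sum256([]byte(headers))
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, h[:], sig)
}

// RotateDemo rotates from selector s2024a to s2024b and reports whether the old
// signature verifies during the grace period and after revocation, and whether
// the new signature verifies.
func RotateDemo() (oldDuringGrace, oldAfterRevoke, newKeyOK bool, err error) {
	zone := map[string]string{}
	headers := "from:alerts@example.com\r\nsubject:Your invoice\r\n" // constructed sample
	oldKey, rec, err := NewKey()
	if err != nil {
		return
	}
	zone["s2024a"] = rec
	oldSig, err := Sign(oldKey, headers)
	if err != nil {
		return
	}
	// Step 1: publish the new selector's record BEFORE signing anything with it.
	newKey, rec, err := NewKey()
	if err != nil {
		return
	}
	zone["s2024b"] = rec
	// Step 2: switch signing to the new selector.
	newSig, err := Sign(newKey, headers)
	if err != nil {
		return
	}
	// Grace period: both records are published, so queued mail still verifies.
	oldDuringGrace = Verify(zone, "s2024a", headers, oldSig) == nil
	// Step 3: revoke the old key with an empty p=; a stolen copy is now worthless.
	zone["s2024a"] = "v=DKIM1; k=rsa; p="
	oldAfterRevoke = Verify(zone, "s2024a", headers, oldSig) == nil
	newKeyOK = Verify(zone, "s2024b", headers, newSig) == nil
	return
}

func main() {
	grace, revoked, fresh, err := RotateDemo()
	fmt.Println("old key during grace:", grace, "old key after revocation:", revoked, "new key:", fresh, "err:", err)
}
```

The verifier fails closed on a missing selector, a missing p= tag, an empty p= (revocation) and a non-RSA key; in a real deployment the zone lookup is a DNS TXT query and the grace period is measured in your longest plausible queue delay, not in program statements.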
How frequently should I rotate DKIM keys?
You need to decide on a frequency that works best for your business by weighing your risk level, your email program's complexity, the resources needed to update the keys, and your internal security policies.
Some general guidelines are listed below:
- M3AAWG recommends that most senders rotate keys every 6 months as a best practice.
- Lower-risk senders (e.g. low-volume or infrequent senders, local and regional brands) should rotate keys at least once per year if every 6 months is not achievable.
- Higher-risk senders (e.g. high-volume or frequent senders, global brands, government agencies, banking and finance businesses) should rotate keys monthly or quarterly.
- If you detect a security breach before your scheduled rotation date, rotate your DKIM keys immediately as a precaution rather than waiting for the scheduled date.
Resources
For additional information and detail about the importance of rotating DKIM keys, please read:
- Keep Spinning Those Plates - DKIM Key Rotation (Proofpoint)