From blog.redsift[.]com post on DKIM rotation in Google Workspace…
- Click on Generate New Record button.
- From the Select DKIM key bit length drop-down, choose 2048.
- Delete the old keys from the DNS before publishing the new ones.
Seems like there will be some lag between deleting the old and publishing the new key. Should one pause DMARC by temporarily changing the policy while waiting for the new key to propagate?
Hi BSCWebmaster
In my understanding, DKIM key rotation is easier when / unfeasible without employing two selectors / key records in DNS.
That is because DKIM signing, and thus the corresponding public key, must be valid, available, and verifiable from when the mail is signed and sent, until it’s received and validated by the recipient’s mail server. Factoring in allowable delays, the mail transport through a number of servers MAY take several days, so you cannot (should not) delete an old DKIM public key until your new key has been used instead of the old key for some days.
So, when rotating a DKIM key you’d make a new key pair, and use that with a separate selector for a number of days before decommissioning/invalidating/deleting the DNS record for the selector for the old key pair being rotated out. If you wish, you can repeat the process to roll back to using your primary selector with new keys.
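The two-selector rule from the reply above, turned into a retire-or-wait check (an added example, not code from the thread or from Google): the old selector is only dropped once the new selector's record is live and the old key has signed nothing for a grace period. Selector names, the example.com records and the MTA log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed DNS TXT records keyed by "<selector>._domainkey.<domain>".
# An empty "p=" publishes the selector as revoked (RFC 6376, section 3.6.1).
DNS = {
    "s2023._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...OLD...",
    "s2024._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...NEW...",
}

# Constructed outbound-MTA log: ISO timestamp, message id, selector used to sign.
SIGN_LOG = """\
2024-05-01T08:00:00 <a1@example.com> s=s2023
2024-05-03T09:30:00 <b2@example.com> s=s2023
2024-05-04T10:15:00 <c3@example.com> s=s2024
2024-05-09T11:45:00 <d4@example.com> s=s2024
"""

def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; values may be empty."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def key_state(name, dns=DNS):
    """Return 'missing', 'revoked' (empty p=) or 'active' for a DNS name."""
    if name not in dns:
        return "missing"
    tags = parse_dkim_record(dns[name])
    if tags.get("v") != "DKIM1" or "p" not in tags:
        return "missing"  # present but not a usable DKIM key record
    return "revoked" if tags["p"] == "" else "active"

def last_use(selector, log=SIGN_LOG):
    """Most recent time the selector signed outbound mail, or None."""
    times = [datetime.fromisoformat(line.split()[0])
             for line in log.splitlines() if line.endswith("s=" + selector)]
    return max(times, default=None)

def safe_to_retire(old, new, domain, now, grace_days=7, dns=DNS, log=SIGN_LOG):
    """The old selector may go only once the new key is live in DNS and the
    old key has signed nothing for grace_days, so no in-transit mail needs it."""
    if key_state(f"{new}._domainkey.{domain}", dns) != "active":
        return False, "new selector not published or revoked"
    used = last_use(old, log)
    if used is not None and now - used < timedelta(days=grace_days):
        return False, f"old key signed mail {(now - used).days} day(s) ago"
    return True, "old selector unused for the grace period"
```

Publishing the old selector with an empty p= instead of deleting the record lets verifiers see the key as revoked rather than as a DNS lookup failure.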
Best practice seems to be creating multiple keys and cycling them out over time, so that the old key doesn’t get retired until the new key is actively authenticating mail. However, Google only allows you one key at a time and turns off authentication as soon as you generate the new TXT record. The alert from the Google Workspace DKIM interface…
If you are currently authenticating email from this domain, generating a new TXT record will stop authentication until you restart it and wait for DNS to update.
I’m confused by the last bit: “until you restart it and wait for DNS to update.” I want to wait for DNS to update before I restart it, right? And while waiting I should expect SPAM to spike, yeah?
Seems like a less-than-optimal service Google’s providing there.
I also asked this question in the Google Support forum: What is the step by step procedure for rotating DKIM keys in the Google Workspace? - Google Workspace Admin Community and it looks like most will simply have to accept an interruption of authentication when rotating DKIM keys in the Google Workspace.
A possible exception to this may be if one is using Squarespace for DNS. As it says here: Set up DKIM - Google Workspace Admin Help…
If your domain provider is Google Domains or Squarespace, Google automatically creates a DKIM key and adds the key to your domain’s DNS records.
Google Domains is no more and that service was passed to Squarespace, and so I think that means: any Google Workspace user that does not use Squarespace for DNS will simply have to stop authenticating for as long as it takes the new DKIM key to propagate.
It would be great to discover I am wrong, so if anyone has the solution please share!