DKIM Key Rotation in Google Workspace

From blog.redsift[.]com post on dkim rotation in Google Workspace…

  1. Click on Generate New Record button.
  2. From the Select DKIM key bit length drop-down, choose 2048.
  3. Delete the old keys from the DNS before publishing the new ones.

Seems like there will be some lag between deleting the old and publishing the new key. Should one pause DMARC by temporarily changing the policy while waiting for the new key to propagate?

Hi BSCWebmaster

In my understanding, DKIM key rotation is easier when / unfeasible without employing two selectors / key records in DNS.

That is because DKIM signing, and thus the corresponding public key must be valid, available, and verifiable from when the mail is signed and sent, until it’s received and validated by the recipient’s mail server. Factoring in allowable delays, the mail transport through a number of servers MAY take several days, so you cannot (should not) delete an old DKIM public key until your new key has been used instead of the old key for some days.

So, when rotating a DKIM key you’d make a new key pair, and use that with a separate selector for a number of days before decommissioning/invalidating/deleting the DNS record for the selector for the old key pair being rotated out. If you wish, you can repeat the process to roll back to using your primary selector with new keys.
