DKIM rotation, how often?

In the Advancing Your DMARC Policy article, under the “Next Step: DMARC Maintenance” heading, it says…

DKIM keys should be rotated on a regular basis; this could be every few months or annually.

The difference between a few months and a year seems large. How does one decide which is appropriate?

Seems the M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) says at least every 6 months.

The recommended DKIM key rotation frequency is typically every 6 months, as outlined in the M3AAWG document. However, the feasibility of this practice depends largely on how you manage your DKIM keys.

If you have direct access to your domain’s DNS and can update the DKIM records yourself (TXT records), scheduling a rotation every 6 months is straightforward in most cases. On the other hand, if a third-party vendor manages your DKIM keys, usually through CNAME delegation, the ability to rotate keys depends on the features they offer. Some vendors might have built-in options for automated key rotation or settings that allow for manual updates at the recommended intervals.

To understand what’s possible in your specific case, it’s essential to check the vendor’s documentation or reach out to their support team. They can provide guidance on whether they support DKIM key rotation and, if so, how it can be implemented.

1 Like
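An added example, not part of the thread or of any M3AAWG material: a small audit that applies the 6-month interval to a selector inventory and separates self-managed TXT records from CNAME-delegated ones, as the answer above distinguishes. The selector names, dates, truncated key and the idea of keeping a publish date in your own inventory are assumptions made for illustration.

```python
from datetime import date

ROTATION_DAYS = 183  # roughly 6 months, the interval cited in the thread

def parse_dkim_txt(txt):
    """Split a DKIM key record (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def audit_selector(answers, published, today):
    """answers: (rtype, rdata) pairs returned for <selector>._domainkey.<domain>.
    published: date the key went live, taken from your own inventory
    (assumption: DNS itself does not record it)."""
    age = (today - published).days
    overdue = age > ROTATION_DAYS
    rtype, rdata = answers[0]
    if rtype == "CNAME":
        # Key material lives in the vendor's zone; you cannot swap it yourself.
        action = "ask vendor how to rotate" if overdue else "none"
        return {"managed_by": "vendor", "age_days": age, "overdue": overdue, "action": action}
    tags = parse_dkim_txt(rdata)
    if tags.get("p", "") == "":
        # An empty p= tag marks the key as revoked (RFC 6376, section 3.6.1).
        return {"managed_by": "self", "age_days": age, "overdue": False,
                "action": "remove revoked record"}
    action = "publish new selector, switch signing, retire this one" if overdue else "none"
    return {"managed_by": "self", "age_days": age, "overdue": overdue, "action": action}

# Constructed sample data: names, dates and the truncated key are made up.
TODAY = date(2024, 7, 1)
INVENTORY = {
    "s2023._domainkey.example.com":
        ([("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A")], date(2023, 9, 1)),
    "mail._domainkey.example.com":
        ([("CNAME", "mail.dkim.vendor.example.")], date(2024, 5, 1)),
    "old._domainkey.example.com":
        ([("TXT", "v=DKIM1; p=")], date(2022, 1, 1)),
}

def audit_all(inventory=INVENTORY, today=TODAY):
    return {name: audit_selector(ans, pub, today) for name, (ans, pub) in inventory.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```

In practice the `answers` pairs would come from a DNS lookup of each selector name rather than a hard-coded table.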