DKIM key rotation

Date: Wed, 30 Sep 2015 11:34:21 +0200


Many people consider it best practice to rotate DKIM keys on a regular basis: you create/publish a new key, with a new selector, and start signing. Then after a few days, you retire the old key from DNS.
It makes sense, and I'm OK with that. I've even designed a script to rotate and clean DKIM keys on my server. Works great.

Recently I've looked into tons of mail logs. Luckily, they include the selector and domain for every successful DKIM verification. It appears that the big ones (Gmail, Facebook, Yahoo...) don't rotate DKIM keys in any visible way. Not even once in a year.

So is DKIM key rotation only for ultra-paranoid admins?

Received on Wed Sep 30 2015 - 09:34:39 PST
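
An added example, not part of the original post: one way to run the log check described above, listing for each signing domain the selectors seen on passing signatures and how long an old and a new selector overlapped. The log line layout (`dkim=pass d=... s=...`), the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample lines; the "dkim=pass d=<domain> s=<selector>" layout is an
# assumption. Adapt LINE_RE to whatever your verifier actually writes.
SAMPLE_LOG = """\
2015-01-12 mx1 dkim=pass d=example.net s=20120113
2015-03-02 mx1 dkim=pass d=example.org s=sel2015a
2015-05-20 mx1 dkim=fail d=example.org s=bogus
2015-06-15 mx1 dkim=pass d=example.org s=sel2015b
2015-06-18 mx1 dkim=pass d=example.org s=sel2015a
2015-09-29 mx1 dkim=pass d=example.net s=20120113
2015-09-30 mx1 dkim=pass d=Example.ORG s=sel2015b
"""

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\s.*\bdkim=pass\s+d=(\S+)\s+s=(\S+)")

def selector_history(log_text):
    """Map domain -> {selector: [first_seen, last_seen]}, passing signatures only."""
    history = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a failed signature says nothing about the domain's real keys
        day = date(int(m[1]), int(m[2]), int(m[3]))
        domain, selector = m[4].lower(), m[5]
        seen = history[domain].setdefault(selector, [day, day])
        seen[0], seen[1] = min(seen[0], day), max(seen[1], day)
    return history

def rotation_report(log_text):
    """Per domain: selectors by first use, overlap between successive ones, observed span."""
    report = {}
    for domain, sels in selector_history(log_text).items():
        ordered = sorted(sels.items(), key=lambda kv: kv[1][0])
        # Positive overlap: old selector still verified N days after the new one
        # first appeared. Negative: a gap with no passing mail between the two.
        overlaps = [(old_last - new_first).days
                    for (_, (_, old_last)), (_, (new_first, _)) in zip(ordered, ordered[1:])]
        first = min(v[0] for v in sels.values())
        last = max(v[1] for v in sels.values())
        report[domain] = {"selectors": [s for s, _ in ordered],
                          "overlap_days": overlaps,
                          "observed_days": (last - first).days}
    return report

if __name__ == "__main__":
    for dom, info in sorted(rotation_report(SAMPLE_LOG).items()):
        print(dom, info)
```

A domain whose report shows a single selector across the whole observed span never rotated in the period the logs cover.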

