• DKIM
  • email security
  • o365

What is DKIM key rotation and why is it important?

The practice of periodic DKIM key rotation strengthens email security and prevents phishing, fraud, and impersonation attacks planned in your business’ name. Leaving your DKIM keys unchanged for a long time could allow attackers to exploit your email-sending domain for attempting malicious activities. 

Since DKIM key rotation is critical to your overall email security efforts, it’s important to understand its significance and best practices. 

What does DKIM stand for, and what does DKIM do?

DKIM stands for DomainKeys Identified Mail, and is an email authentication method that works on the concept of cryptography. The DKIM signatures within email message headers improve email deliverability and security by filtering out fake emails and processing genuine emails. 

To begin implementing, you need to create a pair of public and private DKIM keys for your domain and DKIM record. The public DKIM key is updated to DNS for open access so that recipients’ mailboxes can use it for verification. On the other hand, the private DKIM key is stored secretly on your end.

Now that you know the DKIM meaning and involvement of the keys, let’s move to understanding about a DKIM selector.

What is a DKIM Selector?

A DKIM selector is a string pointing to a certain public key in your DKIM record. You use an ‘s=’ tag in a signature header field that can be seen in a DKIM email’s technical header.

Recipients’ validators use selectors in combination with the signing domain for locating and retrieving the public key in your DNS. 

Why is DKIM Key Rotation Important?

You can rotate DKIM keys by simply replacing the old pair with a new one to authenticate DKIM emails. If a threat actor steals or deciphers your private key, they won’t be able to use them for long if you do regular DKIM key rotation.

Moreover, this practice ensures that signatures are updated, which increases your domain’s email deliverability rate or the ability of your emails to reach the desired recipients’ primary inboxes.

How Often Should DKIM Keys be Rotated?

It’s generally suggested to rotate DKIM keys every 6 to 12 months. However, this isn’t a fixed time period since multiple factors decide the frequency that best suits your domain. Frequent rotation averts hackers from intercepting and decoding your cryptographic keys, but operational limitations can prevent this from happening. While on the other hand, delayed frequency (say, once every couple of years) makes your domain more susceptible to the risk of intercepted or decoded keys.

How Do You Rotate DKIM Keys?

There are a few options to practice DKIM key rotation for enhanced email security. But ensure running your record through a DKIM checker to validate it. 

Manual

You can perform manual rotation by making some changes in your DKIM record, note this only applies if you have access to replace the private key:

  • Open a DKIM record generator and enter your domain name, followed by mentioning the DKIM selector you want to use.
  • You’ll receive the keys to publish on your DNS, replacing the previous record.
  • Lastly, share the private key with your email service provider or upload it on your mail server if you manage email transfer on-premise.

Subdomain Delegation

Third-party vendors can periodically rotate DKIM keys for your domain, enabling you to shift your attention to other tasks and get evaded from DKIM management and maintenance responsibilities. Red Sift’s dedicated OnDMARC platform can take charge of all the hassle on your behalf and ensure overall email protection. 

CNAME Delegation

CNAME delegation enables domain owners to direct to DKIM record information handled by a third-party vendor. It’s similar to subdomain delegation as you just have to publish some CNAME records on your DNS and the hired third party will handle the key rotation process.

Automatic

Some email vendors and external email service providers offer automatic DKIM key rotation for users. This saves the time spent in zeroing down, troubleshooting, and coordinating remediates for overall DKIM errors.

It’s suggested to rotate DKIM keys using automation over the manual method as the latter is prone to human errors and delays. On the other hand, automatic rotation is faster, effective, and requires minimum involvement of yours.

Best Practices When Rotating DKIM Keys

Following are among the top DKIM key rotation best practices:

  • Rotate your DKIM keys periodically; preferably once every 6 months.
  • Standardize the DKIM key rotation process for your domain to avoid errors, delays, and redundancies. 
  • Align key activities like key generation and depreciation for a smooth transition at each rotation period.
  • Be prepared for emergency key rotation by pre-publishing the next public key. This is for situations where you detect compromisation of your key pairs. 
  • Perform regular audits of your DKIM key rotation. As DKIM key rotation best practice, it’s advised to plan audits shortly after a rotation.

How to View and Rotate DKIM Keys in Microsoft Office 365?

To rotate DKIM keys in Office 365, begin by checking if the keys are enabled for rotation. Then follow these steps-

  • Sign in to Microsoft 365 Defender portal.
  • Go to Email & Collaboration.
  • Click Policies & Rules.
  • Click on Threat Policies.

Click Email authentication settings

Choose DKIM

  • Choose your domain name.
  • Slide the toggle from Disabled to Enabled.
  • Click on Rotate DKIM keys.

How to Rotate DKIM Keys in Google Workspace?

It’s a bit complicated to rotate DKIM keys in Google Workspace as the domain administrator has to generate a new key, add it to the DNS, and then validate it from the Google admin console. Follow these steps to produce a new DKIM key in Google Workspace:

  1. Go to your Google Admin Console.
  2. Go to Menu > Apps > Google Workspace > Gmail.
  3. Click Authenticate email.
  4. Choose the domain for which you’ve to generate the new key.
  5. Click on Generate New Record button.
  6. From the Select DKIM key bit length drop-down, choose 2048. 
  7. Delete the old keys from the DNS before publishing the new ones.
  8. Click Generate.

Once you publish the new DKIM key to your DNS, you need to go back to the Authenticate email page in the Google Admin Console, click Start Authentication, and you’re done. 

If you’re still skeptical about DKIM practices and management, then head out to our investigate tool to know about errors and ways to fix them.

PUBLISHED BY

Red Sift

9 Aug. 2023

SHARE ARTICLE:

Categories

Email

Related articles

Red Sift ASM & Red Sift Certificates: the missing link in your CTEM strategyThe best tools to protect yourself from SubdoMailingRed Sift’s Spring 2024 Quarterly Product ReleaseNavigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a new risk to our customer baseWhere are we now? One month of Google and Yahoo’s new requirements for bulk senders

Recent Posts

VIEW ALL
ASM
24 Apr. 2024

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more
Email
28 Mar. 2024

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release
21 Mar. 2024

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email
12 Mar. 2024

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Red Sift Logo

PLATFORM

The Red Sift Pulse Platform

Internet-scale cybersecurity intelligence meets trusted AI.
OnDMARC

Protect against phishing and BEC attacks.
Brand Trust

Stop brand abuse, fraud and lookalike attacks.
ASM

Continuously discover and manage external-facing and cloud assets.
Certificates

Real-time discovery and seamless monitoring for certificates.

INNOVATION

CUSTOMERS

Resources

Company