Email health
DKIM key rotation
DKIM keys aren't fire-and-forget. Rotate at least annually, retire old selectors, and use 2048-bit RSA. The mechanics are spelled out in RFC 6376 §3.1.
What it is
DKIM key rotation is the operational practice of replacing signing keys on a schedule. RFC 6376 §3.1 explicitly designs the `selector` to enable seamless rotation: publish a new selector, switch signing to it, leave the old selector in DNS until in-flight mail clears, then remove it. M3AAWG and major ESPs recommend rotation at least annually with a 2048-bit minimum key length.
Why it matters
Static keys accumulate exposure: if a single host is compromised, the attacker can sign mail as your domain indefinitely. Gmail's bulk-sender requirements call for a 1024-bit minimum; 2048-bit is the practical baseline in 2026. Rotation also forces verification that signing is actually working.
Who it applies to
Every domain that signs outbound mail with DKIM.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 2 | DKIM signing | live |
Related standards
- See also: DKIM, Bulk-sender 2024
Examples
```
; old selector still resolves while in-flight mail clears
2025q4._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBI..."
; new selector — signing switched here
2026q2._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBI..."
```

Quarterly selectors make rotation a calendar event, not a fire drill. Remove the old record after 7–14 days.
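The rotation rules above can be checked mechanically. The following is an added example, not WQI's own code: it audits full TXT values per selector for key size, overdue old selectors, and signing key age. The function names, the 14-day grace default, and the sample records (built with a placeholder modulus, not real keys) are assumptions.

```python
import base64
from datetime import date

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size of the SubjectPublicKeyInfo carried in a p= tag."""
    _, spki, _ = _tlv(base64.b64decode(p_b64), 0)
    _, _, pos = _tlv(spki, 0)        # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, pos)   # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _tlv(bitstr, 1)   # byte 0 is the unused-bits count
    _, modulus, _ = _tlv(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()

def audit(records, signing, switched, today, grace_days=14, max_age_days=365):
    """records: {selector: TXT value}. Returns a sorted list of findings."""
    findings = []
    for sel, txt in records.items():
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        p = tags.get("p", "").replace(" ", "")
        if not p:
            continue  # empty p= means the key is revoked (RFC 6376 §3.6.1)
        if sel != signing and (today - switched).days > grace_days:
            findings.append(f"{sel}: old selector still published")
        if tags.get("k", "rsa") == "rsa" and (bits := rsa_bits(p)) < 2048:
            findings.append(f"{sel}: {bits}-bit key, below 2048")
    if signing not in records:
        findings.append(f"{signing}: signing selector not in DNS")
    if (today - switched).days > max_age_days:
        findings.append(f"{signing}: signing key older than a year")
    return sorted(findings)

def _enc(tag, body):  # minimal DER encoder, used only to build the samples
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed TXT value; placeholder modulus, not a usable key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _enc(0x30, _enc(0x02, n) + _enc(0x02, b"\x01\x00\x01"))
    alg = _enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed `audit` the TXT values your resolver returns for each `<selector>._domainkey` name, with `switched` set to the date signing moved to the current selector.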