
How can I rotate my DKIM key?



Mailgun allows for signing messages with up to 3 DKIM keys. If multiple active keys are present on a sending domain, we use a round-robin method to determine which key signs each message.


Rotating the DKIM key

Follow these steps to add additional keys, rotate your keys, or upgrade your keys from 1024 bit to 2048 bit:

1) Head to the Domain Settings page for your sending domain using the left nav menu, and then click on the DNS records tab.

2) Under the DKIM section, click on the Create new DKIM button on the right hand side of the DKIM table. A New DKIM key modal will pop up.

There are 2 methods for adding a new DKIM key. You can allow Mailgun to generate the DKIM key (most users will choose this method), or you can import an existing key via a valid PEM file (advanced users may choose this method). In either case you'll need to choose a selector that is unique to the sending domain. If you let Mailgun generate the key, you can choose the DKIM key length, either 1024 bit or 2048 bit. 2048 bit is more secure, but can be a bit more complicated to set up: the record value is much longer than a single 255-character TXT string allows, so DNS providers require you to split the record into 2 parts.

3) Once you have made your selections, click on Create.

4) You will see your new DKIM key listed under the DKIM section of the DNS records page, and it will be in an Unverified status. You will need to copy the key value (click the copy icon for the record under the Enter this value column) and add it as the content of a TXT record at the listed hostname, wherever you manage your DNS. Keep in mind that DNS providers differ in how they want you to enter this information, especially for a 2048 bit key.

5) Once your TXT record is added at your DNS provider, you'll need to verify the record and activate the key. There are two ways to do this. You can click on the Verify DNS settings button at the top of the page to verify the record, and then activate the key via the gear icon next to the record. Alternatively, click on the gear icon next to the record and then on Activate: this verifies the record and, if verification succeeds, activates the key, meaning Mailgun will start signing messages with it.

6) In the case of a key rotation or an upgrade from a 1024 bit key to a 2048 bit key, it is recommended to send a test message to yourself to verify that messages are being signed with the new key (because of the round-robin selection you may need to send several test messages), and then delete the old key.
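Two checks that support steps 4 and 6, as an added example and not code from Mailgun: splitting a long TXT value into 255-character strings for a provider that needs the record entered in parts, and reading the selector out of the DKIM-Signature header of the test message you sent yourself. The domain, selector and message below are constructed placeholders, not real Mailgun values.

```python
import email

# Constructed sample: headers of a test message as received after sending it to yourself.
# "example.com" and the selector "mg2024" are placeholders for your own domain and selector.
SAMPLE_MESSAGE = b"""DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=mg2024; h=from:to:subject:date;
 bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 b=dGVzdA==
From: sender@example.com
To: sender@example.com
Subject: DKIM rotation test

hello
"""


def split_txt_record(value: str, limit: int = 255) -> list:
    """Split a long TXT value (e.g. a 2048-bit DKIM public key) into strings of at
    most `limit` characters, the per-string limit of a DNS TXT record. Resolvers
    concatenate the strings back together, so the order must be preserved."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header, tolerating header folding."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def signing_selectors(raw: bytes) -> list:
    """Return (domain, selector, algorithm) for every DKIM-Signature on the message."""
    msg = email.message_from_bytes(raw)
    result = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        result.append((tags.get("d"), tags.get("s"), tags.get("a")))
    return result


def signed_with(raw: bytes, domain: str, selector: str) -> bool:
    """True if at least one DKIM-Signature uses the expected domain and the new selector."""
    return any(d == domain and s == selector for d, s, _ in signing_selectors(raw))
```

Run `signed_with()` over each test message's raw source (most mail clients offer a "show original" or "view source" option); once every message you send reports the new selector, the old key can be deleted.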


Need Support?

Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support section of your Mailgun Control Panel, and we'll be with you shortly!