Why rotate my DKIM key?

In simple terms, you can think of your DKIM key as a password for your email messages. It's main purpose is to ensure that the data within an email is authentic and hasn't been tampered with once the sender sends the message. It does so by utilizing a private and public key pair key pair where the private key is used to generate a digital signature which is included in the message at send time, and the receiver (mailbox provider) uses the public key (hosted via a DNS TXT record) to verify the signature, and therefore the message, is authentic.

Just like a password, your DKIM key is vulnerable to compromises and best practices state that you should rotate your DKIM key at least every 6 months, and immediately if your key is compromised.

Mailgun provides two methods for rotating your key: manual and automatic using our Automatic Sender Security feature. We'll talk more about each method below.

Automatic Rotation

Mailgun's Automatic Sender Security feature makes regular rotation of your DKIM key easy. It does so by generating 2 new records that you will delegate back to Mailgun via CNAMEs. The host or name that you will provide your DNS provider will look something like pdk1._domainkey.my.domain.com and pdk2._domainkey.my.domain.com, while the target where you point back to Mailgun will look something like pdk1._domainkey.9d876.dkim1.mailgun.com and pdk2._domainkey.9d876.dkim1.mailgun.com. Automatic Sender Security then generates 2 2048 bit DKIM selector records via TXT records, which are automatically rotated every 120 days. Follow the steps below to enable this feature.

New Sending Domains

When adding a new domain, you will have the option to use Automatic Sender Security under the Advanced settings section:

Once you click on Add domain, you will be taken to the DNS Records page in the Mailgun application where you will see the DNS records you will need to copy and paste into your DNS provider's application. Once this is done, click on the Verify button on the top right hand corner of the DNS records page in the Mailgun application and we will verify the records and activate the domain. Please note that this can take some time, depending on your DNS settings (usually 5 minutes or less, but can be as long as 24 hours).

Existing Sending Domains

If you have an existing sending domain already utilizing DKIM via a TXT record and want to switch to using Automatic Sender Security, you can do so from the DNS records page in the Mailgun application using the Actions dropdown in the upper right hand corner of the Sending records section and choose Turn on automatic sender security and then follow the prompts and steps outlined above to enter the proper records at your DNS provider. Keep in mind that we will continue using the existing DKIM record via TXT until the proper CNAME records are in place and have been verified.

Manual Rotation

Alternatively, you can opt to manually rotate your DKIM keys on your own schedule. Mailgun allows for signing messages with up to 3 DKIM keys. If multiple active keys are present on a sending domain, we use a round-robin method for determining which key is used to send the message.

Follow these steps to add additional keys, rotate, or upgrade your keys from 1024 bit to 2048 bit:

1) Head to the Domain Settings page for your sending domain using the left nav menu, and then click on the DNS records tab.

2) Under the DKIM section, click on the Create new DKIM button on the right hand side of the DKIM table. A New DKIM key modal will pop up:

There are 2 methods for adding a new DKIM key. You can choose to allow Mailgun to generate the DKIM key (most users will choose this method), or you can import an existing key via a valid PEM file (advanced users may choose this method). In either case you'll want to choose a unique selector (must be unique to the sending domain). In the case of allowing Mailgun to generate a DKIM key, you can choose the DKIM key length, either 1024 bit or 2048 bit. 2048 bit is more secure, but can be a bit more complicated to setup as the record length is much longer, and DNS providers require you to split the record into 2 parts.

3) Once you have made your selections, click on Create

4) You will see your new DKIM key listed under the DKIM section of the DNS records page, and it will be in an Unverified status. You will need to copy the key value (click the copy icon for the record under the Enter this value column) and add this as TXT record content for the hostname wherever you manage your DNS. Keep in mind that DNS providers differ in how they want you to enter this information, especially when choosing a 2048 bit key.

5) Once your TXT record is added to your DNS provider, you'll need to verify the record and activate the key. You can either click on the Verify DNS settings button at the top of the page to verify the record and then activate via the gear icon next to the record, or you can click on the gear icon next to the record and click on Activate, which will verify the record, and if the record is verified it will activate the key, meaning Mailgun will start signing messages with this active key.

6) In the case of a key rotation or an upgrade from a 1024 bit key to a 2048 bit key, it is recommended to send a test message to yourself to verify messages are being signed with the new key (you may need to send several test messages), and then delete the old key.

Need Support?

Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!