The article highlights the need for rotating DKIM (DomainKeys Identified Mail) keys, which act like passwords to ensure email authenticity. DKIM keys use a private-public key pair for digital signatures and can be compromised. It's recommended to rotate them every six months or immediately if breached.
Mailgun offers two DKIM key rotation methods: automatic and manual. Automatic rotation is part of Mailgun's Automatic Sender Security, generating new DKIM selector records every 120 days, requiring CNAME record setup with your DNS provider. This feature can be enabled during new domain setup or switched for existing domains via the DNS records page in Mailgun.
Manual rotation allows users to manage DKIM keys, supporting up to three keys per domain, with options for key generation or import. This involves creating new keys, adding them as TXT records in DNS, and verifying them. For assistance, users can contact Mailgun's Support Team through the Control Panel.
Why rotate my DKIM key?
In simple terms, you can think of your DKIM key as a password for your email messages. It's main purpose is to ensure that the data within an email is authentic and hasn't been tampered with once the sender sends the message. It does so by utilizing a private and public key pair key pair where the private key is used to generate a digital signature which is included in the message at send time, and the receiver (mailbox provider) uses the public key (hosted via a DNS TXT record) to verify the signature, and therefore the message, is authentic.
Just like a password, your DKIM key is vulnerable to compromises and best practices state that you should rotate your DKIM key at least every 6 months, and immediately if your key is compromised.
Mailgun provides two methods for rotating your key: manual and automatic using our Automatic Sender Security feature. We'll talk more about each method below.
Automatic Rotation
Mailgun's Automatic Sender Security feature makes regular rotation of your DKIM key easy. It does so by generating 2 new records that you will delegate back to Mailgun via CNAMEs. The host or name that you will provide your DNS provider will look something like pdk1._domainkey.my.domain.com and pdk2._domainkey.my.domain.com, while the target where you point back to Mailgun will look something like pdk1._domainkey.9d876.dkim1.mailgun.com and pdk2._domainkey.9d876.dkim1.mailgun.com. Automatic Sender Security then generates 2 2048 bit DKIM selector records via TXT records, which are automatically rotated every 120 days. Follow the steps below to enable this feature.
New Sending Domains
When adding a new domain, you will have the option to use Automatic Sender Security under the Advanced settings section:
Once you click on Add domain, you will be taken to the DNS Records page in the Mailgun application where you will see the DNS records you will need to copy and paste into your DNS provider's application. Once this is done, click on the "Check status" button on the top right hand corner of the DNS records page in the Mailgun application and we will verify the records and activate the domain. Please note that this can take some time, depending on your DNS settings (usually 5 minutes or less, but can be as long as 24 hours).
Existing Sending Domains
If you have an existing sending domain already utilizing DKIM via a TXT record and want to switch to using Automatic Sender Security, you can do so from the DNS records page in the Mailgun application using the Actions dropdown in the upper right hand corner of the Sending records section and choose Turn on automatic sender security and then follow the prompts and steps outlined above to enter the proper records at your DNS provider. Keep in mind that we will continue using the existing DKIM record via TXT until the proper CNAME records are in place and have been verified.
Note: When Automatic Sender Security is enabled, manually provisioned DKIM keys remain in the system and their records will still appear. Any active manual keys will be deactivated once the Automatic Sender Security CNAME records are verified. While Automatic Sender Security is enabled, manual keys cannot be activated or deactivated, but they can still be used as secondary keys by domains in your account or manually deleted if desired.
Manual Rotation
Alternatively, you can opt to manually rotate your DKIM keys on your own schedule. Mailgun allows for signing messages with up to 3 DKIM keys. Because multiple DKIM keys can exist for a domain (for example, during key rotation or when additional keys have been created), you may see several DKIM keys listed in the control panel. If multiple active keys are present on a sending domain, then for each message we randomly chose a signing key. It is recommended to maintain one active key at a time and only activate the second during transition.
Follow these steps to add additional keys, rotate, or upgrade your keys from 1024 bit to 2048 bit:
1) Head to the Domain Settings page for your sending domain using the left nav menu, and then click on the DNS records tab.
2) Under the DKIM section, click on the Create new DKIM button on the right hand side of the DKIM table. A New DKIM key modal will pop up:
There are 2 methods for adding a new DKIM key. You can choose to allow Mailgun to generate the DKIM key (most users will choose this method), or you can import an existing key via a valid PEM file (advanced users may choose this method). In either case you'll want to choose a unique selector (must be unique to the sending domain). In the case of allowing Mailgun to generate a DKIM key, you can choose the DKIM key length, either 1024 bit or 2048 bit. 2048 bit is more secure, but can be a bit more complicated to setup as the record length is much longer, and DNS providers require you to split the record into 2 parts.
3) Once you have made your selections, click on Create
4) You will see your new DKIM key listed under the DKIM section of the DNS records page, and it will be in an Unverified status. You will need to copy the key value (click the copy icon for the record under the Enter this value column) and add this as TXT record content for the hostname wherever you manage your DNS. Keep in mind that DNS providers differ in how they want you to enter this information, especially when choosing a 2048 bit key.
5) Once your TXT record is added to your DNS provider, you'll need to verify the record and activate the key. You can either click on the Check status button at the top of the page to re-verify all records and then activate via the gear icon next to the record, or you can click on the gear icon next to the record and click on Activate, which will verify the record, and if the record is verified it will activate the key, meaning Mailgun will start signing messages with this active key.
6) In the case of a key rotation or an upgrade from a 1024 bit key to a 2048 bit key, it is recommended to send a test message to yourself to verify messages are being signed with the new key (you may need to send several test messages), and then delete the old key.
Need Support?
Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!