We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

Return to Mailgun.com

How do I rotate my DKIM key?

  1. Mailgun Help Center
  2. Mailgun Help Center
  3. DNS
How do I rotate my DKIM key?

Mailgun allows for signing messages with up to 3 DKIM keys. If multiple active keys are present on a sending domain, we use a round-robin method for determining which key is used to send the message.

 

Follow these steps to add additional keys, rotate, or upgrade your keys from 1024 bit to 2048 bit:

1) Head to the Domain Settings page for your sending domain using the left nav menu, and then click on the DNS records tab.

2) Under the DKIM section, click on the Create new DKIM button on the right hand side of the DKIM table. A New DKIM key modal will pop up:

There are 2 methods for adding a new DKIM key. You can choose to allow Mailgun to generate the DKIM key (most users will choose this method), or you can import an existing key via a valid PEM file (advanced users may choose this method). In either case you'll want to choose a unique selector (must be unique to the sending domain). In the case of allowing Mailgun to generate a DKIM key, you can choose the DKIM key length, either 1024 bit or 2048 bit. 2048 bit is more secure, but can be a bit more complicated to setup as the record length is much longer, and DNS providers require you to split the record into 2 parts.

3) Once you have made your selections, click on Create

4) You will see your new DKIM key listed under the DKIM section of the DNS records page, and it will be in an Unverified status. You will need to copy the key value (click the copy icon for the record under the Enter this value column) and add this as TXT record content for the hostname wherever you manage your DNS. Keep in mind that DNS providers differ in how they want you to enter this information, especially when choosing a 2048 bit key.

5) Once your TXT record is added to your DNS provider, you'll need to verify the record and activate the key. You can either click on the Verify DNS settings button at the top of the page to verify the record and then activate via the gear icon next to the record, or you can click on the gear icon next to the record and click on Activate, which will verify the record, and if the record is verified it will activate the key, meaning Mailgun will start signing messages with this active key.

6) In the case of a key rotation or an upgrade from a 1024 bit key to a 2048 bit key, it is recommended to send a test message to yourself to verify messages are being signed with the new key (you may need to send several test messages), and then delete the old key.

Got Questions?

Mailgun by Sinch has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel.  Our Support Team will be happy to assist!

Related articles

All systems go

Mailgun seems to be fully operational with no issues.

Small outage

It appears one of our services is having difficulty.

There's a problem

It appears one of our services is having difficulty.

Documentation

Our elegant API docs answer lots of questions.

Our blog

Walkthroughs & tutorials directly from our team.

Other Helpful Resources

Try StackOverflow

Our robust community of colleagues answers plenty of questions every single day.

Submit a support ticket

If our Q&A hasn’t helped and your issue seems to be unique, submit a support ticket and we’ll help!