DKIM key rotation

From: <patpro_at_patpro.net>
Date: Wed, 30 Sep 2015 11:34:21 +0200

Hi,

Many people consider it best practice to rotate DKIM keys on a regular basis: you create/publish a new key, with a new selector, and start signing. Then after a few days, you retire the old key from DNS.
It makes sense, and I'm OK with that. I've even designed a script to rotate and clean DKIM keys on my server. Works great.

Recently I've looked into tons of mail logs. Luckily, they include the selector and domain for every successful DKIM verification. It appears that the big ones (Gmail, Facebook, Yahoo...) don't rotate DKIM keys in any visible way. Not even once in a year.

So is DKIM key rotation only for ultra-paranoid admins?

thanks,
pat
Received on Wed Sep 30 2015 - 09:34:39 PST
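
The log survey described in the message can be reproduced with a short script. This is an added example, not part of the original post: it records when each selector was first and last seen per signing domain across successful DKIM verifications. The log line layout, host name, selectors and domains are constructed assumptions; adapt the regex to what your verifier actually logs.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample lines; the "date ... verify ok s=<selector> d=<domain>"
# layout is an assumption, not the format of any particular MTA or milter.
SAMPLE_LOG = """\
2015-01-04 mx1 dkim: verify ok s=sel2014q4 d=example.org
2015-01-20 mx1 dkim: verify ok s=sel2015q1 d=example.org
2015-02-11 mx1 dkim: verify ok s=sel2015q1 d=example.org
2015-04-02 mx1 dkim: verify ok s=sel2015q2 d=example.org
2015-01-05 mx1 dkim: verify ok s=main d=example.com
2015-09-28 mx1 dkim: verify ok s=main d=example.com
2015-03-03 mx1 dkim: verify failed s=main d=example.net
"""

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) .*verify ok s=(\S+) d=(\S+)$")

def selector_timeline(lines):
    """Map domain -> {selector: (first_seen, last_seen)} for successful verifications."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # failed verifications and unrelated lines are ignored
        y, mo, d, selector, domain = m.groups()
        day = date(int(y), int(mo), int(d))
        sels = seen[domain.lower()]
        first, last = sels.get(selector, (day, day))
        sels[selector] = (min(first, day), max(last, day))
    return seen

def rotation_report(timeline):
    """Per domain: selectors ordered by first use, and the longest observed selector lifetime in days."""
    report = {}
    for domain, sels in timeline.items():
        ordered = sorted(sels, key=lambda s: sels[s][0])
        longest = max((last - first).days for first, last in sels.values())
        report[domain] = {"selectors": ordered, "longest_days": longest}
    return report

if __name__ == "__main__":
    timeline = selector_timeline(SAMPLE_LOG.splitlines())
    for domain, info in sorted(rotation_report(timeline).items()):
        print(domain, info)
```

A domain that shows a single selector with a lifetime close to the whole log window is one that did not visibly rotate during that period; several selectors with short, overlapping lifetimes match the publish-then-retire pattern described above.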
