Upgrading and Rotating DKIM Keys

As many of our customers know, email delivery is the core of our business. A big part of ensuring that your emails reach the inbox is email authentication, such as DKIM and SPF. A recent change at Gmail/Google now requires DKIM keys to be at least 1024 bits long. When Postmark first launched a few years ago, we started with 768-bit keys, which now results in Gmail showing DKIM as “weak” and displaying a “via” tag. Fortunately, inbox rates are not affected.

As a temporary solution, we’ve been slowly upgrading keys manually for customers. It’s been a painful and very manual process. In an effort to make it easy to upgrade your DKIM keys, we’ve created a new process that allows you to automatically generate a new (and stronger) key pair for your domains. We worked hard to make the process as easy as possible.

Generating a new key pair

If your account contains “weak” keys, you have already received an email from us with instructions on how to generate a new key pair for each domain. If not, the process is pretty easy. Here are the steps:

  1. Go to your Sender Signatures page and look for the “Weak DKIM” badge. Click on the “Setup” link.
     (Screenshot: Make sure your DKIM signature is strong on the Postmark Sender Signature page)
  2. Click on “Generate a new key” below the existing DKIM key.
     (Screenshot: Generate a new DKIM key in Postmark)
  3. Create a new subdomain host and insert the TXT value in your DNS. Note: the new key uses a different selector, so the new record is added alongside the existing one rather than replacing it.

After that, Postmark will check whether the new key is visible in DNS. Once it is, the new key becomes active and your messages are signed with the new, stronger DKIM key. The process requires no downtime and no interruption of DKIM signing.

What about newly created sender signatures?

If you created a sender signature in the last four months, there is no need to update to a stronger key: new sender signatures already get the strong 1024-bit keys. The only domains you should worry about are the ones listed as “Weak DKIM” on your Sender Signatures page.

Should I delete the old DKIM record in DNS?

DKIM keys are like any other key-based authentication credential, so we do recommend revoking old keys. Once the new key has been active for a few days, it is safe to delete the old record from DNS, or simply delete everything after “p=” in the TXT value, which publishes the old key as revoked.
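To verify the two DNS states described above (a new selector publishing a key of at least 1024 bits, and an old selector revoked by emptying p=), here is an added example that is not Postmark's code. It inspects a DKIM TXT value offline with only the Python standard library, walking the DER-encoded public key to read the RSA modulus size; the sample records it checks are constructed in the block with synthetic moduli, not real keys, but the same parser works on a real p= value copied from DNS.

```python
import base64

def _der(tag, body):  # encode one DER TLV (short- or long-form length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _der_len(buf, i):  # decode the DER length at buf[i] -> (length, content index)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def synthetic_dkim_record(bits):
    """CONSTRUCTED sample, not a real key: a DKIM TXT value whose RSA modulus is `bits` long."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    ints = _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01")  # n (sign-padded), e=65537
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))      # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))      # SubjectPublicKeyInfo
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def rsa_modulus_bits(spki):
    """Walk SPKI -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey; return modulus bit length."""
    _, i = _der_len(spki, 1)              # outer SEQUENCE
    alg_len, i = _der_len(spki, i + 1)    # AlgorithmIdentifier SEQUENCE
    i += alg_len                          # skip OID and parameters
    _, i = _der_len(spki, i + 1)          # BIT STRING
    _, i = _der_len(spki, i + 2)          # skip unused-bits byte, RSAPublicKey SEQUENCE
    n_len, i = _der_len(spki, i + 1)      # modulus INTEGER
    return int.from_bytes(spki[i:i + n_len], "big").bit_length()

def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into tags; whitespace inside a value is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def assess_dkim_record(txt, minimum_bits=1024):
    """Return (status, bits): 'revoked' for an empty p= (RFC 6376), else weak/strong by modulus size."""
    p = parse_dkim_record(txt).get("p")
    if p is None:
        return "missing", None
    if p == "":
        return "revoked", None
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("strong" if bits >= minimum_bits else "weak"), bits
```

Run `assess_dkim_record` on the TXT value of `<selector>._domainkey.<domain>` for both the new and the old selector: the new one should report `("strong", 1024)` or larger, and the old one `("revoked", None)` once you have emptied its p= tag.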

Rotate your keys quarterly

When we decided that customers needed to upgrade their keys, we could have simply generated new keys and left it at that. However, the DKIM standard recommends rotating your keys quarterly. This new process in Postmark lets you rotate keys easily with zero downtime in message signing. We didn’t want to just fix the problem; we wanted to improve the process.