
How often should I generate/rotate a new DKIM key?

We suggest you generate a new DKIM key for your sending domain within Postmark at least once every 3 months.


How do I generate a new DKIM key?

You can generate a new DKIM key either within your Postmark account or by using our API.

In the Postmark account

  1. Log in to your Postmark account.
  2. Go to the Sender Signatures tab.

    ⚠️ If you are not seeing the Sender Signatures tab at the top of your Postmark account, you may not have user access to view it – reach out to your account owner for clarification.
  3. Click the blue DNS Settings link next to the domain in question.
  4. There you can click the Generate New button under the existing DKIM key.
  5. Use the newly generated DKIM key and selector to set up a new TXT record within your DNS provider's settings.

    💡 We have some examples here on how to add DKIM records to various DNS providers, if needed. 
  6. Once added in your DNS provider settings, return to your Postmark account and click the Verify button next to your newly generated DKIM key.
  7. When it shows as verified, new messages sent through Postmark using that domain will be signed with your newly generated DKIM key. We will revoke the original DKIM key so that it’s no longer used for signing your emails.


    ⏲️ Optional: You can wait a few days before deleting the original TXT record from your domain’s DNS settings. This allows any messages that were sent using the previous DKIM key to arrive in recipient inboxes.

Via the API

  1. Use our Rotate DKIM keys endpoint to generate a new DKIM key for your domain.

    ⚠️ If you’re not sure what your domain’s domainid is, you can use our List domains endpoint to pull a list of your domains, which will include each domain's domainid.
  2. The API response will contain your new DKIM value (DKIMPendingTextValue) and selector (DKIMPendingHost).
  3. Use the newly generated DKIM value and selector to set up a new TXT record within your DNS provider's settings.

    💡 We have some examples here on how to add DKIM records to various DNS providers, if needed. 
  4. Once added in your DNS provider’s settings, you can use the Verify DKIM endpoint to check that the DKIMUpdateStatus field shows as Verified.
  5. When it returns as Verified, new messages sent through Postmark using that domain will be signed with your newly generated DKIM key and the previous key will be revoked.


    ⏲️  Optional: You can wait a few days before deleting the original TXT record in your domain’s DNS settings. This allows any messages that were sent using the previous DKIM key to arrive in recipient inboxes.
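
A pre-check you can run between adding the TXT record and verifying it, as an added example (not Postmark's own code): it compares the TXT data your DNS serves for the new selector with the value from the rotate response, joining the 255-character strings that long DKIM records are split into. The sample key is a constructed placeholder, and the `k=rsa; p=...` shape of DKIMPendingTextValue and the function names are assumptions.

```python
import re

# Constructed placeholder data: SAMPLE_P is not a real public key.
SAMPLE_P = "QUJD" * 70
# Assumed shape of DKIMPendingTextValue from the rotate response.
PENDING_VALUE = "k=rsa; p=" + SAMPLE_P
# The same record as `dig TXT` prints it once split into <=255-char strings.
DIG_RDATA = '"%s" "%s"' % (PENDING_VALUE[:255], PENDING_VALUE[255:])


def join_txt_chunks(rdata):
    """Concatenate the quoted strings of one TXT record with no separator."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()


def parse_dkim_tags(record):
    """Parse the tag=value list of a DKIM key record (RFC 6376, 3.6.1)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace is not significant in these values.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_selector(published_rdata, expected_value):
    """Classify what DNS serves for a selector against the expected value."""
    published = parse_dkim_tags(join_txt_chunks(published_rdata))
    expected = parse_dkim_tags(expected_value)
    if "p" not in published:
        return "not-a-dkim-record"
    if published["p"] == "":
        return "revoked"  # RFC 6376: an empty p= marks a revoked key
    if published["p"] != expected.get("p"):
        return "mismatch"  # stale, truncated or mistyped key
    if published.get("k", "rsa") != expected.get("k", "rsa"):
        return "mismatch"
    return "match"


if __name__ == "__main__":
    print(check_selector(DIG_RDATA, PENDING_VALUE))
```

A `mismatch` on a record you just published usually means the value was cut at 255 characters or pasted with extra characters, so fix the TXT record before running verification.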

Why should I generate a new DKIM key?

Just as you should update your login password and Postmark API Tokens periodically to ensure they are not used by a malicious actor, the same holds true for your sending domain’s DKIM key.
Like all passwords and credentials, DKIM keys can be stolen or deciphered by dastardly bad actors. Definitely not cool. If that happens, those bad actors can use your DKIM key to sign their own spammy, phishy messages. This will negatively impact your sending domain’s reputation.
By generating a new DKIM key every few months, you are protecting your domain’s security and reducing the chance that a bad actor has time to use the old one.
Should your business have any sort of security breach, across any platform, we’d recommend you generate a new DKIM key just to be safe.
If you run into any other questions, do not hesitate to reach out to our support team.
Last updated February 29th, 2024
