DKIM key rotation for cold email: when, why, and how often
Rotation is operational hygiene, not a security stunt. Here is the cadence that holds up under enterprise audits and Gmail postmaster scrutiny.
The DKIM key you generated when you set up the domain is fine - for now. The question is when to rotate, and how to rotate without dropping a single signed message during the swap.
Why rotate at all
Three reasons. One: a leaked private key signs a forged message that passes DKIM under your domain - instant reputation hit. Two: enterprise compliance frameworks (SOC2 CC7.2, ISO 27001 A.10.1) explicitly require periodic key rotation. Three: rotation forces you to confirm the deployment pipeline still works, which catches DNS drift before it bites.
Cadence
- Every 6 months for active production domains
- Immediately on any suspected exposure, employee offboarding, or vendor change
- Annually at minimum, even on dormant domains
- Never during the first 14 days of a new domain - that is warmup, not change-management
How to rotate without dropping mail
Use a second selector. Publish the new public key under a fresh selector (for example google2._domainkey alongside google._domainkey). Switch the signing service to the new selector. Wait 48 hours for in-flight messages to settle. Remove the old selector record. Zero downtime, zero failed signatures.
Every Inboxlee-provisioned domain rotates DKIM on a 6-month schedule using the dual-selector approach. You get a notification before the rotation. No action required.
Frequently asked
How often should I rotate my DKIM key?
Every 6 months for active production domains is the operator-grade baseline. Immediately on suspected exposure, employee offboarding, or vendor change. Annually at minimum even on dormant domains. Never during the first 14 days of a new domain - that period is warmup, not change-management.
Why do I need to rotate DKIM at all?
Three reasons: a leaked private key signs a forged message that passes DKIM under your domain (instant reputation hit), enterprise compliance frameworks like SOC2 CC7.2 and ISO 27001 A.10.1 explicitly require periodic rotation, and rotation forces you to confirm the deployment pipeline still works (which catches DNS drift before it bites).
How do I rotate DKIM without dropping any signed messages?
Use the dual-selector method. Publish the new public key under a fresh selector (e.g. google2._domainkey alongside google._domainkey). Switch the signing service to the new selector. Wait 48 hours for in-flight messages to settle. Remove the old selector record. Zero downtime, zero failed signatures.
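The dual-selector swap described in this answer and under "How to rotate without dropping mail" above, as an added example (not code from this page or from Inboxlee's provisioning): it builds the new selector's TXT record in 255-octet chunks, verifies the published record carries the new key before signing is switched, and computes when the old selector may be removed. The selector names and the 48-hour overlap come from the text; the one-hour DNS lead time and the sample key value are assumptions.

```python
"""Dual-selector DKIM rotation helper (added example, standard library only).
Selector names and the 48-hour overlap follow the article; the sample key
below is a constructed placeholder, not a real DKIM public key."""
import base64
from datetime import datetime, timedelta, timezone

OVERLAP = timedelta(hours=48)   # window for in-flight messages to settle
DNS_LEAD = timedelta(hours=1)   # assumed propagation lead before switching signing
TXT_CHUNK = 255                 # max octets per TXT <character-string>

# Constructed placeholder for the base64 DER SubjectPublicKeyInfo of the new key.
SAMPLE_P = base64.b64encode(bytes(range(256)) * 2).decode()
SWITCH_AT = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # example cut-over

def build_dkim_txt(p: str) -> list[str]:
    """TXT record for the new selector, split into 255-octet strings.
    RSA-2048 keys exceed one string; resolvers hand back several chunks."""
    record = f"v=DKIM1; k=rsa; p={p}"
    return [record[i:i + TXT_CHUNK] for i in range(0, len(record), TXT_CHUNK)]

def parse_dkim_txt(chunks: list[str]) -> dict[str, str]:
    """Join the chunks first (RFC 6376 section 3.6.2.2), then split tag=value pairs."""
    tags = {}
    for part in "".join(chunks).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop any whitespace
    return tags

def published_key_matches(chunks: list[str], expected_p: str) -> bool:
    """Pre-switch check: the selector must carry exactly the key we will sign with."""
    tags = parse_dkim_txt(chunks)
    return tags.get("v") == "DKIM1" and tags.get("p") == expected_p

def plan_rotation(old: str, new: str, switch_at: datetime) -> dict[str, datetime]:
    """Timeline of the swap: publish new, switch signing, remove old after overlap."""
    return {
        f"publish {new}._domainkey": switch_at - DNS_LEAD,
        f"sign with {new}": switch_at,
        f"remove {old}._domainkey": switch_at + OVERLAP,
    }

def safe_to_remove_old(switch_at: datetime, now: datetime) -> bool:
    """Old selector may only be deleted once the overlap window has fully elapsed."""
    return now >= switch_at + OVERLAP
```

Run `published_key_matches` against the chunks your resolver actually returns for the new selector before flipping the signer; a single missing chunk or a stale cached record is exactly the DNS drift the rotation is meant to surface.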
Does Inboxlee handle DKIM rotation automatically?
Yes. Every Inboxlee-provisioned domain rotates DKIM on a 6-month schedule using the dual-selector approach. You receive a notification before the rotation. No action required - the old selector stays live during the 48-hour overlap window so in-flight messages keep verifying.