DKIM rotation, the gentle way
Two selectors, one promotion, zero downtime. The runbook every sending platform should ship with.
Kai Lin
Staff Engineer · VoltMail · Feb 19, 2026 · 6 min read
DKIM key rotation is a chore that gets postponed because the cost of getting it wrong is real: a weekend of stuck mail and an emergency Slack thread. With two selectors and a 24-hour overlap window, it becomes routine.
The two-selector pattern
Publish two CNAME records, volt._domainkey and volt2._domainkey, both pointing at our authoritative DKIM endpoints. Only one is active at a time; the other is the warm spare.
volt._domainkey CNAME volt.domainkey.voltmail.dev
volt2._domainkey CNAME volt2.domainkey.voltmail.dev
The rotation, step by step
T+0 — Generate the new key, do not promote
We generate a new RSA-2048 key on selector volt2 and publish it to DNS. Mail is still signed by selector volt. Receivers fetch and cache the new public key — but no signed mail uses it yet.
T+24h — Promote selector volt2
After a 24-hour propagation window we flip the active selector. New mail signs with volt2; receivers already have the public key cached. Old in-flight mail signed with volt continues to verify because volt is still in DNS.
T+48h — Retire selector volt
After another 24h, no in-flight mail is signed with volt. Decommission the key on our side; the DNS record stays as a no-op for forwarders that may have cached old signatures. Next quarter, we rotate volt2 back to volt and the cycle repeats.
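The three steps above, together with the two-selector DNS layout, as an added model that is not VoltMail's code: a small Python state machine that publishes the spare selector, refuses to promote until the 24h window has passed and the published p= tag matches the local key, refuses to retire while mail signed with the old selector may still be in flight, and leaves the old TXT record in place so a forwarder re-delivering that mail still verifies. DKIM records and signature tags use the real tag syntax from RFC 6376, but the keys are opaque placeholder strings rather than RSA material, so it runs offline without a crypto library; the domain example.test and the key-id strings are assumptions.

```python
"""Two-selector DKIM rotation, modelled end to end (added example).

The DNS zone, the clock and the "public keys" are constructed stand-ins:
a real record carries a base64 RSA key in p=, here p= holds a placeholder
so the flow runs offline. Selectors follow the post (volt, volt2); the
domain and key-id strings are assumptions, not VoltMail's values.
"""
from dataclasses import dataclass, field

OVERLAP_H = 24.0          # hours a selector must stay published after its last use
DOMAIN = "example.test"   # assumed sending domain


def txt_record(pubkey: str) -> str:
    """Render the TXT value receivers expect at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k=rsa; p={pubkey}"


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DKIM TXT record or DKIM-Signature header)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


@dataclass
class Rotation:
    zone: dict = field(default_factory=dict)          # fqdn -> TXT value (constructed DNS)
    local_keys: dict = field(default_factory=dict)    # selector -> key placeholder
    published_at: dict = field(default_factory=dict)  # selector -> hour the record went live
    active: str = "volt"
    spare: str = "volt2"
    promoted_at: float = 0.0

    def fqdn(self, sel: str) -> str:
        return f"{sel}._domainkey.{DOMAIN}"

    # T+0: publish the spare selector's key; keep signing with the active one
    def stage(self, now: float, pubkey: str) -> None:
        self.local_keys[self.spare] = pubkey
        self.zone[self.fqdn(self.spare)] = txt_record(pubkey)
        self.published_at[self.spare] = now

    def dns_matches_local(self, sel: str) -> bool:
        """Pre-promotion check: the p= tag in DNS equals the key we will sign with."""
        rec = self.zone.get(self.fqdn(sel))
        return rec is not None and parse_tags(rec).get("p") == self.local_keys.get(sel)

    # T+24h: flip the active selector, only once the spare has had its window
    def promote(self, now: float) -> None:
        if now - self.published_at.get(self.spare, float("-inf")) < OVERLAP_H:
            raise RuntimeError("spare selector published less than 24h ago")
        if not self.dns_matches_local(self.spare):
            raise RuntimeError("published key does not match local key")
        self.active, self.spare = self.spare, self.active
        self.promoted_at = now

    # T+48h: drop the old private key locally; its TXT record stays as a no-op
    def retire(self, now: float) -> None:
        if now - self.promoted_at < OVERLAP_H:
            raise RuntimeError("mail signed with the old selector may still be in flight")
        self.local_keys.pop(self.spare, None)

    def sign(self, now: float, body: str) -> dict:
        """Tags a DKIM-Signature header would carry for this message (constructed)."""
        return {"d": DOMAIN, "s": self.active, "t": now,
                "key": self.local_keys[self.active], "body": body}

    def verify(self, msg: dict) -> bool:
        """Receiver side: resolve s._domainkey.d and compare the published key."""
        rec = self.zone.get(f"{msg['s']}._domainkey.{msg['d']}")
        return rec is not None and parse_tags(rec).get("p") == msg["key"]


def run_rotation() -> list:
    """Drive T+0, T+24h, T+48h; return (hour, selector, verifies) for mail sent meanwhile."""
    r = Rotation()
    r.local_keys["volt"] = "KEY-volt-2025Q4"                 # constructed placeholder
    r.zone[r.fqdn("volt")] = txt_record("KEY-volt-2025Q4")
    r.published_at["volt"] = -1000.0
    sent = []
    r.stage(0.0, "KEY-volt2-2026Q1")                         # constructed placeholder
    sent.append(r.sign(1.0, "hello"))                        # still signed with volt
    r.promote(24.0)
    sent.append(r.sign(25.0, "hello"))                       # now signed with volt2
    r.retire(48.0)                                           # volt key gone locally, record stays
    return [(m["t"], m["s"], r.verify(m)) for m in sent]


def premature_promotion_rejected() -> bool:
    """Promoting at T+1h (before the window) must fail closed."""
    r = Rotation()
    r.stage(0.0, "KEY-volt2-2026Q1")
    try:
        r.promote(1.0)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_rotation())   # [(1.0, 'volt', True), (25.0, 'volt2', True)]
```

The mail signed at T+1h with volt still verifies after volt is retired at T+48h, which is exactly the forwarder case the post relies on: retire removes the private key from the signer, never the TXT record. Swap the placeholder keys for the base64 RSA public key and the constructed zone for a real resolver lookup and dns_matches_local becomes the check to run before flipping the active selector.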
Why this beats single-selector
- No "delete + create" race window where mail can fail verification.
- Forwarders that re-deliver mail hours after the original send still verify.
- The promotion is a 200-byte DNS update, not a key generation that costs CPU on a mail server.
Auto-rotation is on by default for every Pro+ and Pro Max domain. You can also rotate on demand from the dashboard if a key is suspected of compromise — same flow, same overlap window.