DKIM key has been live for years, want to rotate without bouncing a single mail
DKIM rotation is safe with two selectors live in parallel: the old one keeps signing until the new one has propagated, then you switch. No mail pause, just patience for TTL spread.
Try this first
- 1In your mail platform (M365, Google, Mailgun, Postmark) generate a second selector (e.g. selector2 or 2024) and publish the matching TXT/CNAME next to the old one.
- 2Wait 1 to 4 hours until dig +short txt selector2._domainkey.yourdomain returns the record across multiple resolvers.
- 3Switch the active selector in the mail platform to the new one. From that moment the new key signs outgoing mail.
- 4Keep the old selector live in DNS for at least 7 days, because messages already sent can still be validated by late lookups.
- 5Remove the old selector after 14 days, check DMARC reports that alignment stayed at 100 percent.
When to bring us in
If you have many senders with their own DKIM (Mailgun, SendGrid plus M365 plus marketing tool) and do not know which one signs what, we can sort the rotation.
See also
- Domain expires tomorrow and nobody saw the emailAn expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renewDisabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find itEPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.