RECURRING | M3AAWG QUARTERLY | PER-SERVICE ISOLATION | EUR 99/MONTH

DKIM key rotation that produces audit-grade evidence rather than the manual key-shuffle most operations attempt once and then forget about.
Quarterly 2048-bit rotation, dual-selector cutover with 14-day overlap, per-service isolation, replay-attack monitoring, emergency rotation included.

The M3AAWG DKIM Key Rotation Best Common Practices document originally recommended quarterly rotation; the 2019 update revised the recommendation to every six months, citing operational burden. The MxToolbox 2026 DKIM recommended-practices guide and the SPFmonitor 2026 selector guide both document quarterly rotation as the stronger posture once the operational burden is removed by running rotation as a subscription service. The Valimail October 2025 continuous-protection report documented DKIM replay attacks as the primary residual risk after key rotation: attackers re-send captured signed messages to unintended recipients, and the original signature still validates. Quarterly rotation limits replay exposure to 90 days versus 180 days for semi-annual.

DKIM Rotation Managed Premium operates audit-grade DKIM rotation aligned with M3AAWG Best Common Practices. Quarterly rotation of 2048-bit RSA DKIM keys across all sending domains. Dual-selector cutover with 14-day overlap window so deferred messages signed under the old key still validate. Per-service selector isolation following the M3AAWG pattern: separate selectors for marketing, transactional, helpdesk, corporate mail rather than one shared key across all services. Replay-attack monitoring detecting unexpected signed-message arrival patterns. Emergency out-of-cycle rotation included if key compromise is suspected. Selector naming convention following service+date+keylen pattern for trivial readability. Audit-grade evidence packaging suitable for SOC 2 Type II or ISO 27001 surveillance. Monthly DKIM authentication report. EUR 99 per month covering up to 10 sending domains with up to 5 services per domain.

Monthly price: EUR 99
Rotation cadence: Quarterly
Key size: 2048-bit RSA
Overlap window: 14 days
per-service isolation pattern

Three operational problems that shared-key DKIM produces and how isolation fixes them.

Operations sending from multiple services typically use one shared DKIM key. The pattern has predictable operational problems that per-service isolation fixes structurally.

01

Compromise blast radius

Shared key: Compromising one service exposes all services. If a malicious actor obtains the DKIM private key from the marketing platform integration, they can sign messages appearing from any service including corporate email.

Per-service isolation: Each service has its own key pair. Compromise of marketing key affects only marketing-signed mail; corporate, transactional, and helpdesk remain unaffected.

02

Rotation coordination

Shared key: Rotation forces simultaneous reconfiguration across every service. Operational risk discourages frequent rotation; rotation gets delayed or skipped.

Per-service isolation: Each service rotates on an independent schedule: marketing on Tuesday, transactional on Wednesday, corporate on Thursday. This spreads the load and decouples the failure surfaces.

03

Diagnostic difficulty

Shared key: DMARC reports showing signature failures cannot identify which service has the problem because all services use the same selector.

Per-service isolation: DMARC reports identify the failing service by selector name. marketing._domainkey failures point at marketing platform; transactional._domainkey failures point at transactional MTA.

why this exists

The operational gap between configured DKIM and audited DKIM.

DKIM configuration is straightforward at deployment. Generate a key pair, publish the public key in DNS, configure the MTA to sign outbound messages with the private key, test signature validation, declare DKIM deployed. The configuration works correctly at the moment of deployment and continues working indefinitely without intervention. The operational gap appears later when audit, security, or compliance requirements expose the absence of ongoing key management hygiene.

The first gap is rotation. The M3AAWG Best Common Practices document recommends regular rotation (originally quarterly, updated to semi-annual in 2019), but most operations never rotate. The original DKIM key from 2019 still signs messages in 2026 because nobody scheduled the rotation, nobody owns the rotation procedure, and the rotation tooling does not exist. Auditors reviewing SOC 2 CC6.7 or ISO 27001 A.8.24 controls find that the organisation has DKIM configured but cannot demonstrate key rotation as part of cryptographic hygiene. The audit finding either downgrades the related controls or requires remediation before report issuance.

The second gap is selector strategy. Operations typically deploy one DKIM selector covering all outbound mail. The shared selector creates the compromise blast radius problem (one stolen key enables impersonation across every service), the rotation coordination problem (rotation requires synchronised reconfiguration), and the diagnostic difficulty problem (DMARC failures cannot identify the source service). The M3AAWG and SPFmonitor 2026 guides both document per-service selector isolation as the operational pattern that addresses all three. Adoption requires upfront design and ongoing management which the Premium tier provides.

The third gap is the dual-selector cutover. Rotation cannot be atomic because deferred messages remain in transit. A message sent at 14:00 signed with the old private key may not arrive at the recipient until 14:23, or may queue for hours of retry windows. If the rotation happens at 14:15 and the old public key is deleted from DNS immediately, the deferred message fails validation when it arrives. Operations that attempt manual rotation without the dual-selector practice frequently break deferred-mail validation for the rotation window. The Premium tier runs the dual-selector cutover as standard, with a 14-day overlap window covering all plausible deferred-mail scenarios.

The fourth gap is replay-attack monitoring. The Valimail October 2025 continuous-protection report and SPFmonitor 2026 guide document DKIM replay attacks as the primary residual risk after key rotation. An attacker who captures a legitimate signed message from your domain can re-send the message to other recipients later; the DKIM signature still passes because the attacker has not modified anything. The result: messages from your domain getting delivered to recipients you never intended, with the original DKIM signature still validating. Operations without replay monitoring discover replay activity only when recipients complain or when domain reputation degrades. Operations with replay monitoring detect the pattern in TLS-RPT and external monitoring data and can trigger emergency rotation before reputation damage accumulates.

The fifth gap is emergency rotation capacity. Key compromise scenarios (a team member leaves with key access, a system breach affecting key storage, a replay attack detected, an external disclosure affecting cryptographic primitives) require immediate rotation rather than waiting for the scheduled cycle. Operations without rotation tooling and procedure are not positioned to execute emergency rotation when needed. The Premium tier includes emergency rotation with a compressed timeline (1-4 hour cutover, 7-day overlap window) at no per-event surcharge, providing the operational capacity for incident response rather than requiring that it be developed under pressure.

quarterly deliverables

What runs each quarter and what arrives monthly.

01

Quarterly rotation

2048-bit RSA key generation, new selector publication in DNS, MTA reconfiguration to sign with new key, 14-day overlap window, old selector removal. Standard cadence aligned with calendar quarters.

02

Per-service selectors

Separate selectors for marketing, transactional, helpdesk, corporate mail. Selector naming convention service+date+keylen for trivial readability. Up to 5 services per domain.

03

Dual-selector cutover

Both old and new keys active in DNS during 14-day overlap window. Deferred messages signed under old key continue validating. MTA signs new messages with new key from cutover moment.

04

Replay-attack monitoring

Continuous monitoring for unexpected signed-message arrival patterns. TLS-RPT analysis. External feed monitoring. Anomaly alerts to on-call rotation.

05

Emergency rotation capacity

1-4 hour emergency cutover when key compromise is suspected. Compressed 7-day overlap. Included at no per-event surcharge. Documented incident timeline and resolution.

06

Monthly DKIM auth report

DKIM signature pass rate per ISP (Gmail, Microsoft 365, Yahoo, ProtonMail). Recent rotation events documented. Anomalies and resolutions. Trend analysis.

07

Audit-grade evidence package

Rotation event log with operator attribution and timestamps. SOC 2 CC6.7 and ISO 27001 A.8.24 control mapping. Suitable for SOC 2 Type II observation window or ISO surveillance audit.

08

Selector inventory and runbook

Current selector inventory by domain and service. Rotation calendar. Naming convention documentation. Operational runbook covering routine rotation and emergency rotation procedures.

when this fits

Operational profiles where the Premium tier pays for itself.

01

Operations preparing for SOC 2 Type II

Sustained cryptographic key rotation evidence across the 6-12 month observation window. CC6.7 (cryptography) control demonstrated through quarterly rotation cadence with audit-grade evidence.

02

Operations under ISO 27001 surveillance

Annual surveillance audits expecting ongoing cryptographic hygiene. A.8.24 (use of cryptography) control satisfied through documented rotation procedure and evidence.

03

Multi-service email operations

Operations sending from corporate email, marketing platform, transactional MTA, helpdesk, CRM with shared domain. Per-service isolation prevents cross-service compromise and simplifies diagnostics.

04

Post-incident operations

Operations recovering from key compromise event or DKIM-related security incident. Premium tier locks in the operational discipline that the incident demonstrated as needed.

05

BSI TR-03108 alignment

German federal email security standard expecting documented cryptographic key management. Premium tier provides the evidence baseline that meets BSI scrutiny.

06

Multi-domain operations

Operations running 5-10 sending domains where coordinating rotation across all domains becomes operational burden. Premium tier handles rotation across up to 10 domains as standard.

questions before you subscribe

Frequently asked.

What does DKIM Rotation Managed Premium deliver?

Monthly subscription operating audit-grade DKIM key rotation aligned with M3AAWG Best Common Practices. Quarterly rotation of 2048-bit RSA DKIM keys across all sending domains, with dual-selector cutover and 14-day overlap window. Per-service selector isolation (separate selectors for marketing, transactional, helpdesk, corporate mail). Replay-attack monitoring. Emergency out-of-cycle rotation included. Selector naming convention service+date+keylen. Audit-grade evidence packaging suitable for SOC 2 Type II or ISO 27001 surveillance. Monthly DKIM authentication report. EUR 99 per month standard tier covering up to 10 sending domains with up to 5 services per domain.

How does this differ from the basic DKIM Key Rotation service?

The basic service (EUR 29/month) handles single-domain rotation on a 90-day cadence with one shared selector. It satisfies the minimum M3AAWG recommendation for operations with simple sending profiles. The Premium tier handles multi-domain multi-service operations needing per-service selector isolation, audit-grade evidence packaging, replay-attack monitoring, and emergency rotation capacity. The Premium tier matches operations preparing for SOC 2 Type II or ISO 27001 audits. Operations with one sending stream stay on basic tier; operations with multiple sending streams benefit from Premium.

Why M3AAWG quarterly rather than every-six-months?

The M3AAWG DKIM Key Rotation Best Common Practices document originally recommended quarterly rotation; the 2019 update revised the recommendation to every six months citing operational burden. The Premium tier uses quarterly because operations doing this work as part of a subscription do not face the operational burden as a barrier. Quarterly produces twice the rotation events per year, twice the institutional practice, twice the opportunity to catch any operational issues. The shorter rotation window also limits damage if a private key is compromised. For SOC 2 Type II preparation, quarterly evidence cycles produce more credible audit posture than semi-annual.

What is the dual-selector cutover and why does it matter?

DKIM key rotation cannot be atomic because deferred messages remain in transit for hours or days after being signed. The dual-selector cutover prevents validation failures during the transition: generate new key pair with new selector, publish new public key in DNS, wait 24-48 hours for DNS propagation, switch MTA to sign with new private key, keep old public key in DNS for 14-day overlap window covering any deferred messages, only then remove old public key. The pattern matches M3AAWG section 4.2 (Key Rotation Workflow) and the SPFmonitor 2026 selector guide.

How does per-service selector isolation work?

Each service gets its own selector and key pair (google._domainkey, marketing._domainkey, transactional._domainkey, etc.). Compromise of one key affects only that service. Rotation can run on independent schedules per service, avoiding simultaneous coordination. DMARC reports identify the failing service by selector. The Premium tier deploys this pattern across up to 5 services per domain. The naming convention uses service+date+keylen (marketing-2026q3-2048._domainkey.example.com) for trivial readability.
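The convention and the diagnostic benefit above can be checked mechanically. The following is an added example, not the service's own tooling: it builds and parses selectors in the service+date+keylen form the page uses, and then attributes DKIM failures in a DMARC aggregate (RUA) report to a service purely from the selector name. The RUA XML is a hand-constructed fragment of the RFC 7489 schema, and the domain and IPs are placeholders; a selector outside the convention (for example a legacy shared `default`) is reported as `unattributed`, which is exactly the diagnostic gap the shared-key pattern leaves.

```python
"""Per-service selector naming and DMARC failure attribution by selector (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# service-YYYYqN-keylen, e.g. marketing-2026q3-2048 (the page's convention)
SELECTOR_RE = re.compile(
    r"^(?P<service>[a-z0-9]+)-(?P<year>\d{4})q(?P<quarter>[1-4])-(?P<keylen>\d{3,4})$"
)


def make_selector(service, year, month, keylen=2048):
    """Build a selector following the service+date+keylen convention."""
    quarter = (month - 1) // 3 + 1
    return f"{service}-{year}q{quarter}-{keylen}"


def parse_selector(selector):
    """Recover service, quarter and key length from a selector name.

    Raises ValueError for names outside the convention (a legacy shared
    'default' selector, for instance), so callers can report them separately.
    """
    m = SELECTOR_RE.match(selector)
    if not m:
        raise ValueError(f"selector {selector!r} does not follow service-YYYYqN-keylen")
    return {
        "service": m["service"],
        "year": int(m["year"]),
        "quarter": int(m["quarter"]),
        "keylen": int(m["keylen"]),
    }


def dns_name(selector, domain):
    """Fully qualified TXT record name the public key is published under."""
    return f"{selector}._domainkey.{domain}"


# Constructed DMARC aggregate report fragment (not real receiver data).
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim></policy_evaluated></row>
    <auth_results><dkim><domain>example.com</domain>
      <selector>marketing-2026q3-2048</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim></policy_evaluated></row>
    <auth_results><dkim><domain>example.com</domain>
      <selector>transactional-2026q2-2048</selector><result>fail</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.30</source_ip><count>5</count>
      <policy_evaluated><dkim>fail</dkim></policy_evaluated></row>
    <auth_results><dkim><domain>example.com</domain>
      <selector>default</selector><result>fail</result></dkim></auth_results>
  </record>
</feedback>
"""


def dkim_failures_by_service(rua_xml):
    """Count DKIM-failing messages per service, attributed by selector prefix.

    Only auth_results/dkim entries are inspected (policy_evaluated/dkim is the
    aligned verdict, not a per-signature result). Selectors outside the naming
    convention land under 'unattributed'.
    """
    root = ET.fromstring(rua_xml)
    failures = Counter()
    for record in root.iter("record"):
        count = int(record.findtext("row/count") or 0)
        for dkim in record.findall("auth_results/dkim"):
            if dkim.findtext("result") != "fail":
                continue
            try:
                service = parse_selector(dkim.findtext("selector") or "")["service"]
            except ValueError:
                service = "unattributed"
            failures[service] += count
    return dict(failures)


if __name__ == "__main__":
    print(make_selector("marketing", 2026, 8))            # marketing-2026q3-2048
    print(dkim_failures_by_service(SAMPLE_RUA))            # {'transactional': 37, 'unattributed': 5}
```

Run against real RUA files, the same tally turns "37 DKIM failures on example.com" into "37 failures from the transactional MTA, still signing with last quarter's selector", which is the question an on-call engineer actually needs answered.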

What is the replay-attack monitoring?

DKIM replay attacks abuse the fact that a properly signed DKIM message remains valid wherever it appears. An attacker who captures a legitimate signed message from your domain can re-send the message to other recipients later, and the signature still passes because the attacker has not modified anything. The Valimail October 2025 report and SPFmonitor 2026 guide both document replay attacks as the primary residual risk after key rotation. The Premium tier monitors for replay patterns through TLS-RPT analysis and external feed monitoring; replay detection triggers investigation and may trigger emergency rotation if the pattern indicates active abuse.
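The detection logic the monitoring rests on can be shown concretely. This is an added example, not the service's monitoring code: it assumes two inputs an operator already has, the outbound MTA log (an identifier for each message's DKIM `b=` signature value, its send time and the recipient domains it was addressed to) and a feed of inbound observations from receivers (signature identifier, receiving domain, time). Because the `b=` value is unique per signed message, a replay shows up as the same signature arriving at domains the sender never addressed, or being seen far more often than the message had recipients. All records below are hand-constructed.

```python
"""DKIM replay-pattern detection over constructed monitoring data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class OutboundRecord:
    sig_id: str          # identifier derived from the DKIM b= tag (unique per signed message)
    sent_at: datetime
    intended: frozenset  # recipient domains the sender actually addressed


@dataclass
class Observation:
    sig_id: str
    seen_at: datetime
    rcpt_domain: str     # domain that reported receiving the signed message


@dataclass
class ReplayFinding:
    sig_id: str
    unexpected_domains: list
    observed: int        # how many times the signature was seen
    expected: int        # how many recipient domains it was addressed to
    max_lag_hours: float # latest observation relative to the original send


def detect_replay(outbound, observations, volume_factor=5, min_unexpected=1):
    """Flag signatures seen at unaddressed recipient domains, or seen far more
    often than the number of recipients the message was addressed to.

    Lateness alone is deliberately not a trigger: a deferred message reaching an
    intended recipient days later is the case the 14-day overlap exists for.
    """
    by_sig = {o.sig_id: o for o in outbound}
    stats = {}  # sig_id -> [unexpected domains, observed count, max lag]
    for obs in observations:
        orig = by_sig.get(obs.sig_id)
        if orig is None:
            continue  # not in our outbound log; production code would log this separately
        st = stats.setdefault(obs.sig_id, [set(), 0, timedelta(0)])
        if obs.rcpt_domain not in orig.intended:
            st[0].add(obs.rcpt_domain)
        st[1] += 1
        st[2] = max(st[2], obs.seen_at - orig.sent_at)
    findings = []
    for sig_id, (unexpected, observed, lag) in stats.items():
        expected = len(by_sig[sig_id].intended)
        if len(unexpected) >= min_unexpected or observed > expected * volume_factor:
            findings.append(ReplayFinding(sig_id, sorted(unexpected), observed,
                                          expected, lag / timedelta(hours=1)))
    return sorted(findings, key=lambda f: f.sig_id)


# Constructed sample: two ordinary deliveries and one signature replayed to six domains.
T0 = datetime(2026, 3, 2, 14, 0)
OUTBOUND = [
    OutboundRecord("b=aa11", T0, frozenset({"gmail.com"})),
    OutboundRecord("b=bb22", T0, frozenset({"outlook.com", "yahoo.com"})),
    OutboundRecord("b=cc33", T0, frozenset({"partner.example"})),
]
OBSERVATIONS = [
    Observation("b=aa11", T0 + timedelta(minutes=1), "gmail.com"),     # normal delivery
    Observation("b=bb22", T0 + timedelta(hours=6), "outlook.com"),     # deferred, but intended
    Observation("b=bb22", T0 + timedelta(minutes=2), "yahoo.com"),
    Observation("b=cc33", T0 + timedelta(minutes=1), "partner.example"),
] + [
    Observation("b=cc33", T0 + timedelta(days=3, minutes=i), d)        # replayed three days later
    for i, d in enumerate(["gmail.com", "outlook.com", "yahoo.com",
                           "gmx.net", "proton.me", "icloud.com"])
]


if __name__ == "__main__":
    for f in detect_replay(OUTBOUND, OBSERVATIONS):
        print(f)  # only b=cc33 is reported
```

Two caveats a practitioner would add: recipient-domain granularity misses a replay that stays inside one large receiving domain, which is why the volume check is the second signal; and a finding should feed the emergency-rotation trigger only after a human confirms it, since a legitimate forwarding chain can also carry a signature to domains the sender never addressed.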

When does emergency rotation get triggered?

Five triggers documented in the engagement runbook. Suspected key compromise. Team member with key access leaves the organisation. Replay-attack pattern detected via monitoring. External security disclosure affecting cryptographic primitives. Customer request for any operational reason. Emergency rotation runs compressed dual-selector cutover: new key, new selector immediately, MTA switch within 1-4 hours, retain old selector for 7-day overlap (compressed from 14-day standard), remove old selector. Emergency rotation is included in the Premium tier with no per-event surcharge.
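The scheduled cutover described in the dual-selector answer and the compressed emergency variant above are the same procedure with different timings, so one planner covers both. The code below is an added example, not the engagement runbook: it assumes a 48-hour propagation wait for scheduled rotation (the upper end of the page's 24-48 hours) and a 4-hour cutover for emergency rotation (the upper end of the page's 1-4 hours), with 14-day and 7-day overlaps respectively. The guard functions refuse to switch the MTA before the new record resolves with a non-empty key and refuse to remove the old selector before the overlap has elapsed, which are the two steps the text says manual rotations get wrong. Domain and selector names are constructed; note that an out-of-cycle rotation inside the same quarter needs a more specific date component than the quarterly convention provides, so the emergency selector in the usage below uses a full date.

```python
"""Dual-selector cutover planner for scheduled and emergency DKIM rotation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


def _ts(value):
    """Accept a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass(frozen=True)
class CutoverPlan:
    domain: str
    old_selector: str
    new_selector: str
    publish_at: datetime     # new public key published in DNS
    switch_at: datetime      # MTA starts signing with the new private key
    remove_old_at: datetime  # earliest removal of the old public key
    emergency: bool


def plan_cutover(domain, old_selector, new_selector, start, emergency=False):
    """Scheduled: publish, 48h propagation wait, switch, 14-day overlap.
    Emergency: publish, 4h cutover, 7-day overlap (assumed upper bounds of the page's windows)."""
    start = _ts(start)
    propagation = timedelta(hours=4) if emergency else timedelta(hours=48)
    overlap = timedelta(days=7) if emergency else timedelta(days=14)
    switch_at = start + propagation
    return CutoverPlan(domain, old_selector, new_selector, start, switch_at,
                       switch_at + overlap, emergency)


def parse_dkim_txt(txt):
    """Parse 'v=DKIM1; k=rsa; p=...' into a tag dict (whitespace-tolerant)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dkim_record_ok(txt):
    """A usable record declares v=DKIM1 and carries a non-empty public key in p=.
    An empty p= is the RFC 6376 revocation form, so it must not count as 'key is live'."""
    tags = parse_dkim_txt(txt)
    return tags.get("v") == "DKIM1" and bool(tags.get("p")) and tags.get("k", "rsa") == "rsa"


def may_switch_mta(plan, now, published_txt):
    """Switch only after the propagation wait and once the resolved TXT carries the new key.
    published_txt is what your resolvers return for the new selector; in practice query
    several vantage points and require all of them to agree."""
    return _ts(now) >= plan.switch_at and dkim_record_ok(published_txt)


def may_remove_old_selector(plan, now, mta_signs_with_new):
    """Removing the old key early breaks deferred mail: require the switch to be done
    and the overlap window to have elapsed."""
    return mta_signs_with_new and _ts(now) >= plan.remove_old_at


def runbook(plan):
    """Operator checklist with timestamps for the three DNS/MTA actions."""
    def fqdn(selector):
        return f"{selector}._domainkey.{plan.domain}"
    overlap_days = 7 if plan.emergency else 14
    return [
        (plan.publish_at, f"publish TXT {fqdn(plan.new_selector)}"),
        (plan.switch_at, f"switch MTA signing for {plan.domain} to selector {plan.new_selector}"),
        (plan.remove_old_at, f"remove TXT {fqdn(plan.old_selector)} ({overlap_days}-day overlap elapsed)"),
    ]


if __name__ == "__main__":
    scheduled = plan_cutover("example.com", "marketing-2026q2-2048",
                             "marketing-2026q3-2048", "2026-07-01T09:00:00")
    emergency = plan_cutover("example.com", "marketing-2026q3-2048",
                             "marketing-20260701-2048", "2026-07-01T09:00:00", emergency=True)
    for when, step in runbook(scheduled) + runbook(emergency):
        print(when.isoformat(), step)
```

The two guards are the part worth keeping even if the timestamps are managed elsewhere: every rotation event in the audit log can then carry the evidence that the new key was resolvable before the switch and that the old key outlived the overlap window, which is what CC6.7 or A.8.24 reviewers ask to see.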

What audit evidence does this produce?

Three categories of audit evidence collected monthly. Rotation event log documenting every key generation, every selector publication, every MTA reconfiguration with timestamp, operator attribution, key size, selector name. DKIM authentication signature pass rate per ISP demonstrating rotation events did not produce regressions. Monthly evidence package suitable for SOC 2 CC6.7, ISO 27001 A.8.24, and ISO 27001 A.8.13 controls. The package includes rotation calendar, completed rotations, planned future rotations, anomalies and resolutions, replay monitoring status. Operations preparing for audit get the monthly packages collated into observation window summaries on request.

Premium tier vs standard rotation: operational differences

The standard DKIM rotation managed service handles the mechanical operation of rotating keys on a scheduled cadence. The premium tier adds operational sophistication that production senders with complex configurations benefit from: per-subdomain rotation coordination, multi-tenant key management for ESP operations, integration with HSM-based key storage for organizations with cryptographic hardware requirements, audit-grade documentation of rotation events for compliance frameworks that require evidence of key management practices.

The mechanical rotation pattern is similar across both tiers: generate new keypair, publish new selector to DNS, configure MTA to sign with new selector, retain old selector for transition period, remove old selector after transition completes. The premium tier handles the rotation across operationally complex scenarios that the standard tier does not optimize for.

For operators with single-domain sending operations and standard PowerMTA or Postfix configurations, the standard tier produces equivalent operational outcomes to premium. The premium tier delivers value specifically when configuration complexity requires coordination that the standard tier handles manually rather than automatically.

The pricing differential reflects the operational sophistication: standard tier at EUR 19 monthly handles single-domain rotation quarterly; premium tier at EUR 99 monthly handles multi-domain, multi-tenant scenarios with integrated audit documentation.

HSM integration for cryptographically-sensitive operations

Hardware Security Module (HSM) integration is the premium-tier feature most often requested by customers with strong cryptographic compliance requirements. HSM storage for DKIM private keys produces several specific properties that conventional file-system storage does not: the keys never exist in plaintext outside the HSM, signing operations occur inside the HSM with only the signing inputs and outputs crossing the boundary, key extraction is cryptographically prevented even by privileged access to the HSM host.

Our HSM integration supports the major commercial HSM vendors (Thales, Utimaco, AWS CloudHSM, Azure Dedicated HSM) plus open-source alternatives (SoftHSM for testing environments). The integration is operationally transparent to the MTA: the MTA submits messages for signing to the HSM-backed signing service, the service performs signing operations inside the HSM, the MTA receives the signed message back. The operational latency is modest (typically under 5ms per signing operation) and supports production sending throughput.

The HSM integration produces audit evidence that conventional file-system key storage cannot: cryptographically-attested signing operations with HSM-side audit logs, key generation events with cryptographic attestation, key destruction events with verification, access control evidence for HSM operations. The evidence package satisfies FIPS 140-2 Level 2 and similar compliance requirements that some regulated industries impose.

For operators without specific HSM compliance requirements, the conventional file-system key storage in the standard tier produces equivalent operational outcomes with simpler operational characteristics. HSM integration adds value specifically when the compliance framework requires it or when the threat model justifies the additional protection.

Multi-tenant rotation patterns for ESP operations

ESP operations running multi-tenant infrastructure face DKIM rotation challenges that single-tenant operations do not. Each customer typically has their own sending domain with their own DKIM keypair; coordinating rotation across many customers produces operational complexity that the premium tier optimizes for.

Our multi-tenant rotation handles per-customer scheduling (customers on different rotation cadences based on their requirements), staggered rotation timing across the customer base to avoid concentrated rotation events that look anomalous to receivers, per-customer key escrow with isolated access controls preventing cross-customer key exposure, audit documentation per customer with appropriate confidentiality boundaries.

The operational pattern that works at scale: rotation events scheduled per customer based on their tier and policy, automated execution with verification, customer notification at each rotation step (new selector published, transition period started, old selector removed), exception handling when rotation fails or produces issues. The pattern produces rotation completion rates above 99% with the failures concentrated in customer-side configuration issues that operator-side automation cannot prevent.
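The staggering step of that pattern can be shown as a small scheduler. This is an added example, not the service's scheduler: it assumes each tenant is described by its domain, its last rotation date and its cadence in days, computes the next due date, and then spreads due rotations across business days so that no more than a configurable number start on any one day, never scheduling a tenant earlier than its due date. The tenant list is constructed.

```python
"""Staggered per-tenant DKIM rotation calendar (added example)."""
from datetime import date, timedelta


def next_due(last_rotated, cadence_days):
    """Next rotation date implied by the tenant's cadence."""
    return last_rotated + timedelta(days=cadence_days)


def next_business_day(d):
    """Roll Saturdays and Sundays forward to Monday (weekday() 5 and 6)."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def stagger(tenants, per_day=2, not_before=None):
    """tenants: iterable of (domain, last_rotated, cadence_days).

    Returns {domain: scheduled_date}. Tenants with earlier due dates are placed
    first; when a day is full the rotation moves to the next business day with
    capacity. A tenant is never scheduled before its own due date or before
    not_before (useful to keep a freeze window clear).
    """
    load = {}
    schedule = {}
    for domain, last, cadence in sorted(tenants, key=lambda t: next_due(t[1], t[2])):
        day = next_due(last, cadence)
        if not_before is not None and day < not_before:
            day = not_before
        day = next_business_day(day)
        while load.get(day, 0) >= per_day:
            day = next_business_day(day + timedelta(days=1))
        load[day] = load.get(day, 0) + 1
        schedule[domain] = day
    return schedule


def max_rotations_per_day(schedule):
    """Largest number of tenants sharing one start date; the value receivers would notice."""
    counts = {}
    for day in schedule.values():
        counts[day] = counts.get(day, 0) + 1
    return max(counts.values()) if counts else 0


# Constructed tenant base: five quarterly tenants all due on the same Thursday,
# plus one semi-annual tenant whose due date lands on a Saturday.
TENANTS = [
    ("a.example", date(2026, 1, 2), 90),
    ("b.example", date(2026, 1, 2), 90),
    ("c.example", date(2026, 1, 2), 90),
    ("d.example", date(2026, 1, 2), 90),
    ("e.example", date(2026, 1, 2), 90),
    ("f.example", date(2025, 12, 1), 180),
]


if __name__ == "__main__":
    for domain, day in sorted(stagger(TENANTS, per_day=2).items(), key=lambda kv: kv[1]):
        print(day.isoformat(), domain)
```

With `per_day=2` the five quarterly tenants land on Thursday, Friday and the following Monday rather than all on one day; each scheduled date then becomes the `start` of that tenant's own dual-selector cutover.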

For ESPs evaluating the premium tier, the cost amortizes across the customer base: EUR 99 monthly covers up to 50 customer domains, EUR 299 monthly covers up to 200 customer domains, larger ESP operations receive volume-based custom pricing. The per-customer cost is substantially lower than running multi-tenant rotation in-house once the customer count exceeds approximately 30-50 domains.

Premium tier onboarding and ongoing operations

Premium tier onboarding typically completes in 2-3 weeks. The phases: assessment of current DKIM configuration including selector inventory, key generation infrastructure setup, rotation schedule alignment with customer operational requirements, audit documentation framework setup, initial rotation execution with verification.

Ongoing operations follow the configured rotation schedule with minimal customer involvement. The standard cadence is quarterly rotation for high-volume sending; the premium tier supports configurable cadence per domain based on customer requirements. Customer notifications fire at each rotation step including selector publication, transition period start, old selector removal completion.

Exception handling for rotation issues happens through standard support channels. The premium tier includes dedicated incident response for rotation problems affecting customer sending operations; incidents are typically resolved within hours of identification through coordination between our team and the customer infrastructure team.

Compliance evidence and audit support

For organizations with compliance frameworks that include cryptographic key management requirements, the premium tier produces audit evidence that the standard tier does not. The evidence package includes rotation event records with cryptographic timestamps, key generation records with HSM attestation where applicable, key destruction verification, access control evidence for key management operations.

The evidence package maps to common compliance framework requirements. For SOC 2: the cryptographic key management controls fall under CC6.1 (logical access controls) and CC6.7 (data transmission); our evidence package addresses both controls with mapped documentation. For ISO 27001: the relevant Annex A controls include A.8.24 (cryptography) and A.5.16 (information transfer); our evidence covers both. For PCI DSS: Requirement 3.6 (key management) and 4.2 (cryptography in transit); our evidence addresses both with the specific control mappings auditors expect.

For organizations without specific compliance framework requirements, the premium tier still produces operational documentation that the standard tier does not. The documentation matters for incident response (knowing exactly when keys were rotated and by what process), for troubleshooting (correlating rotation events with deliverability changes), for vendor management (demonstrating the operational discipline of the key rotation process).

Customer responsibilities during rotation operations

Although the premium tier handles rotation operations as a managed service, certain customer responsibilities cannot be delegated and require coordination during each rotation event. The responsibilities below outline what customers retain.

Customer-side DNS publishing: while we handle generating new keypairs and configuring MTAs, the new DKIM DNS records must be published in the customer-controlled DNS zones. We provide the DNS record content; the customer or their DNS provider publishes it. The publishing step typically completes within hours of our notification.

Verification testing: customers should verify that mail signed with new selectors is delivering correctly during the transition period. The verification is straightforward (send test messages, examine headers to confirm new selector is signing, run through the validator on this site) but requires customer-side execution because we cannot test from inside the customer mail flow.

Communication with downstream consumers: customers operating ESP-style services may need to communicate selector changes to their own customers when the rotation affects downstream sending configuration. The communication is customer-side because we operate as infrastructure rather than as customer-facing service.

Subscribe to DKIM Rotation Managed Premium.

Subscription starts the first business day of the month after confirmation. Initial inventory and selector design completes in 5 business days. First quarterly rotation runs within 30 days of subscription start. EUR 99 per month standard tier covering up to 10 sending domains with up to 5 services per domain. Monthly billing with no minimum commitment; annual billing offers 10% discount.

Median Telegram response: 12 minutes during operating hours