GreenArrow Documentation

Replacing DKIM Keys

This page describes how to replace DKIM keys in GreenArrow Engine.

The DKIM information on this page is specific to the GreenArrow product. If you’d like to learn more about DKIM in general, the website provides a good overview of the technology and the advantages of using it.

We recommend replacing any DKIM key that is shorter than 1024 bits. For information on how to check the length of your existing keys, and on why 1024 bits is the minimum we recommend, see the DKIM Key Length page.

You should also replace a DKIM key if you believe its private key may have been compromised, or when a DKIM key rotation schedule calls for it. For example, you might rotate your DKIM keys once a year.

The sequence to follow when replacing an existing DKIM key is:

  1. Create a new DKIM key under a new selector, but do not make it the default key for the domain yet. Using a new selector lets the old and new public keys be published side by side, which the rest of this sequence depends on. The process of creating a DKIM key is described in the Creating a New DKIM Key page.
  2. Give the new DNS record(s) created in the previous step time to propagate. 24 hours is usually plenty, but the timing depends on your DNS provider. Before moving on, confirm from a resolver outside your own network that the new selector's TXT record (selector._domainkey.yourdomain) is returned, and that the public key it carries is the one GreenArrow generated in step 1.
  3. Make the new DKIM key the default key for the domain. This process is described in the DKIM Signing for Other Domains and Selectors page.
  4. If you’re using any of the options for selecting a non-default key, check whether any of them refer to the key that is being replaced. If so, change them to select the new key; otherwise mail sent through those paths would still be signed with the old key, and would fail verification once that key is revoked.
  5. Wait seven or more days before proceeding to the next step. There are two reasons for this:
    1. Messages that were signed with the old key may still be in the mail queue on your GreenArrow Engine server; this gives them time to be delivered, bounce, or expire. In most cases the queue will have drained after 1-4 days, depending on how your GreenArrow server is configured.
    2. A receiver may validate a message's DKIM signature some time after GreenArrow has delivered it. For example, an ISP might accept incoming email and perform DKIM validation later. If the old key's public record has already been removed by then, that validation fails, so the waiting period gives it time to happen.
  6. Revoke, then delete the old DKIM key. This process is described in the Revoking and Deleting a DKIM Key page.
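The checks a practitioner would want around steps 1, 2 and 6 of this sequence, as an added example that is not GreenArrow's own code and does not use any GreenArrow command: it measures the RSA key length in a published `p=` value, confirms that the new selector's TXT record is visible at every resolver consulted and carries the expected public key, and recognises the revoked (empty `p=`) state of the old selector. Everything is standard library only. The two moduli are constructed placeholders of the right bit lengths, not real RSA keys, and the resolver answers are constructed inline so the script runs offline; the resolver addresses and `example.com`-style names are illustrative.

```python
"""DKIM replacement checks (added example, not GreenArrow code). Stdlib only.
For a live check, pass each line of
    dig +short TXT <selector>._domainkey.<domain>
through join_txt_strings() and then check_selector()."""
import base64
import re

MIN_BITS = 1024                                   # threshold this page recommends
RSA_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER for an RSA SubjectPublicKeyInfo (what the p= tag carries) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:                                         # long-form length, needed above 127 bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                               # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)

def rsa_spki_b64(n, e=65537):
    """Base64 SubjectPublicKeyInfo for modulus n, i.e. a p= value."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()

def _tlv(buf, pos=0):                             # one tag/length/value at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in a p= value (ValueError if not RSA)."""
    outer, spki, _ = _tlv(base64.b64decode(p_b64))
    alg_tag, alg, pos = _tlv(spki)
    oid_tag, oid, _ = _tlv(alg)
    bs_tag, bitstr, _ = _tlv(spki, pos)
    if (outer, alg_tag, oid_tag, oid, bs_tag) != (0x30, 0x30, 0x06, RSA_OID, 0x03):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_pub, _ = _tlv(bitstr, 1)               # skip the unused-bits octet
    _, n_bytes, _ = _tlv(rsa_pub)                 # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


# --- DKIM TXT record handling ------------------------------------------------
def join_txt_strings(dig_line):
    """dig prints long TXT records as several quoted strings; concatenate them."""
    return "".join(re.findall(r'"([^"]*)"', dig_line))

def parse_dkim_record(txt):
    """tag=value pairs; whitespace inside a value is ignored (RFC 6376 FWS)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def check_selector(txt, expected_p=None):
    """Classify one published selector record: (ok, reason)."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False, "not a DKIM1/RSA record"
    p = tags.get("p", "")
    if p == "":
        return False, "revoked (empty p=)"        # RFC 6376: empty p= means revoked
    bits = rsa_modulus_bits(p)
    if bits < MIN_BITS:
        return False, f"{bits}-bit key is below {MIN_BITS} bits; replace it"
    if expected_p is not None and p != expected_p:
        return False, "published key differs from the key the server will sign with"
    return True, f"{bits}-bit RSA key"

def propagated(answers, expected_p):
    """Step 2: every resolver asked must already return the new key."""
    return all(a is not None and check_selector(a, expected_p)[0]
               for a in answers.values())


# Constructed placeholder moduli (not real RSA keys): a 512-bit key being retired
# and its 2048-bit replacement, plus constructed answers from three resolvers
# (None = the resolver does not return the record yet).
OLD_P = rsa_spki_b64((1 << 511) | 1)
NEW_P = rsa_spki_b64((1 << 2047) | 0x10001)
NEW_RECORD = f"v=DKIM1; k=rsa; p={NEW_P}"
ANSWERS_PARTIAL = {"8.8.8.8": NEW_RECORD, "1.1.1.1": NEW_RECORD, "9.9.9.9": None}

if __name__ == "__main__":
    print("old selector:", check_selector(f"v=DKIM1; k=rsa; p={OLD_P}"))
    dig_line = f'"v=DKIM1; k=rsa; " "p={NEW_P[:40]}" "{NEW_P[40:]}"'
    print("new selector:", check_selector(join_txt_strings(dig_line), NEW_P))
    print("propagated, one resolver lagging:", propagated(ANSWERS_PARTIAL, NEW_P))
    print("old selector after revoke:", check_selector("v=DKIM1; k=rsa; p="))
```

`expected_p` is the base64 public key from the DNS record GreenArrow hands you when the key is created; comparing it against what resolvers return catches a record that was pasted into the wrong zone or truncated by a DNS provider. The `join_txt_strings` step matters for 1024-bit and larger keys, whose base64 exceeds the 255-byte limit of a single TXT string and is therefore published as several quoted strings.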