DKIM selector rotation — zero‑downtime SOP
Rotate keys without breaking signatures. This SOP covers planning, publishing, switching, verifying, and retiring selectors safely.
Verify after each step
Checklist
- Publish new selector DNS (selector._domainkey.example.com) with k=/p=/t=/n= fields
- Enable co‑signing: sign with both old and new selectors
- Audit for dkim=pass on the new selector and alignment; monitor for 24–48h
- Switch traffic to new selector; keep old as fallback briefly
- Retire old selector and remove DNS after a safe window
Zero‑downtime tips
- Pre‑publish TXT 15–30 minutes before enabling signing
- Use distinct selectors per route for scoped rollback
- Set key length to 2048‑bit and rotate at least yearly
Keep a rotation calendar (at least yearly) and embed checks in CI.
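One check that could run in CI for the audit step of the checklist, as an added example that is not part of the original SOP: it reads Authentication-Results values from co-signed test messages and gates the switch on the new selector passing and aligning. The selectors s2024 and s2025, the authserv-id, and the sample headers are constructed for illustration, and alignment is simplified to a subdomain match without a public-suffix lookup.

```python
import re

# Constructed (From domain, Authentication-Results value) pairs; not real mail.
SAMPLES = [
    ("example.com", "mx.receiver.test; dkim=pass header.d=example.com header.s=s2024; "
                    "dkim=pass header.d=example.com header.s=s2025"),
    ("example.com", "mx.receiver.test; dkim=pass header.d=example.com header.s=s2024; "
                    "dkim=fail (body hash did not verify) header.d=example.com header.s=s2025"),
    ("example.com", "mx.receiver.test; dkim=pass header.d=example.com header.s=s2024"),
    ("example.com", "mx.receiver.test; dkim=pass header.d=mail.example.com header.s=s2025"),
    ("example.com", "mx.receiver.test; dkim=pass header.d=esp.test header.s=s2025"),
]

def dkim_results(auth_results):
    """Yield (result, header.* properties) for each dkim= entry in one header value."""
    for part in auth_results.split(";")[1:]:      # first part is the authserv-id
        part = re.sub(r"\([^)]*\)", " ", part)    # drop parenthesised comments
        m = re.match(r"\s*dkim=(\w+)", part)
        if m:
            yield m.group(1).lower(), dict(re.findall(r"header\.(\w+)=(\S+)", part))

def aligned(signing_domain, from_domain, strict=False):
    """Relaxed mode accepts a parent/subdomain match (assumption: no PSL lookup)."""
    d, f = signing_domain.lower(), from_domain.lower()
    return d == f or (not strict and (d.endswith("." + f) or f.endswith("." + d)))

def audit(samples, new_selector):
    """Count how the new selector fared on each sampled message."""
    counts = {"pass_aligned": 0, "pass_unaligned": 0, "fail": 0, "missing": 0}
    for from_domain, ar in samples:
        hits = [(r, p) for r, p in dkim_results(ar) if p.get("s") == new_selector]
        if not hits:
            counts["missing"] += 1        # message was not co-signed with the new selector
        elif any(r == "pass" and aligned(p.get("d", ""), from_domain) for r, p in hits):
            counts["pass_aligned"] += 1
        elif any(r == "pass" for r, _ in hits):
            counts["pass_unaligned"] += 1  # signature verifies but d= does not match From
        else:
            counts["fail"] += 1
    return counts

def ready_to_switch(counts):
    """Gate for the switch step: every sampled message passed and aligned."""
    total = sum(counts.values())
    return total > 0 and counts["pass_aligned"] == total
```

A non-zero "missing" count means some route is not yet co-signing, which is the case to resolve before the old selector is retired.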