For extra security, DKIM keys should be rotated periodically to protect against the possibility of brute force attacks against a signature that is never changed.   To ensure no interruption of service, it should be possible to configure a new scope and key without activating it and without disabling the previous scope and key.    This allows time for the public key to be loaded into DNS and propagate.   After propagation is complete, the new scope can begin.

Currently, Smarter checks that the public key is in DNS before use, but it does not permit two keys to be enabled at the same time.   This means that the old key must be disabled before the new key can be configured.   During any delay between deletion of the old key and activation of a new key, outgoing messages will be sent without any signature.  Additionally, if the new key is activated before DNS propagation is complete, I think that some messages signed with the new key may fail to validate if the new key is not yet visible to the recipient system.

For organizations like mine that publish DMARC p=reject, sending a message that is not signed or signed with an unverifiable key is a problem.   This can be evaded by changing our DMARC record to p=none, and waiting for DNS propagation, before making the change.   But this is all too complicated and inconsistent the purpose of publishing DMARC p=reject.   It should be possible to replace the key without altering the verification status of our messages.