Fix DKIM key rollover
Problem reported by Douglas Foster - Today at 10:13 AM
Submitted
I have not rolled over my keys in a long time, because the required process scares me. Maybe the problem is lack of documentation, since the help topic for "Email Signing" is short on details. (A help content search for "DKIM" produces a list of possibilities, none of which links directly to "Email Signing".)

The apparent process, if I understand it:
  • Disable DKIM signing
  • Enable it to generate a new DKIM key pair.
  • Put the new key into DNS.
  • Wait for it to propagate far enough for SmarterMail to see the change in DNS.
  • Activate the new key
While this key is being rolled over, outbound messages are not signed. This is a problem.

If the new key is activated as soon as SmarterMail allows, some corners of the Internet may not be able to validate new messages because the key propagation has not reached their DNS provider.  This is also a problem.

We should be able to configure a second key without disabling the first one, then activate the new key hours or days later, after propagation delay has been taken into account.
J. LaDow Replied
New versions of SM allow for multiple keys.


This would allow you to add the second key, add it to DNS, validate, all while the first key is still active. Then you can remove the old key after a few days - the keys are used during delivery only - so once the destination gets all the mail, the old keys are done.
MailEnable survivor / convert --
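
An added example, not part of the thread and not SmarterMail's own code: a pre-activation check that the new selector's public key is visible and identical on every resolver sampled, which is the propagation concern raised in the original post. The resolver labels, TXT answers and key value are constructed; in practice the TXT strings would come from querying `<selector>._domainkey.<domain>` on each resolver.

```python
# Added example: constructed data, no network access.

def parse_dkim_txt(chunks):
    """Join TXT character-strings, then split the DKIM tag=value list."""
    tags = {}
    for part in "".join(chunks).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Whitespace may be folded into values such as p=; drop it.
            tags[name.strip()] = "".join(value.split())
    return tags

def selector_state(chunks, expected_p):
    """Classify one resolver's answer for the new selector."""
    if not chunks:
        return "missing"            # not propagated here yet
    tags = parse_dkim_txt(chunks)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "malformed"
    if tags["p"] == "":
        return "revoked"            # empty p= means the key was revoked
    return "ok" if tags["p"] == expected_p else "mismatch"

def ready_to_activate(answers, expected_p):
    """True only when every sampled resolver serves the expected key."""
    states = {r: selector_state(c, expected_p) for r, c in answers.items()}
    return bool(states) and all(s == "ok" for s in states.values()), states

# Constructed placeholder, not a real key.
NEW_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "CONSTRUCTED" * 3
RECORD = "v=DKIM1; k=rsa; p=" + NEW_KEY

# Constructed answers for the new selector's TXT name.
EARLY = {
    "resolver-a": [RECORD[:40], RECORD[40:]],   # long TXT split into strings
    "resolver-b": [],                           # still no answer
    "resolver-c": [RECORD],
}
LATER = {**EARLY, "resolver-b": [RECORD]}

if __name__ == "__main__":
    for label, answers in (("early", EARLY), ("later", LATER)):
        ok, states = ready_to_activate(answers, NEW_KEY)
        print(label, "activate" if ok else "wait", states)
```

A "mismatch" or "revoked" state on any resolver means the published record does not match the key the server will sign with, so activation should wait until it is corrected.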
Douglas Foster Replied
Thank you.
