Available on: Pro, Elite
1. What This Feature Does
DKIM Key Management generates DKIM signing keys, formats DNS records, and manages key rotation for email authentication. You create a selector with a chosen cryptographic algorithm, receive a formatted DNS TXT record containing the public key, publish it in your DNS zone, verify the publication, and optionally configure automatic rotation to maintain security over time.
Each selector stores a keypair (private key for signing, public key for DNS publication), metadata (algorithm, creation timestamp, fingerprint), and verification status. The private key remains secure on CertaDNS servers and is never displayed. The public key is encoded in the DNS record format that receiving mail servers query to validate signatures.
Automatic rotation generates new selectors at scheduled intervals, creates an overlap period for safe transition, and archives old selectors once the new key is active and verified.
2. When You Should Use It
- You send email from your own domain and need to implement DKIM signatures to improve deliverability and pass SPF/DKIM/DMARC authentication.
- You want to rotate DKIM keys periodically to reduce the impact if a private key is compromised.
- You operate a mail server (Postfix, Exim, Exchange, or a third-party SMTP service) that requires DKIM keys for outbound signing.
- You need to meet compliance or security policies that mandate cryptographic key rotation on a regular schedule.
- You want centralized key management with audit trails and automated rotation instead of manual key generation and DNS updates.
3. When You Should Not Use It
- Receiving-only domains: If your domain does not send email, DKIM is not required. Focus on SPF Flattening and DMARC Policy Wizard instead.
- Third-party email services that manage DKIM: If your email provider (e.g., Google Workspace, Microsoft 365, SendGrid) handles DKIM signing and key management, you do not need to generate your own keys. Follow the provider's instructions for enabling DKIM.
- Non-DNS zones: DKIM records are TXT records published in DNS. You must have a Managed DNS Zone under your control to publish DKIM records.
- Testing or development domains that do not send production email: Generating and rotating keys for non-production domains adds unnecessary overhead.
4. Prerequisites
- A CertaDNS account with a Pro or Elite plan. Free and Plus plans do not have access to DKIM Key Management.
- At least one Managed DNS Zone imported and verified. DKIM selectors are scoped to a zone.
- Write access to the DNS zone where the DKIM record will be published. If the zone is managed externally, you must manually copy the DNS record to your DNS provider.
- A mail server or email service configured to sign outbound messages using the private key. CertaDNS generates the keys but does not sign email directly.
5. How It Works (Brief)
When you create a selector, CertaDNS generates a cryptographic keypair using the chosen algorithm (RSA-2048, RSA-4096, RSA-1024, or Ed25519). The private key is stored securely on the server. The public key is formatted as a DNS TXT record in the standard DKIM format:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
The record is named {selector}._domainkey.{domain}. For example, if the selector is s1738828800 and the domain is example.com, the DNS record name is s1738828800._domainkey.example.com.
You publish this TXT record in your DNS zone (either manually or via CertaDNS's DNS Record Management if the zone is hosted on CertaDNS). After publication, you verify the record by running a DNS lookup. CertaDNS checks that the record exists, matches the expected version and key type, and contains the correct public key. If verification succeeds, the selector status changes from pending to active.
If automatic rotation is enabled, a daily cron job (02:00 UTC) checks each configuration's next_rotation_at timestamp. When rotation is due, the system generates a new selector, marks the old selector as rotating, and sets the new selector to pending. After a 48-hour overlap period, the new selector is verified and promoted to the default. The old selector is archived.
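As an added example (not CertaDNS code), the rotation lifecycle just described modelled in Python: the daily 02:00 UTC job, the 7-day warning email, the 48-hour overlap, and archiving of the old selector only once the replacement is active. Class and function names, the "auto" history reason, and the constructed timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

OVERLAP = timedelta(hours=48)     # fixed overlap period stated on the page
WARNING_LEAD = timedelta(days=7)  # warning email lead time stated on the page
# Constructed timestamps: configuration saved 2025-02-06 12:00 UTC; cron at 02:00 UTC.
T0 = datetime(2025, 2, 6, 12, 0, tzinfo=timezone.utc)

def cron_time(day_offset):
    """02:00 UTC on the given day after the configuration was saved."""
    return T0.replace(hour=2) + timedelta(days=day_offset)

class Selector:
    def __init__(self, name, algorithm, status="pending"):
        self.name, self.algorithm, self.status = name, algorithm, status
        self.activated_at = self.rotating_since = None

class DkimConfig:
    def __init__(self, default_selector, auto_rotate, interval_days, now):
        self.default_selector, self.pending_new = default_selector, None
        self.auto_rotate, self.interval_days = auto_rotate, interval_days
        # next_rotation_at = save time + rotation interval, as the page states
        self.next_rotation_at = now + timedelta(days=interval_days) if auto_rotate else None
        self.warning_sent, self.history = False, []  # history: (reason, old, new)

def verify_selector(sel, now):
    """Models a successful Verify DNS click: pending -> active."""
    sel.status, sel.activated_at = "active", now

def rotate(cfg, now, reason):
    """Start a rotation; reason is 'manual' for the Rotate button (the 'auto'
    label used by the cron below is an assumption). Returns the new selector."""
    cur = cfg.default_selector
    if cur.status != "active" or cfg.pending_new is not None:
        return None  # page: rotation cannot proceed unless the default is active
    new = Selector(f"s{int(now.timestamp())}", cur.algorithm)  # same algorithm
    cur.status, cur.rotating_since = "rotating", now
    cfg.pending_new = new
    cfg.history.append((reason, cur.name, new.name))
    return new

def run_daily_cron(cfg, now):
    """Models one run of the 02:00 UTC job; returns the events it produced."""
    events = []
    if cfg.auto_rotate and cfg.next_rotation_at is not None:
        if not cfg.warning_sent and now >= cfg.next_rotation_at - WARNING_LEAD:
            cfg.warning_sent = True
            events.append("warning_email")
        if now >= cfg.next_rotation_at and cfg.pending_new is None:
            new = rotate(cfg, now, "auto")
            events.append(f"rotated_to {new.name}" if new else "rotation_blocked")
    new, old = cfg.pending_new, cfg.default_selector
    # Archive the old key only once the new one is active AND the overlap elapsed
    if new and new.status == "active" and now >= old.rotating_since + OVERLAP:
        old.status = "archived"
        cfg.default_selector, cfg.pending_new = new, None
        cfg.next_rotation_at = now + timedelta(days=cfg.interval_days) if cfg.auto_rotate else None
        cfg.warning_sent = False
        events.append(f"archived {old.name}")
    return events
```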
6. How to Use It
Creating a selector
- Navigate to Dashboard > Email Auth.
- Click the DKIM tab.
- If you are on a Free or Plus plan, you will see an upgrade prompt. DKIM management requires Pro or Elite.
- In the Key Generation Form:
- Select a zone from the dropdown. Only zones you have imported and verified are listed.
- Enter a selector name. The default format is a timestamp-based name (e.g., s1738828800). You can also use a custom prefix or a YYYYMM format. Alphanumeric characters and hyphens are allowed. Maximum 63 characters.
- Choose an algorithm from the dropdown. Options:
- RSA-2048 (recommended, default): Widely supported, balances security and performance.
- RSA-4096: Higher security, larger key size, slower verification.
- RSA-1024 (legacy, not recommended): Deprecated, only for compatibility with very old systems.
- Ed25519 (modern, 256-bit elliptic curve): Fastest verification, smallest key size, not yet universally supported.
- Click Generate Selector.
- The selector is created with status pending and appears in the Selector List below the form.
Publishing the DNS record
- After the selector is created, locate it in the Selector List.
- The DNS record is displayed in a code block. Example:
Name: s1738828800._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
- If the record value exceeds 255 characters, a warning appears: "This record exceeds 255 characters and must be split into multiple strings for DNS publication." CertaDNS displays the split format with each 255-character chunk on a separate line.
- Click the Copy button to copy the record to your clipboard.
- If the zone is hosted on CertaDNS, navigate to DNS Record Management and add a TXT record with the name and value shown. If the zone is hosted externally, add the record in your DNS provider's control panel.
- Wait for the DNS change to propagate. This typically takes 1-5 minutes but can be longer depending on TTL and DNS provider.
Verifying DNS publication
- In the Selector List, find the selector you just published.
- Click the Verify DNS button. A spinner appears while the verification runs.
- CertaDNS performs an asynchronous DNS lookup for {selector}._domainkey.{domain}.
- If the verification succeeds:
- The status badge changes to Active (green).
- The activated_at timestamp is set.
- The selector can now be used for signing.
- If the verification fails, an error message appears below the selector. Common errors:
- "DNS record not found" (NXDOMAIN)
- "No TXT record at this name"
- "DNS query timed out"
- "Public key does not match expected value"
- "Invalid DKIM record format"
- Fix the DNS record and retry verification.
Configuring automatic rotation
- After creating and verifying at least one selector, click Configure Rotation (or navigate to the configuration section in the UI).
- In the configuration form:
- Default Selector: Choose the selector that is currently used for signing. This is the selector your mail server references in the DKIM-Signature header.
- Signing Domain: The domain shown in the d= tag of the DKIM signature. Usually matches the zone name.
- Canonicalization: Choose header/body canonicalization (relaxed/relaxed, relaxed/simple, simple/relaxed, or simple/simple). Default: relaxed/relaxed.
- Auto-rotate: Enable or disable automatic rotation.
- Rotation Interval: Days between rotations. Range: 30-365. Default: 90.
- ADKIM: DMARC alignment mode for DKIM (strict or relaxed). Default: relaxed.
- Click Save Configuration.
- If auto-rotate is enabled, the next_rotation_at timestamp is calculated (current date + rotation interval days). A warning email is sent 7 days before the scheduled rotation.
Manually rotating a selector
- In the Selector List, locate the active selector you want to replace.
- Click Rotate (or create a new selector manually and set it as the default in the configuration).
- If using the Rotate button:
- A new selector is generated with the same algorithm as the current one.
- The old selector's status changes to rotating.
- The new selector has status pending.
- A rotation history record is created with reason manual.
- Publish the new selector's DNS record.
- Verify the new selector.
- Update your mail server configuration to use the new selector.
- After the overlap period (48 hours), the old selector is automatically archived.
Archiving a selector
- In the Selector List, click the Archive button (trash icon) for the selector you want to remove.
- Confirm the action in the dialog.
- The selector's status changes to archived. It no longer appears in the active selector list (unless you enable "Show archived" in the filter).
- Archived selectors are soft-deleted. The private key is retained for audit purposes but is no longer used for signing.
- You can delete the corresponding DNS record from your zone.
7. Inputs and Settings
Selector creation
| Field | Description | Constraints |
|---|---|---|
| Zone | The DNS zone where the DKIM record will be published. | Must be a verified zone owned by the user. Read-only dropdown. |
| Selector Name | The selector identifier used in the DKIM-Signature header and DNS record name. | Alphanumeric and hyphen. Maximum 63 characters. Must be unique per zone (excluding archived selectors). Default format: s{timestamp} or s{YYYYMM} or custom prefix. |
| Algorithm | The cryptographic algorithm for key generation. | RSA-2048 (default), RSA-4096, RSA-1024 (legacy), or Ed25519. Cannot be changed after creation. |
| Auto-publish | If enabled, the system attempts to publish the DNS record automatically (only if the zone is hosted on CertaDNS). | Optional. Default: false. |
Configuration settings
| Field | Description | Constraints |
|---|---|---|
| Default Selector | The selector currently used for signing outbound email. | Must reference an active selector in the same zone. |
| Signing Domain | The domain shown in the d= tag of the DKIM-Signature header. | Usually matches the zone name. Can be a subdomain if required. |
| Canonicalization | Header and body canonicalization algorithms. | Options: relaxed/relaxed, relaxed/simple, simple/relaxed, simple/simple. Default: relaxed/relaxed. |
| Auto-rotate | Enable or disable automatic key rotation. | Boolean. Default: false. |
| Rotation Interval | Number of days between scheduled rotations. | Range: 30-365. Default: 90. Only applicable if auto-rotate is enabled. |
| ADKIM | DMARC alignment mode for DKIM. | Options: strict, relaxed. Default: relaxed. |
8. Outputs and Results
Selector list columns
| Column | Description |
|---|---|
| Zone | The DNS zone the selector belongs to. |
| Selector Name | The selector identifier in monospace font. |
| Algorithm | RSA-2048, RSA-4096, RSA-1024, or Ed25519. |
| Status | Badge: Active (green), Pending DNS (yellow), Rotating (blue), Archived (gray). |
| DNS Record | Formatted DNS TXT record with copy button. Long records display a split warning. |
| Actions | Verify DNS (with spinner during verification), Archive (trash icon). |
DNS record format
The DNS record output follows this structure:
Name: {selector}._domainkey.{domain}
Type: TXT
Value: v=DKIM1; k={rsa|ed25519}; p={base64_public_key}; [t=flags]; [s=service]; [n=notes]
TTL: 3600
For RSA keys, the k= tag is rsa. For Ed25519 keys, the k= tag is ed25519. The p= tag contains the base64-encoded public key in DER format.
If the record value exceeds 255 characters (common for RSA-2048 and RSA-4096), the value is split into multiple quoted strings. Example:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"..."
"..."
Verification result
After clicking Verify DNS, one of the following results is displayed:
| Result | Description |
|---|---|
| Success | Status changes to Active (green). The selector is ready for use. |
| DNS record not found | NXDOMAIN error. The DNS record does not exist at the expected name. |
| No TXT record | The DNS name exists but has no TXT record. |
| DNS query timed out | The DNS server did not respond within the timeout period. |
| Public key mismatch | The public key in the DNS record does not match the expected value. |
| Invalid format | The DNS record does not follow the DKIM TXT record format (missing v=DKIM1, k=, or p= tags). |
If the DNS record contains the t=y flag (testing mode), a warning is displayed: "This DKIM record is in testing mode. Remove the t=y flag for production use."
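An added example, not CertaDNS's own code, that works through the record format, the 255-character split and the verification outcomes listed above. It uses a constructed 300-byte placeholder instead of a real public key (long enough to force a split, as RSA-2048 does); function names and the None/empty-list convention for NXDOMAIN versus "no TXT data" are assumptions.

```python
import base64

# Constructed sample key bytes (NOT a real DER public key): 300 bytes so that the
# base64 p= value, like a real RSA-2048 key, pushes the record past 255 characters.
SAMPLE_DER = bytes(range(256)) + bytes(44)
SAMPLE_P = base64.b64encode(SAMPLE_DER).decode("ascii")


def format_dkim_record(selector, domain, public_key_der, key_type="rsa", ttl=3600):
    """Build the Name / Type / Value / TTL record the dashboard displays."""
    p = base64.b64encode(public_key_der).decode("ascii")
    return {
        "name": f"{selector}._domainkey.{domain}",
        "type": "TXT",
        "value": f"v=DKIM1; k={key_type}; p={p}",
        "ttl": ttl,
    }


def split_txt_value(value, chunk=255):
    """Split a long TXT value into quoted strings of at most 255 characters."""
    return [f'"{value[i:i + chunk]}"' for i in range(0, len(value), chunk)]


def join_txt_strings(strings):
    """Concatenate the quoted strings with no separator, as a resolver does."""
    return "".join(s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s
                   for s in strings)


def parse_dkim_tags(value):
    """Turn 'v=DKIM1; k=rsa; p=...' into a dict. Split on the first '=' only,
    so base64 padding '=' at the end of p= is preserved."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def verify_dkim_record(txt_strings, expected_key_type, expected_p):
    """Classify a DNS answer using the page's verification results.
    txt_strings: None for NXDOMAIN, [] for a name with no TXT data,
    otherwise the quoted strings of the TXT answer. Returns (result, warnings)."""
    if txt_strings is None:
        return "DNS record not found", []
    if not txt_strings:
        return "No TXT record", []
    tags = parse_dkim_tags(join_txt_strings(txt_strings))
    if tags.get("v") != "DKIM1" or "k" not in tags or "p" not in tags:
        return "Invalid format", []
    if tags["k"] != expected_key_type or tags["p"] != expected_p:
        return "Public key mismatch", []
    warnings = []
    if "y" in tags.get("t", "").split(":"):  # t=y marks testing mode
        warnings.append("This DKIM record is in testing mode (t=y)")
    return "Success", warnings
```

The mismatch path also covers the bad-split case from section 10: if a control panel joins the chunks with a space, the reassembled p= value no longer equals the expected key.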
API response
The selector creation endpoint returns:
{
  "id": 123,
  "zone_id": 456,
  "selector": "s1738828800",
  "algorithm": "rsa-2048",
  "status": "pending",
  "fingerprint": "SHA256:abc123...",
  "dns_record": {
    "name": "s1738828800._domainkey.example.com",
    "type": "TXT",
    "value": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG...",
    "ttl": 3600
  },
  "created_at": "2025-02-06T12:00:00Z",
  "activated_at": null,
  "verification_error": null
}
9. How to Interpret Results
Normal
- Selector shows "Active" status (green badge). DNS verification succeeded. The public key is published and matches the expected value.
- After rotation, the new selector transitions from "Pending DNS" to "Active" once verified. The old selector moves to "Rotating" and then "Archived" after the overlap period.
- Mail servers can successfully retrieve and validate the DKIM signature using the public key in DNS.
Unexpected or worth investigating
- "Pending DNS" status persists after publishing the record: DNS propagation may still be in progress. Wait 5-10 minutes and retry verification. If the error persists, check the DNS record manually using dig {selector}._domainkey.{domain} TXT or an online DNS lookup tool.
- "Public key does not match expected value" error: The DNS record was published but contains a different public key. Verify you copied the exact record value from the CertaDNS dashboard. If the record was manually edited, regenerate the selector and re-publish.
- "Rotating" status for an extended period: The new selector has not been verified or activated. Check the new selector's DNS record and verify it. The old selector will not be archived until the new one is active.
- No selectors are active: If all selectors are archived or pending, DKIM signing will fail. Verify at least one selector and ensure it is set as the default in the configuration.
Common interpretation mistakes
- Expecting instant DNS propagation: After publishing a DNS record, external resolvers may cache the previous answer (NXDOMAIN) for up to the negative TTL (typically 300-900 seconds). Verification may fail immediately after publication but succeed after a few minutes.
- Confusing selector status with DKIM signing status: An "Active" selector means the DNS record is published and verified. It does not confirm that your mail server is successfully signing messages. Check DKIM-Signature headers in outbound email and review DMARC Reporting for validation results.
- Assuming archived selectors are deleted: Archived selectors are soft-deleted. The private key remains in the database for audit purposes. To permanently delete a selector, contact support.
10. Common Issues and Explanations
"DKIM management requires Pro plan or higher" error
DKIM Key Management is only available on Pro and Elite plans. Free and Plus users cannot create selectors or configurations. Upgrade to Pro or Elite to access this feature.
"Selector '{name}' already exists for this zone" error
Each selector name must be unique per zone (excluding archived selectors). If you previously created a selector with this name and it is still active, pending, or rotating, you must choose a different name or archive the existing selector first.
"DKIM configuration already exists for this zone" error
Only one configuration is allowed per zone per user. To change settings, update the existing configuration instead of creating a new one.
Verification fails with "DNS record not found"
The DNS record has not been published or the record name is incorrect. Verify the record name exactly matches {selector}._domainkey.{domain}. If the zone is hosted on an external DNS provider, ensure the record was added correctly. Use dig {selector}._domainkey.{domain} TXT to confirm the record exists.
Verification fails with "Public key does not match expected value"
The DNS record exists but contains a different public key than the one generated by CertaDNS. This occurs if:
- The record was manually edited and the p= tag was changed.
- The record was copied from a different selector.
- The record was split incorrectly (each 255-character chunk must be in quotes and concatenated without spaces).
Rotation did not occur on the scheduled date
Automatic rotation runs daily at 02:00 UTC. If next_rotation_at is in the past but rotation has not occurred, check:
- Auto-rotate is enabled in the configuration.
- The default selector is active (rotation cannot proceed if the current selector is pending or archived).
- System logs for errors (contact support if rotation is stuck).
Mail server does not sign messages after activating a selector
Activating a selector in CertaDNS only verifies the DNS record. Your mail server must be configured separately to sign outbound messages using the private key. CertaDNS does not provide the private key for export. If you need to sign messages, you must either:
- Use a mail server plugin or service that integrates with CertaDNS's API to retrieve signing instructions.
- Generate keys externally and use CertaDNS only for DNS record management.
"Zone not found or access denied" error
The zone you selected does not exist, was deleted, or you do not have permission to manage it. Verify the zone is listed in Managed DNS Zones and is marked as verified.
11. Limits and Constraints
| Constraint | Free | Plus | Pro | Elite |
|---|---|---|---|---|
| DKIM Key Management | No | No | Yes | Yes |
| Selectors per zone | - | - | Unlimited | Unlimited |
| Configurations per zone | - | - | 1 | 1 |
| Automatic rotation | - | - | Yes | Yes |
- Selector names: alphanumeric and hyphen only. Maximum 63 characters.
- Rotation interval: 30-365 days. Default: 90 days.
- Overlap period during rotation: 48 hours (fixed, not configurable).
- One configuration per zone per user. Multiple zones can each have their own configuration.
- Archived selectors are retained indefinitely for audit purposes. They do not count toward active selector limits.
- DNS record TTL: 3600 seconds (fixed). Cannot be customized per selector.
12. Related Features
- SPF Flattening — Another email authentication mechanism that validates sender IP addresses. DKIM and SPF work together to pass DMARC alignment.
- DMARC Reporting — Monitors DKIM pass/fail results from receiving mail servers. Use this to verify that DKIM signatures are being validated correctly.
- DMARC Policy Wizard — Guided policy enforcement using DKIM and SPF alignment data. DKIM is one of the two alignment checks DMARC performs.
- Managed DNS Zones — Required for DKIM setup. DKIM records are published as TXT records in your DNS zone.
- DNS Record Management — DKIM records are TXT records. You can manually create or edit DKIM records using this feature if you prefer not to use the DKIM Key Management interface.
13. Updates and Behavior Changes
- DKIM Key Management was introduced in version 2.4.0 as a Pro and Elite feature.
- Ed25519 algorithm support was added in version 2.5.0. Existing selectors remain on their original algorithm until manually rotated.
- Automatic rotation interval range was expanded from 60-180 days to 30-365 days in version 2.6.0 to support high-volume senders and compliance requirements.
- Volume-based recommendations (low/medium/high) were added in version 2.7.0 to guide users on appropriate rotation intervals based on email sending volume.
- Rotation warning emails (7 days before scheduled rotation) were added in version 2.8.0 to give users advance notice of upcoming key changes.