DKIM Page Guide

Complete walkthrough of the DKIM Management tab

DKIM Management

The DKIM Management page shows all DKIM selectors detected for your domain and their current health status. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, proving they have not been tampered with in transit.

Management Status

A badge at the top indicates whether DKIM management is active or inactive for this domain. Active means DMARC Busta is monitoring your DKIM selectors and will alert you to issues.

DKIM Keys Table

Lists all DKIM selectors detected from your DMARC reports and DNS records:

| Column | Description |
|---|---|
| Selector | The DKIM selector name (e.g., selector1, google, s1). Each email service uses its own selector. |
| Email Sender | The service using this key (e.g., Microsoft 365, cPanel, MailChannels). Shown as "-" if unknown. |
| DKIM Value | A preview of the TXT record published at selector._domainkey.yourdomain.com. |
| Source | How the key was discovered: managed (created by DMARC Busta), scanned (found in DNS), or DMARC reports (seen in email data). |
| Status | Active (in use), Pending (not yet published), Rotating (being replaced), External (tracked only), or Retired (no longer active). |
| Expires | Only shown when key rotation is enabled. Displays the number of days until the key expires and is automatically rotated. |

Key Management

You can perform the following actions on DKIM selectors:

  • Add DKIM Key — generate a new managed key pair and optionally publish to DNS
  • Import External Key — add a key managed by your email provider for monitoring
  • Refresh DNS — re-check DNS records for all selectors
  • Verify DNS — confirm a specific key's DNS record is published correctly
  • View — see full key details including the DNS record value
  • Delete — remove a key from the database and optionally from DNS

Key Rotation

DKIM key rotation periodically replaces your signing key with a new one. This is an opt-in feature — most domains run the same DKIM keys indefinitely without issues. You can enable it with the Automatic Key Rotation toggle.

When to use key rotation

  • After a security incident — if you suspect a private key has been compromised, rotate immediately
  • Compliance requirements — some enterprise or government policies require periodic key rotation
  • High-volume senders — organisations sending millions of emails may rotate keys to limit the exposure window if a key is compromised

When you don't need it

For most small-to-medium businesses and standard email setups, DKIM keys do not expire in any cryptographic sense. A 2048-bit RSA key is secure for years. If your email provider (cPanel, Microsoft 365, Google Workspace) manages your keys, they handle rotation on their own schedule. Enabling rotation is unnecessary in these cases and adds complexity.

How rotation works

When enabled, the rotation process follows a safe, automated lifecycle:

  1. New key generated — a fresh key is created with an alternating selector (db1 / db2)
  2. DNS propagation — the new key is published to DNS and checked until it propagates (up to 24 hours)
  3. Overlap period — both old and new keys are active in DNS simultaneously (default 48 hours), so no emails fail validation
  4. Completion — once the old key is confirmed unused in DMARC reports, it is retired and the new key takes over

If DNS propagation fails, the rotation is automatically rolled back and the old key is restored. The old key is never removed from DNS until the new key is confirmed working.

Rotation UI elements

  • Toggle — enables/disables automatic rotation for this domain
  • Expires column — shows days until each key's scheduled rotation (colour-coded: red < 7 days, orange < 30 days)
  • Rotate button — manually trigger rotation on an active key before its scheduled date
  • Progress banner — when a rotation is in progress, shows the current state and progress bar
  • Rotation History — expandable section showing all past rotations and their outcomes

DKIM Validation

DMARC Busta periodically checks that each selector's DNS record exists and contains a valid public key. If a record is missing, expired, or has syntax errors, the selector is flagged and you will be alerted. When Autopilot is active, critical DKIM issues automatically pause DMARC progression to prevent email from being rejected.
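The kind of check described above can be reproduced against any selector's TXT value. The following is an added example, not DMARC Busta's own code: the status names, the 2048-bit threshold for "weak" and the sample records (well-formed DER around a filler modulus, not real keys) are assumptions of this example.

```python
import base64

def parse_tags(txt):  # RFC 6376 tag-list: "name=value" pairs separated by ';'
    tags = {}
    for part in filter(str.strip, txt.split(";")):    # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag {part.strip()!r}")
        tags[name.strip()] = "".join(value.split())   # whitespace inside a value is ignorable
    return tags

def _tlv(buf, pos):  # read one DER header -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):  # modulus size of an RSA SubjectPublicKeyInfo, found by walking its DER
    _, start, _ = _tlv(spki, 0)                       # outer SEQUENCE
    _, _, alg_end = _tlv(spki, start)                 # AlgorithmIdentifier, skipped
    bit_tag, start, _ = _tlv(spki, alg_end)           # BIT STRING wrapping RSAPublicKey
    _, start, _ = _tlv(spki, start + 1)               # past the unused-bits byte, into the SEQUENCE
    int_tag, start, end = _tlv(spki, start)           # INTEGER modulus
    if (bit_tag, int_tag) != (0x03, 0x02) or end > len(spki):
        raise ValueError("p= is not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_record(txt):
    """Return (status, detail); txt is the selector's TXT value, or None if DNS had no record."""
    if txt is None:
        return "missing", "no TXT record for this selector"
    try:
        tags = parse_tags(txt)
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            return "syntax", "v= must be DKIM1 and p= is required"
        if not tags["p"]:
            return "revoked", "empty p= marks the key as revoked"
        if tags.get("k", "rsa") != "rsa":
            return "unchecked", f"k={tags['k']}: only RSA keys are inspected here"
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:           # bad base64 raises a ValueError subclass
        return "syntax", str(exc)
    return ("ok" if bits >= 2048 else "weak"), f"RSA {bits}-bit"   # threshold is this example's choice

def sample_record(bits):  # constructed input: valid DER framing, filler modulus, not a real key
    head = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
            2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}[bits]
    der = bytes.fromhex(head) + b"\xc3" * (bits // 8) + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
```

To run it against live DNS, pass in the concatenated strings of the TXT record at selector._domainkey.yourdomain.com, or None when the lookup returns no record.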

Monitoring

When Autopilot is enabled, DKIM selectors are continuously monitored for:

  • DNS record removal or corruption
  • Key expiration or rotation by the email service
  • DKIM pass rate drops in DMARC reports
  • New selectors appearing in report data
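The report-driven signals above (pass-rate drops, new selectors) and the rotation rule that the old key is retired only once it is unused in DMARC reports all reduce to tallying selectors in aggregate reports. The following is an added example, not DMARC Busta's own code: the report is a constructed sample in the RFC 7489 aggregate layout with metadata trimmed, and the function names and output keys are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; example.com is the monitored domain, db1 -> db2 the rotation.
REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count></row><auth_results>
  <dkim><domain>example.com</domain><selector>db2</selector><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>2</count></row><auth_results>
  <dkim><domain>example.com</domain><selector>db2</selector><result>fail</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>8</count></row><auth_results>
  <dkim><domain>example.com</domain><selector>db1</selector><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>15</count></row><auth_results>
  <dkim><domain>esp.example.net</domain><selector>s1</selector><result>pass</result></dkim>
  <dkim><domain>example.com</domain><selector>mkt</selector><result>pass</result></dkim></auth_results></record>
</feedback>"""

def selector_stats(xml_text, domain):
    """Tally message counts per DKIM selector for `domain`: {selector: {"pass": n, "fail": n}}."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    # Reports arrive from third parties: production code should use a hardened parser (e.g. defusedxml).
    for record in ET.fromstring(xml_text).iter("record"):
        count = int(record.findtext("row/count", "0"))
        for dkim in record.iterfind("auth_results/dkim"):
            if dkim.findtext("domain", "").lower() != domain:
                continue                              # signature by another domain, e.g. the ESP's own
            selector = dkim.findtext("selector") or "(not reported)"
            outcome = "pass" if dkim.findtext("result") == "pass" else "fail"
            stats[selector][outcome] += count
    return dict(stats)

def rotation_view(stats, old, new, known):
    """Summarise what the reports say about a rotation from selector `old` to `new`."""
    def total(selector):
        return sum(stats.get(selector, {}).values())
    return {
        "old_still_signing": total(old) > 0,          # retire the old key only once this is False
        "new_pass_rate": stats[new]["pass"] / total(new) if total(new) else None,
        "unknown_selectors": sorted(set(stats) - set(known)),
    }
```

On the sample, db1 still signs 8 messages, so the old key must stay in DNS, and the unrecognised selector mkt is surfaced for review.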

Management Modes

NS Delegation

Full control via a Route53-hosted DNS zone. DMARC Busta generates, publishes, rotates, and retires DKIM keys automatically.

CNAME Delegation

CNAME records point selectors to your email provider (Google, Microsoft, SendGrid). The provider manages the actual keys.

Monitor Only

DMARC Busta monitors selectors and alerts on issues, but does not modify DNS records. You manage keys in your email provider.

Tip

Most email services (Microsoft 365, Google Workspace, SendGrid, etc.) manage their own DKIM keys. DMARC Busta monitors these selectors and alerts you if keys break or go missing. You typically do not need to create DKIM keys manually unless you run your own mail server.