Rotate DKIM keys without email delivery downtime

domain: m3aawg.org · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Choose a new selector name that encodes the rotation period (for example s2026q3) so logs and headers are self-documenting; the selector appears in the DKIM-Signature header as s= and in DNS as s2026q3._domainkey.yourdomain.com.
  2. Generate a new 2048-bit RSA key pair (or Ed25519 per RFC 8463 if your signing software supports it) and publish the new public key as a TXT record under the new selector before touching any signing configuration. For RSA the record is v=DKIM1; k=rsa; p=<base64 of the DER SubjectPublicKeyInfo>, which is the body of the PEM that openssl rsa -pubout prints; for Ed25519 it is k=ed25519 with p= the base64 of the raw 32-byte public key, not a SubjectPublicKeyInfo. A single TXT string holds at most 255 octets, so a 2048-bit record must be published as several quoted strings, which verifiers concatenate.
  3. Lower the TTL on the old selector record to 300–900 seconds at least one old-TTL period (in practice several days) before the cutover if you intend to rewrite or revoke that record later; the new record can be created with a short TTL from the start. Before you switch signing, confirm that the new record resolves from several public resolvers (for example dig +short TXT s2026q3._domainkey.yourdomain.com @1.1.1.1) and do not query the new name before it is published: a cached negative answer persists for the zone's negative-caching TTL and would make early signatures fail.
  4. Switch your MTA or ESP signing configuration to the new selector, either by signing every message with both keys during the overlap (two DKIM-Signature headers, one per selector; a verifier accepts the message if any one signature validates) or by cutting over outright. Keep the old selector record published in DNS, and verify that receiving servers validate messages signed with either selector by sending to a mailbox that exposes the Authentication-Results header. Keep this dual-signing window open for at least 72 hours.
  5. After the dual-signing window, remove the old private key from your MTA. Leave the old public record in DNS for a while longer: queued retries, forwarded mail and mailing-list traffic are verified when they are finally delivered, and a missing record turns every one of those messages into a DKIM failure, which DMARC also sees. When you are sure no old-key signatures remain in transit, optionally revoke the key by replacing the record with v=DKIM1; k=rsa; p= (an empty p= tag signals revocation per RFC 6376 section 3.6.1, and verifiers treat signatures under a revoked key as a permanent failure).
  6. Rotate at minimum every six months; M3AAWG recommends quarterly rotation for organisations at scale. Coordinate with any third-party ESPs that sign on your behalf: keys delegated by CNAME are rotated on the ESP's schedule, and each sender should use its own selector so that one rotation cannot break another.
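The procedure above, as an added example that is not code from the m3aawg.org page: a small stdlib-only Python module that builds the zone records for a new selector and its later revocation, reassembles and classifies what a verifier would see in DNS, lists the selectors a message was signed with, and gates the retirement of the old private key on the last OpenDKIM log line that used it. Key generation stays in openssl (commands in the comments); the domain, selector names, sample key bytes and log lines are constructed placeholders, and lookup_record() assumes the dig CLI is installed.

```python
"""DKIM selector rotation helpers (added example; stdlib only, runs offline)."""
import base64
import datetime as dt
import re
import subprocess
from typing import Dict, List, Optional, Tuple

DOMAIN = "example.com"  # assumption: the signing domain (d= tag)


def selector_for(day: dt.date, prefix: str = "s") -> str:
    """Step 1: encode the rotation period in the selector, e.g. s2026q3."""
    return f"{prefix}{day.year}q{(day.month - 1) // 3 + 1}"


def pem_to_p(pem: str) -> str:
    """Step 2: p= is the base64 DER SubjectPublicKeyInfo (RFC 6376 s3.6.1), i.e. the
    body of what `openssl rsa -in s2026q3.key -pubout` prints without the armour.
    (`openssl genrsa -out s2026q3.key 2048` creates the private key.)"""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a PEM SubjectPublicKeyInfo block")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # catch a mangled paste before it reaches DNS
    return body


def dkim_record(selector: str, p: str, k: str = "rsa", ttl: int = 300) -> str:
    """Zone-file line for <selector>._domainkey. One TXT string holds at most 255
    octets, so the value is split into several quoted strings that verifiers
    concatenate (RFC 6376 s3.6.2.2). Step 3: the TTL defaults to 300 s."""
    value = f"v=DKIM1; k={k}; p={p}"
    strings = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey {ttl} IN TXT " + " ".join(f'"{s}"' for s in strings)


def revocation_record(selector: str, k: str = "rsa", ttl: int = 300) -> str:
    """Step 5: an empty p= tag means the key has been revoked (RFC 6376 s3.6.1)."""
    return dkim_record(selector, "", k, ttl)


def join_txt_strings(dig_output: str) -> Optional[str]:
    """Reassemble one record from `dig +short TXT` output ("str1" "str2" ...)."""
    lines = dig_output.strip().splitlines()
    if not lines:
        return None
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', lines[0]))


def parse_tags(record: str) -> Dict[str, str]:
    """Tag=value list (RFC 6376 s3.2); whitespace inside a value is not significant."""
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_state(record: Optional[str]) -> str:
    """'missing' / 'invalid' / 'revoked' / 'active', as a verifier would classify it."""
    if record is None:
        return "missing"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "invalid"
    return "active"


def lookup_record(selector: str, domain: str = DOMAIN, resolver: str = "1.1.1.1") -> Optional[str]:
    """Step 4 check: fetch the key the way a receiver does, via the dig CLI (assumed
    installed); an external resolver sidesteps a stale local cache."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", "TXT", f"{selector}._domainkey.{domain}"],
                         capture_output=True, text=True, check=True).stdout
    return join_txt_strings(out)


def signature_selectors(headers: str) -> List[Tuple[str, str]]:
    """(d, s) of every DKIM-Signature in a header block; dual-signed mail yields two."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    found = []
    for m in re.finditer(r"(?im)^DKIM-Signature:(.*)$", unfolded):
        tags = parse_tags(m.group(1))
        found.append((tags.get("d", ""), tags.get("s", "")))
    return found


OPENDKIM_RE = re.compile(r"DKIM-Signature field added \(s=([^,]+), d=([^)]+)\)")


def last_use(log_lines: List[str], selector: str) -> Optional[dt.datetime]:
    """Newest OpenDKIM 'DKIM-Signature field added' line for `selector`; lines are
    assumed to start with an RFC 3339 timestamp (syslog with ISO timestamps)."""
    latest = None
    for line in log_lines:
        m = OPENDKIM_RE.search(line)
        if m and m.group(1) == selector:
            ts = dt.datetime.fromisoformat(line.split()[0])
            latest = ts if latest is None or ts > latest else latest
    return latest


def can_retire(old_selector: str, log_lines: List[str], now: dt.datetime, window_hours: int = 72) -> bool:
    """Step 5 gate: drop the old private key only once the dual-signing window has
    elapsed since its last use. No log evidence is not evidence of disuse."""
    last = last_use(log_lines, old_selector)
    return last is not None and now - last >= dt.timedelta(hours=window_hours)


# Constructed sample data: not a real key, not real log lines.
SAMPLE_P = base64.b64encode(b"not a real SubjectPublicKeyInfo " * 12).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(SAMPLE_P[i:i + 64] for i in range(0, len(SAMPLE_P), 64))
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_LOG = [
    "2026-07-01T09:00:00+00:00 mx1 opendkim[812]: 4F2A1: DKIM-Signature field added (s=s2026q2, d=example.com)",
    "2026-07-03T09:30:00+00:00 mx1 opendkim[812]: 4F2C7: DKIM-Signature field added (s=s2026q3, d=example.com)",
]

if __name__ == "__main__":
    print(dkim_record(selector_for(dt.date(2026, 8, 1)), pem_to_p(SAMPLE_PEM)))
    print(revocation_record("s2026q2"))
```

Feed the first printed line to your zone file, and run lookup_record("s2026q3") against two or three public resolvers before changing the signer; key_state() on the result should be "active" everywhere. can_retire() deliberately returns False when a selector never appears in the supplied log window, so check older logs rather than assuming the key is unused.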

Known gotchas

Related routes

Set up Amazon SES domain identity and Easy DKIM with automatic key rotation
docs.aws.amazon.com · 6 steps · unrated
Send email through AWS SES API without landing in spam
aws-ses · 4 steps · unrated
Ship a zero-downtime rolling deploy on Kubernetes
kubernetes · 4 steps · unrated
