1. Log in to Client Admin Portal, locate your Outbound SMTP service, and choose "Sending Domains" from the Configuration menu on the left.



  2. From the table of sending domains, click the one you wish to rotate the DKIM key for:


    This will open the configuration page for that domain:



  3. To start the rotation of the DKIM Key click the link below the current DKIM  record:

    IMPORTANT: to perform a rotation, your existing key must be active and valid. If it is not, you must complete configuration and validation of the existing key before you can rotate it.

    A new section will appear at the bottom of the DKIM panel:

    Choose the key strength desired for your new key, and click the "Start new key rotation" button.


  4. The panel will update, displaying the required DNS record for the new DKIM key:


    Create the required record in your DNS, then use the "Retry DKIM check" button to validate it.

    If there is an issue with the detected record, it will be displayed under the Verified? line:

    Once your record successfully validates (1) click the "Rotate now" button (2) to complete the rotation:

    The "Next Key" sub-panel you were working in will close, your Live Key details will update to show the newly-created key, and a success banner will appear:

    The rotation is complete!

    NOTE: DO NOT DELETE DNS RECORDS FOR YOUR OLD KEY YET, if you had been recently sending mail using it. It is recommended to wait a period of time (1-7 days) before removing the DKIM TXT record for the key you just replaced from your domain's DNS. This allows any mail which was already sent and signed with that key to reach its final destination. If the DKIM key DNS record is removed while some mail is still in transit to its destination, that mail may be rejected since the DKIM signature on it cannot be validated without that DNS record.


  5. Check that your mail is being signed.  If you see this in your DKIM panel:


    you will need to click the "Turn on signing" button to enable DKIM signing of outgoing mail.

    If your mail is being signed, you will see this instead:


    indicating that your outgoing mail is being signed using the key shown.