How to know if DKIM is updated

I’m trying to use desec as name server for a domain. Our host also provides email services with DKIM. However sometimes the DKIM record changes.
Is there a standardized way to know when a DKIM record changes? I know the question might be vague, but I’m not sure where to look for further information.


Thanks for your message, and welcome to deSEC! :slight_smile:

What do you mean by “DKIM record changes”?


It seems the DKIM TXT entry is managed by my current email provider and domain host. I have observed that this DKIM entry changes once in a while. I don’t know if that is to be expected? That would imply I need to update the record on desec also.

What do you mean by “manage the TXT entry”?

For me to be able to help you, please provide a specific example of what changes, what your current records are, and who controls which records.

Stay secure,

Hi @peter ,
thank you for trying to help.
As I understand, the DKIM records are needed for email, and thus need to be coordinated/managed by the email provider.
Is there some kind of “official” protocol of how an email provider signals changes to DKIM records?
My question is not about the records themselves, as I can easily put them into desec. It’s more: how do I know my DKIM record has been changed?

HI user11,

I guess that depends on your email provider, so I’m afraid I can’t help you. You should ask them if they can somehow let you know when a change is due.

Alternatively, if your email provider publishes DKIM TXT records themselves, you can point to them via CNAME or DNAME records. This way, changes will immediately apply to your domain as well.

Stay secure,

Hi @peter ,
Thank you, that makes sense. Will inquire with my provider.

I am not aware of a standard for this. My email provider solves this by delegating the record to him via CNAME. This way, they can rotate the DKIM key at any time without me having to do anything.

It looks something like this on my end:

dkim._domainkey.mydomain.tld. IN CNAME dkim.provider.tld

If your email provider does not offer a CNAME for this, I would ask them how they handle this. Maybe there is a newsletter or something similar as soon as the DKIM key changes…