How to know if DKIM is updated

user11 · October 17, 2022, 11:49am

I’m trying to use desec as name server for a domain. Our host also provides email services with DKIM. However sometimes the DKIM record changes.
Is there a standardized way to know when a DKIM record changes? I know the question might be vague, but I’m not sure where to look for further information.

peter · October 17, 2022, 12:18pm

Hi,

Thanks for your message, and welcome to deSEC!

What do you mean by “DKIM record changes”?

Thanks,
Peter

user11 · October 17, 2022, 6:12pm

It seems the DKIM TXT entry is managed by my current email provider and domain host. I have observed that this DKIM entry changes once in a while. I don’t know if that is to be expected? That would imply I need to update the record on desec also.

peter · October 19, 2022, 12:59pm

What do you mean by “manage the TXT entry”?

For me to be able to help you, please provide a specific example of what changes, what your current records are, and who controls which records.

Stay secure,
Peter

user11 · October 19, 2022, 1:15pm

Hi @peter ,
thank you for trying to help.
As I understand, the DKIM records are needed for email, and thus need to be coordinated/managed by the email provider.
Is there some kind of “official” protocol of how an email provider signals changes to DKIM records?
My question is not about the records themselves, as I can easily put them into desec. It’s more: how do I know my DKIM record has been changed?

peter · October 19, 2022, 4:18pm

HI user11,

I guess that depends on your email provider, so I’m afraid I can’t help you. You should ask them if they can somehow let you know when a change is due.

Alternatively, if your email provider publishes DKIM TXT records themselves, you can point to them via CNAME or DNAME records. This way, changes will immediately apply to your domain as well.

Stay secure,
Peter

user11 · October 19, 2022, 5:37pm

Hi @peter ,
Thank you, that makes sense. Will inquire with my provider.

markus · October 22, 2022, 1:21pm

I am not aware of a standard for this. My email provider solves this by delegating the record to him via CNAME. This way, they can rotate the DKIM key at any time without me having to do anything.

It looks something like this on my end:

dkim._domainkey.mydomain.tld. IN CNAME dkim.provider.tld

If your email provider does not offer a CNAME for this, I would ask them how they handle this. Maybe there is a newsletter or something similar as soon as the DKIM key changes…