API Domain Key Management and Security
Email API keys allow secure access to email services and data. They enable sending emails, managing contacts, and integrating email functionalities into applications. Proper management of these keys ensures smooth operation, protects against unauthorized access, and maintains the security of sensitive information.
DKIM Security
DKIM (DomainKeys Identified Mail) key rotation is the practice of regularly updating the cryptographic keys used for signing emails to maintain security and protect against key compromise. Like a password, a DKIM key can be compromised, so best practice is to rotate it at least every 6 months, and immediately if the key is compromised.
When you set up an authenticated domain, Mailgun provides two methods for rotating your key:
- Automatic, using Mailgun's automatic Sender Security feature.
- Manual, where you rotate your DKIM keys yourself on your own schedule.
Automatic Sender Security
Mailgun's Automatic Sender Security feature simplifies email authentication by handling the technical setup and configuration automatically. This eliminates the need for manual key generation and DNS record adjustments, reducing errors and ensuring proper email authentication.
It works by adding two CNAME records to your domain's DNS settings. These records delegate DKIM management to Mailgun, allowing automated rotation of your DKIM keys on a regular schedule. This approach enhances your email security, reduces manual maintenance, and ensures your authentication remains up to date without any ongoing effort on your part.
The host or name that you will provide your DNS provider will look something like pdk1._domainkey.my.domain.com and pdk2._domainkey.my.domain.com, while the target where you point back to Mailgun will look something like pdk1._domainkey.9d876.dkim1.mailgun.com and pdk2._domainkey.9d876.dkim1.mailgun.com.
Automatic Sender Security will generate two 2048-bit DKIM selector records via TXT records, which are automatically rotated every 120 days by default. You can adjust the rotation period if you'd like. The minimum interval for rotation is 5 days.
New Sending Domains
When adding a new domain, you will have the option to use Automatic Sender Security.
Existing Sending Domains
If you have an existing sending domain already utilizing DKIM via a TXT record and want to switch to using Automatic Sender Security, this is possible from the DNS records page on the Mailgun application.
Manual DKIM Rotation
You have the option to manually rotate your DKIM keys on your own schedule. Mailgun allows for signing messages with up to 3 DKIM keys. If multiple active keys are present on a sending domain, we use a round-robin method for determining which key is used to send the message.
There are 2 methods for adding a new DKIM key. In either case you'll want to choose a unique selector (must be unique to the sending domain).
- Allow Mailgun to generate a DKIM key (Most common method)
- Import an existing key via a valid PEM file (Advanced method)
Allowing Mailgun to generate the DKIM
You can choose to allow Mailgun to generate the DKIM key (most users will choose this method). In this case, you can choose the DKIM key length, either 1024-bit or 2048-bit. 2048-bit is more secure but can be a bit more complicated to set up, as the record length is much longer and DNS providers require you to split the record into 2 parts.
In the case of a key rotation or an upgrade from a 1024 bit key to a 2048 bit key, it is recommended to send a test message to yourself to verify messages are being signed with the new key (you may need to send several test messages), and then delete the old key.
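The verification step above can be scripted. This added example (not Mailgun's code) reads the DKIM-Signature headers of saved test messages and reports which selectors signed for the domain, which matters because round-robin signing means one message may not show the new key. The selectors mg-old and mg-new, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from collections import Counter


def dkim_tags(header_value):
    """Split one DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signing_selectors(raw_messages, domain):
    """Count the selectors (s=) that signed for `domain` (d=) across messages."""
    seen = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        # A message can carry several signatures; keep only this domain's.
        for value in msg.get_all("DKIM-Signature", []):
            tags = dkim_tags(value)
            if tags.get("d", "").lower() == domain.lower() and "s" in tags:
                seen[tags["s"]] += 1
    return seen


def rotation_status(raw_messages, domain, new_selector):
    """Report whether the test messages show the new key in use."""
    seen = signing_selectors(raw_messages, domain)
    if not seen:
        return "unsigned"        # no signature for this domain at all
    if new_selector not in seen:
        return "new-not-seen"    # round-robin: send more test messages
    return "new-confirmed"       # new key is signing; old key can be deleted


def make_msg(selector, domain="my.domain.com"):
    # Constructed test message; bh= and b= are placeholders, not real signatures.
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain};\n"
        f"\ts={selector}; h=from:to:subject; bh=PLACEHOLDER;\n"
        "\tb=PLACEHOLDER\n"
        "From: sender@my.domain.com\nTo: me@example.net\n"
        "Subject: rotation test\n\nbody\n"
    )


# Hypothetical selectors: "mg-old" is being retired, "mg-new" replaces it.
SAMPLES = [make_msg("mg-old"), make_msg("mg-old"), make_msg("mg-new")]
```

The check reads only the s= and d= tags and does not verify the signature itself; whether verification passed is recorded by the receiving server in the Authentication-Results header of the delivered message.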
Learn more about DKIM key rotation
Go to our Domain Security API
Go to our Domain Keys API