fraudulent email from our domain

I don’t know what this has to do with Google. I haven’t used Gmail in a long time, so it’s hard to say how things are going there. Gmail seems to be rotating the selectors; I recently received a message from someone on Gmail, and when I look at the DKIM signature, the selectors remind me of a date without dashes. No wonder.

In general: of course DKIM (correctly, under normal circumstances) rotates regularly and keys overlap. (I’m talking about reasonable mail servers, not something done at the knee.) A recommendation that is common on the web (and which I also stand for) is to rotate selectors (and therefore DKIM keys) once a week and to have a current selector in DNSSEC, one future selector and two past selectors. It is hard to imagine that someone would want to verify DKIM 2 to 3 weeks after delivery, but DNS is usually in no hurry.

Why rotation of selectors doesn’t matter, or DKIM 101: There is a selector in a signed email. The selector is looked up in DNS (i.e., DNSSEC; otherwise the whole thing is pointless). Looking up the selector will yield the public key. The signature in the email is verified against the public key. This verifies that the SMTP server that sent the mail had access to the relevant private key. DNSSEC then guarantees that the selector itself (and the public key) is valid and not pushed by a third party (usually KSČM or DSSS).

The fact that the selector is rotating can already be guessed from the headers of the mails where there is a DKIM signature… The validity of the selector (its availability in DNS) is short enough, because the DKIM signature is verified only when the mail is delivered to the destination SMTP server and then it doesn’t matter if the selector remains available or not. It’s quite possible (and in extreme cases it really is) that there will be a separate DKIM key pair and a new selector for *every* single message sent. It’s obviously nonsense and overkill and it doesn’t make… sense, but it *could* be, purely Because We Can.

Therefore, DKIM can be rotated more often than regularly.
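The selector lookup and the weekly rotation window described in the post, as an added example that is not part of the original post. The date-style selector naming, the Monday rotation boundary, `example.org` and the sample header are assumptions made for illustration; no DNS query is performed.

```python
import re
from datetime import date, timedelta

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # values may contain '=' padding
            tags[name.strip()] = value.strip()
    return tags

def key_record_name(tags):
    """DNS name whose TXT record holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def selector_for(day):
    """Assumed naming: date of the Monday starting the rotation week, no dashes."""
    monday = day - timedelta(days=day.weekday())
    return monday.strftime("%Y%m%d")

def published_selectors(today):
    """Selectors kept in DNS under the post's scheme: two past, current, one future."""
    return [selector_for(today + timedelta(weeks=w)) for w in (-2, -1, 0, 1)]

def key_still_published(header_value, today):
    """True if the message's selector is among those DNS should serve today."""
    return parse_dkim_tags(header_value)["s"] in published_selectors(today)

# Constructed sample header; domain, selector and hash values are placeholders.
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=20240506;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER="
)

if __name__ == "__main__":
    print(key_record_name(parse_dkim_tags(SAMPLE)))
    print(published_selectors(date(2024, 5, 15)))
    # Verifiable a week after signing, no longer a month after signing.
    print(key_still_published(SAMPLE, date(2024, 5, 15)))
    print(key_still_published(SAMPLE, date(2024, 6, 5)))
```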