Plan
Document selectors per domain, vendor and service using the provided CSV tracker.
- Assign owners
- Record TTLs
- Set renewal dates
Lifecycle management
Publish
Generate 2048-bit keys, publish via DNS and validate using dmarciq’s DKIM tester.
Example CNAME
m365-2024._domainkey.example.com CNAME selector1-example-com._domainkey.dmarciq.host
Rotate
Generate a new selector, update DNS, wait for propagation, then decommission the legacy selector after 48 hours.
Reminder: update any transport rules and third-party integrations.
Troubleshooting matrix
Selector not found
Check DNS record type (TXT vs CNAME) and ensure propagation by querying authoritative name servers.
Signature fails
Confirm the selector matches the signing service and verify canonicalisation settings (relaxed/relaxed).
Key too small
Upgrade to 2048-bit keys and update all references.
Multiple selectors confusion
Use dmarciq rotation log to track active selectors and label legacy ones for removal.
DKIM rotation checklist
- New selector published and validated.
- Legacy selector disabled after monitoring window.
- Change log updated with timestamps and approvals.
- Stakeholders notified using assurance letter template.