* Esteban L.:

> Trying to figure this out with as little disruption as possible.

I suggest you do the following, in order:

* Generate new key.

* Add new key's data, using a new DKIM selector, to your DNS.

* Wait for your domain zone's DNS TTL to expire (typically 1-2 days).

* Switch to signing with the new key.

* Wait another 1-2 days, in case messages signed with the previous key
  are still in limbo somewhere (low risk of that, but still).

* Remove old key's data from DNS.

As long as you make sure to use a different DKIM selector for each key,
that should suffice for a key rollover.

-Ralph
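The rollover steps above, as an added shell example that is not from the thread or from any particular mail software: it generates the new key pair, refuses to reuse the old selector, and prints the TXT record for the new selector, splitting the value into 255-character strings as zone files require. It assumes `openssl` is installed; the selector names and example.com are constructed values.

```shell
#!/bin/sh
# Added example for a DKIM key rollover (not from the original thread).
# Assumes openssl is available; selector names below are constructed.
set -eu

# Step 1: generate a 2048-bit RSA key pair for the NEW selector. The private
# key stays on the signing host; only the public half is published in DNS.
dkim_generate_key() {
    _priv="$1"   # output path for the private key (PEM)
    _pub="$2"    # output path for the public key (PEM, SubjectPublicKeyInfo)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$_priv" 2>/dev/null
    openssl pkey -in "$_priv" -pubout -out "$_pub" 2>/dev/null
    chmod 600 "$_priv"
}

# Guard for step 2: the new selector must differ from the one still serving
# the old key, otherwise both keys cannot be published side by side.
dkim_selector_is_new() {
    [ "$1" != "$2" ]
}

# Record owner name for a selector: <selector>._domainkey.<domain>
dkim_record_name() {
    printf '%s._domainkey.%s' "$1" "$2"
}

# TXT record value: the base64 DER of the public key (PEM armour removed)
# goes into the p= tag, as RFC 6376 specifies.
dkim_txt_value() {
    _p=$(grep -v '^-----' "$1" | tr -d '\n')
    printf 'v=DKIM1; k=rsa; p=%s' "$_p"
}

# Zone-file line: a single TXT string is limited to 255 bytes, so a 2048-bit
# key must be written as several quoted strings that resolvers concatenate.
dkim_zone_line() {
    _name="$1"; _value="$2"
    _strings=$(printf '%s' "$_value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s IN TXT %s\n' "$_name" "${_strings% }"
}
```

After publishing the printed line, wait out the zone TTL before switching the signer to the new selector, then remove the old selector's record once the second waiting period has passed.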
