As with your house keys, DKIM keys should be carefully protected. Unlike house keys, though, you cannot really tell when the DKIM keys for your server have been lost or compromised and need to be replaced. Best practice is therefore to rotate the keys at least every three months.
Pick a new selector, one that you have never used before, or one you have not used in a previous rotation. I rotate DKIM monthly, so I will pick the current year and month: 201903.
rspamadm dkim_keygen -b 2048 -s 201903 -k /var/lib/rspamd/dkim/201903.key > /var/lib/rspamd/dkim/201903.txt
This will create two files: 201903.key, which contains the private key, and 201903.txt, which contains the DNS entry you should put into your zone.
2048 bits is the recommended key length, if your DNS supports entries of this size. Otherwise lower it to a minimum of 1024 bits; anything less is considered unsafe. No really, in 2015 you could crack a 512-bit RSA key for a mere $75 in 4 hours (source), so forget about that. On the other hand, take for example a 2048-bit key and see how that goes here.
Prepare the TXT record to add to DNS:
tr -d '\t\n"' < /var/lib/rspamd/dkim/201903.txt
Add the record to your DNS zone:
201903._domainkey.domain.org IN TXT "v=DKIM1; k=rsa; p=..."
Check that the new DNS record is visible and propagated:
dig @your-name-server 201903._domainkey.domain.org TXT
If you are reusing a selector, wait 24h for proper DNS propagation. Avoid web-based lookup tools while the record is still propagating: a lookup that fails early can be negatively cached, so the tool keeps reporting that the record does not exist.
When you confirm the propagation, you may continue.
Change the selector used for signing to the newly created one (the value you passed to -s):
vim /etc/rspamd/local.d/dkim_signing.conf
The ARC module uses the same configuration, so copy the file, or edit arc.conf by hand and set the selector there as well:
cp -R /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
Reload the rspamd service:
service rspamd reload
Test the new keys using Mail-tester.com or similar.
After 24h, delete the old key and the old record from your DNS zone.
As the SMTP standard says that mail servers may take up to a week before giving up on delivery, a more conservative approach is to delete the old record after 7 days.
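An added example, not code from the original post or from rspamd: a pre-flight check a rotation script can run on the 201903.txt file before the record goes into DNS. It flattens the multi-line BIND-style keygen output into one TXT value (the job the tr/sed pipeline above does) and confirms that the p= tag decodes to an RSA public key of at least 1024 bits, the floor given in the text. The DER-encoded sample key is a constructed synthetic modulus, not a real key, and the sample file layout is my assumption of what dkim_keygen writes.

```python
import base64
import re
# Constructed sample, NOT a real key: a synthetic modulus wrapped in the DER
# SubjectPublicKeyInfo that goes into p=, laid out like dkim_keygen's BIND-style output.
def _der(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
def _der_int(i):
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def make_sample_spki(modulus, exponent=65537):
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    key = _der(0x30, _der_int(modulus) + _der_int(exponent))        # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + key))               # SubjectPublicKeyInfo
def make_sample_keygen_txt(selector, modulus):
    p = "p=" + base64.b64encode(make_sample_spki(modulus)).decode()
    chunks = "\n".join(f'\t"{p[i:i + 60]}"' for i in range(0, len(p), 60))
    return f'{selector}._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n{chunks} ) ;\n'
def flatten_dkim_record(keygen_txt):
    """Same job as the tr/sed pipeline: record name plus the quoted pieces joined into one value."""
    return keygen_txt.split()[0], "".join(re.findall(r'"([^"]*)"', keygen_txt))
def parse_dkim_tags(value):
    return {k.strip(): v.strip() for k, sep, v in
            (part.partition("=") for part in value.split(";")) if sep}
def _tlv(buf, pos):  # minimal DER reader: (content start, content end) of the element at pos
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + ln
def rsa_modulus_bits(spki):
    p, _ = _tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, p = _tlv(spki, p)        # skip AlgorithmIdentifier
    p, _ = _tlv(spki, p)        # BIT STRING; its first content byte is the unused-bits count
    p, _ = _tlv(spki, p + 1)    # RSAPublicKey SEQUENCE
    s, e = _tlv(spki, p)        # INTEGER modulus n
    return int.from_bytes(spki[s:e], "big").bit_length()
def check_dkim_record(value, min_bits=1024):
    """Return the problems found; an empty list means the record is fit to publish."""
    tags, problems = parse_dkim_tags(value), []
    if tags.get("v") != "DKIM1":
        problems.append("v tag is not DKIM1")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
        if bits < min_bits:
            problems.append(f"RSA key is only {bits} bits (minimum {min_bits})")
    except (ValueError, IndexError):
        problems.append("p tag is not a parsable RSA public key")
    return problems
```

Run check_dkim_record on the flattened value of the real 201903.txt; a non-empty list means the record should not go into the zone yet.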