What this is for
You want to replace the DKIM key AcelleMail uses to sign your mail — maybe your DNS host had a security incident, maybe you're following a compliance policy, or maybe you're just doing routine cryptographic housekeeping. This guide shows the actual path AcelleMail gives you for that.
Set expectations first. AcelleMail does not have a "Rotate key" button, a dual-signing mode, or a per-key selector picker. When you add a sending domain, AcelleMail generates one DKIM keypair and binds it to that domain permanently — there is no Edit or Update on a sending domain for exactly this reason (renaming or re-keying in place would silently break verification and signing).
So "rotating" in AcelleMail means one concrete thing: delete the domain, re-add it (which generates a brand-new key), publish the new DKIM record at your DNS host, and re-verify. That's the whole playbook. The rest of this article is how to do that with the least delivery disruption.
Before you start
- You'll need access to your DNS host (Cloudflare, Route 53, Namecheap, GoDaddy, etc.) — you'll edit one TXT record there.
- Pick a low-traffic window. There's a short gap between deleting/re-adding the domain and your new record verifying, during which fresh sends from that domain won't carry a passing DKIM signature.
- Know your domain's exact name as it appears under Sending → Sending domains (e.g. mail.brand.com).
How AcelleMail's DKIM actually works
Worth understanding before you touch anything, because it changes the steps.
- When you add a sending domain, AcelleMail generates an RSA keypair locally and stores the private key. It builds the DNS records you need to publish — including the DKIM record.
- The DKIM record AcelleMail asks you to publish is a TXT record at selector._domainkey.yourdomain.com. (CNAME-style DKIM is something only certain external sending vendors use — for a domain AcelleMail signs itself, it's a TXT record containing the public key.)
- The selector is a single value set for your whole install (it defaults to acelle). It's the same for every domain you add. That matters for rotation: because the selector stays the same, your new DKIM TXT record sits at the same host name as the old one — so re-adding replaces the public key at one address rather than creating a second parallel record.
That last point is the key insight. There's no "old key + new key both live" period in AcelleMail. You swap the public key at one DNS host name and re-verify.
Step 1 — Open Sending domains
In AcelleMail's sidebar, go to Sending → Sending domains. The page is titled Sending Domains and lists every domain you've added with a Verified / Unverified status.
This is your starting point. Note the domain you're about to rotate — you'll re-create it with the exact same name in a moment.
Step 2 — Note your current DNS records (so you can compare later)
Click the domain name in the list to open its detail page (titled Domain authentication). You'll see:
- A status badge — Verified (green) or Unverified (orange).
- A DNS records card listing each record you need to publish, grouped by purpose. For a domain AcelleMail signs itself, that's Domain identity (the ownership TXT record) and DKIM signature (the TXT record carrying the public key). An SPF record row also appears if your administrator has configured a global SPF value for the install. Each row has a Type, Host, Value, and a per-record Verified / Pending status.
Take a screenshot or copy the current DKIM signature row's Value. After you re-add the domain, you'll compare the new DKIM TXT value against this one — they should differ (that's how you know you got a fresh key).
Step 3 — Delete the domain
Back on Sending → Sending domains, select the domain's checkbox. A bulk-action bar appears with a Delete button. Click it and confirm — AcelleMail warns "Delete selected sending domains? This cannot be undone."
Deleting removes AcelleMail's record of the domain and its old private key. Your DNS records still physically exist at your host until you change them — deleting in AcelleMail doesn't touch your DNS.
Heads up: from this moment until Step 6 completes, mail you send from this domain won't sign with a valid DKIM key. Keep the window short.
Step 4 — Re-add the domain (this generates the new key)
Click Add domain. A popup appears with a single field — the domain name. Type the exact same domain you just deleted (e.g. mail.brand.com) and submit.
AcelleMail generates a fresh DKIM keypair for the domain and lands you back on the Domain authentication detail page, now showing Unverified with a fresh set of DNS records to publish.
Step 5 — Publish the new DKIM record at your DNS host
On the detail page, the DNS records card shows the records to publish. The one that changed is the DKIM signature row — same Host as before (because the selector is unchanged), but a new Value (the new public key).
At your DNS host:
- Find the existing DKIM TXT record at that host name (selector._domainkey.yourdomain.com).
- Update its value to the new value AcelleMail shows. Copy the Value field verbatim — DKIM TXT values are long and a single dropped character breaks the signature.
- Save.
Because the host name is identical, you're editing one record, not adding a second. If your DNS host won't let you edit in place, delete the old TXT and create a new one at the same name with the new value.
The card also shows the Domain identity (ownership) row, and an SPF row if your install has one configured. If AcelleMail shows a new ownership token after re-adding, update that record too; if it's unchanged, leave it.
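A pre-check for the publishing mistakes this guide warns about (a truncated paste, a stale second record, the old key still live), as an added Python example that is not AcelleMail code. It assumes the Value is a standard `v=DKIM1; k=rsa; p=...` key record and that you paste in the TXT strings your DNS host or `dig` shows; the sample keys are constructed bytes, not real keys.

```python
import base64

def txt_value(rdata):
    """Join the quoted chunks that dig and DNS panels show for long TXT data."""
    return "".join(rdata.split('"')[1::2]) if '"' in rdata else rdata.strip()

def dkim_tags(value):
    """Parse a DKIM 'tag=value; ...' list, dropping whitespace inside values."""
    tags = {}
    for part in txt_value(value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_published(expected, published, old=None):
    """Compare published TXT records with AcelleMail's Value; return problems found."""
    want = dkim_tags(expected).get("p", "")
    old_p = dkim_tags(old).get("p") if old else None
    problems = []
    if old_p == want:
        problems.append("new Value carries the old key: no fresh keypair")
    if len(published) != 1:
        problems.append(f"{len(published)} TXT records at the DKIM host, expected 1")
    for rec in published:
        got = dkim_tags(rec).get("p", "")
        if got == want:
            continue
        if got and want.startswith(got):
            problems.append(f"key truncated: {len(got)} of {len(want)} characters")
        elif got == old_p:
            problems.append("old key still published")
        else:
            problems.append("key differs from AcelleMail's Value")
    return problems

# Constructed sample data: arbitrary bytes stand in for the keys (not real keys).
OLD_P = base64.b64encode(bytes(range(200))).decode()
NEW_P = base64.b64encode(bytes(range(55, 255))).decode()
OLD = f"v=DKIM1; k=rsa; p={OLD_P}"   # the Value saved in Step 2
NEW = f"v=DKIM1; k=rsa; p={NEW_P}"   # the Value shown after Step 4
CHUNKED = f'"v=DKIM1; k=rsa; p={NEW_P[:200]}" "{NEW_P[200:]}"'  # as dig prints it

if __name__ == "__main__":
    print(check_published(NEW, [CHUNKED], old=OLD))   # correct record
    print(check_published(NEW, [NEW[:150]], old=OLD)) # truncated paste
    print(check_published(NEW, [OLD, NEW], old=OLD))  # stale duplicate
```

An empty list means the one published record carries the new key; anything else names what to fix before clicking Verify DNS records.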
Step 6 — Re-verify
On the Domain authentication page, click Verify DNS records in the page header. AcelleMail queries your DNS and re-checks every record. While it works the button shows "Verifying...".
- All records confirmed → "Domain verified successfully! All DNS records are confirmed." and the status badge flips to Verified.
- Still propagating → "Verification in progress. Some DNS records are still pending — this can take up to 48 hours."
DNS changes take anywhere from 15 minutes to 48 hours to propagate worldwide (AcelleMail's own guide cards say this). If your DKIM row still shows Pending, wait and click Verify DNS records again — you can re-check as often as you like.
Step 7 — Confirm the new key is signing
Once the domain reads Verified, send yourself a test campaign from an address on that domain. In Gmail, open the message → ⋮ → Show original and look at the DKIM-Signature: line:
- d= should be your domain.
- s= should be your install's selector (the same one as before — the selector doesn't change; the key behind it did).
- The header should show dkim=pass.
That's the whole rotation. There's exactly one DKIM-Signature header (AcelleMail signs with one key), and it now uses your fresh keypair.
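The Step 7 check as an added Python example (not AcelleMail code), run over the raw headers copied from Show original. The sample message is constructed, and the `header.s=` form of the Authentication-Results line is an assumption about how the receiving mailbox reports the result.

```python
from email import message_from_string

# Constructed sample headers (placeholder signature values, not a real message).
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.brand.com header.s=acelle header.b=AbCdEfGh;
       spf=pass smtp.mailfrom=mail.brand.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.brand.com;
       s=acelle; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER
From: News <news@mail.brand.com>
Subject: rotation test

body
"""

def check_signing(raw, domain, selector):
    """Return problems with the message's DKIM signature; [] means it checks out."""
    msg = message_from_string(raw)
    problems = []
    sigs = msg.get_all("DKIM-Signature", [])
    if len(sigs) != 1:
        problems.append(f"{len(sigs)} DKIM-Signature headers, expected 1")
    for sig in sigs:
        # Tag list: 'd=...; s=...'; strip() also removes header folding whitespace.
        tags = dict(p.strip().split("=", 1) for p in sig.split(";") if "=" in p)
        if tags.get("d") != domain:
            problems.append(f"d={tags.get('d')} is not {domain}")
        if tags.get("s") != selector:
            problems.append(f"s={tags.get('s')} is not {selector}")
    # Receiving servers prepend their headers, so only the topmost
    # Authentication-Results is read; lower ones may have arrived with the message.
    verdict = (msg.get_all("Authentication-Results") or [""])[0]
    passed = False
    for clause in verdict.split(";"):
        words = clause.split()
        if words and words[0] == "dkim=pass" and f"header.s={selector}" in words:
            passed = True
    if not passed:
        problems.append(f"no dkim=pass for selector {selector} in Authentication-Results")
    return problems

if __name__ == "__main__":
    print(check_signing(RAW, "mail.brand.com", "acelle"))
```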
Common issues

| What you see | What to do |
|---|---|
| DKIM row stays Pending after re-verify | DNS hasn't propagated. Wait (up to 48h) and click Verify DNS records again. Confirm the TXT value at your host matches AcelleMail's Value exactly. |
| Test email shows dkim=fail after re-add | The TXT value at your DNS host doesn't match — almost always a truncated or mis-pasted public key. Re-copy the Value from the DKIM signature row and replace it. |
| You added a second DKIM TXT record by mistake | Since the selector is unchanged, you only want one record at that host name. Delete the stale one so only AcelleMail's current value is published. |
| Domain shows Unverified but you didn't touch DNS | If you deleted and haven't re-added yet, that's expected. Finish Steps 4–6. |
| You can't find an Edit button on a domain | There isn't one — that's by design. To change a domain's key, you delete and re-add (this guide). |
When to rotate
There's no enforced schedule and no app reminder, so this is your call:
- Rotate now if your DNS host had a security incident, or a compliance audit requires it.
- Routine rotation (e.g. once a year) is reasonable cryptographic hygiene but optional.
- Don't rotate during a critical send window (a big launch, a seasonal campaign). The short verify gap in Steps 3–6 means fresh sends temporarily lose a passing DKIM signature — do it on a quiet day.
If you run several sending domains, rotate them one at a time and confirm each reads Verified before starting the next — far easier to debug than a batch.