Do you find it necessary to regenerate your DKIM keys every 1-6 months to avoid your mail going into the receiving servers' junk mail folder?
Some guides recommend this, some even say it's "Best Practice" to do so, but most other guides don't mention it at all. Evidently it is Best Practice to do so, but what is your real world experience?
Just modernized my old Debian 7 Postfix server to include DKIM + DMARC (+ SPF) and want to know if I should be doing ongoing maintenance to regenerate the keys.
What are most people doing? What are your real world experiences? Have you noticed old keys being the cause of your mail being sent to the junk folder?
I'm a low-volume sender, maybe 5-10 emails/day get sent through my server.
Is it necessary to rotate DKIM keys?
Only so far as it is necessary to regularly train all other disaster recovery procedures. It is certainly helpful to just do it regularly, but for most (smaller) operations, monthly rotations would be way overkill and steal away resources from other, more important regular checks & drills.
There used to be an argument about people factoring the keys (learning the keys without compromising your server), but you should not be using old algorithms with short keys anyway (these days, you can transport >=1024 bit RSA keys over DNS, and more recently ed25519 has been proposed as the next algorithm as RSA looks increasingly slow & bulky in comparison).

But what if recipients interpret my rare key rotations as a spam signal?
If I were to utilize DKIM key age as a parameter in my spam filtering, I would assign a negative score to recently first-seen keys, because that happens to be more strongly correlated with spam content.
But even if this is not the case for other recipients, it's probably not one of the signals most would care about, in terms of effect size. There are almost infinitely stronger indicators for shady or badly maintained operations; it is rarely necessary to even look at the age of the utilized DKIM key when you can look at much simpler and much stronger indicators.
For a detailed discussion of the things that are stronger indicators, see the canonical question about fighting spam.
What are your real world experiences?
Some recipients keep a list of indicators (IPs, networks, names, naming patterns(!), DKIM keys) and derive reputation data from correlating them. Those recipients are less likely to cause trouble for you if you avoid changing both DKIM keys and IP addresses at once - as long as there is overlap, they can automatically assume both are owned by the same party. If they do not realize the new key is owned by the same party, you will be treated as unknown, and in terms of spam filtering, unknown means stricter filters.
Have you noticed old keys being the cause of your mail being sent to the junk folder?
Only in the context of old keys no longer fulfilling the minimum requirements (RSA keys shorter than 1024 bits are no longer deemed useful by everyone). This is, however, unrelated to the actual key age; it just happens to be more likely for keys generated before such large keys could be reliably transported in DNS.
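As an added example (not from the question or the answer above): a Python check that parses a published DKIM TXT record and reports whether the key still meets the minimum the answer refers to (RSA of at least 1024 bits, the floor set by RFC 8301) or is an Ed25519 key (RFC 8463). The DER helpers, the `dkim_key_info` and `key_is_acceptable` names, and the sample records with placeholder moduli are all constructed here and are not real keys.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # id-rsaEncryption
def der_tlv(tag, value):
    # Minimal DER writer, only used to build the constructed sample keys below.
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def der_int(x):  # the extra byte, where needed, keeps the INTEGER positive in DER
    return der_tlv(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))
def rsa_spki(n, e):  # SubjectPublicKeyInfo { rsaEncryption, RSAPublicKey { n, e } }
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + der_tlv(0x30, der_int(n) + der_int(e))))
def der_read(buf):
    # One DER TLV -> (tag, value, remaining bytes); handles long-form lengths.
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[pos + length:]
def dkim_key_info(txt):
    """Parse a DKIM TXT record; report key algorithm, size in bits and revocation."""
    tags = dict((k.strip(), v.strip()) for k, v in
                (kv.split("=", 1) for kv in txt.split(";") if "=" in kv))
    algo = tags.get("k", "rsa")             # RFC 6376: k= defaults to rsa
    raw = base64.b64decode(re.sub(r"\s", "", tags.get("p", "")))
    if not raw:                             # empty p= means the key is revoked
        return {"algo": algo, "bits": 0, "revoked": True}
    if algo == "ed25519":                   # RFC 8463: p= is the raw 32-byte key
        return {"algo": algo, "bits": len(raw) * 8, "revoked": False}
    _, spki, _ = der_read(raw)              # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, rest = der_read(spki)             # skip the AlgorithmIdentifier
    _, bitstr, _ = der_read(rest)
    _, rsakey, _ = der_read(bitstr[1:])     # drop the unused-bits octet
    _, modulus, _ = der_read(rsakey)        # first INTEGER of RSAPublicKey is n
    return {"algo": algo, "bits": int.from_bytes(modulus, "big").bit_length(), "revoked": False}
def key_is_acceptable(info):
    """Floor from RFC 8301 (RSA >= 1024 bits) and RFC 8463 (Ed25519)."""
    return not info["revoked"] and ((info["algo"] == "rsa" and info["bits"] >= 1024)
                                    or (info["algo"] == "ed25519" and info["bits"] == 256))
def sample_record(n, e=65537):  # constructed RSA record with a placeholder modulus, not a real key
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode()
RSA_1024 = sample_record((1 << 1023) | 1)
RSA_512 = sample_record((1 << 511) | 1)
ED25519 = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()
REVOKED = "v=DKIM1; k=rsa; p="
```

Feed it the concatenated TXT strings of each selector you publish (for example `default._domainkey.example.com`, a placeholder name) to spot a selector that still carries a sub-1024-bit RSA key before recipients start rejecting it.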