Key Length:
Use a key length of at least 1024 bits. Shorter keys, such as 512-bit keys, are far weaker and can be cracked within 72 hours using inexpensive cloud services.
Rotation:
Rotate keys at least once per year to shorten the window in which a compromised key could be used to forge signed email. Here is a great document on DKIM key rotation:
Expiration:
Signatures should have an expiration period greater than your current key rotation period. Old keys should be revoked in DNS as appropriate (delete the contents of the “p=” field so that it is empty).
Test Mode:
The “t=y” flag is for testing only. Experience has shown that several mail providers ignore the DKIM signature entirely when they find “t=y” on the key record. Use this mode only for a very short period during the initial DKIM ramp-up.
Monitoring:
To monitor how receivers are handling email signed with DKIM, implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Also use your DNS query logs to monitor how frequently each key is looked up. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
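The rotation, expiration and monitoring points above come together in one operational question: which selectors are receivers still querying, and which old selector can safely be revoked? The following is an added example, not code from this page or from OnDMARC, that answers it from DNS query logs. The log lines are constructed samples in a BIND-style query-log format, the domain and selector names are placeholders, and the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a BIND9-style query-log format (not real traffic;
# the domain and selector names are placeholders).
SAMPLE_LOG = """\
01-Mar-2024 08:01:11.512 client 203.0.113.5#51234: query: s2023._domainkey.example.com IN TXT + (192.0.2.1)
15-Apr-2024 09:12:43.002 client 198.51.100.7#40001: query: s2024._domainkey.example.com IN TXT + (192.0.2.1)
16-Apr-2024 10:02:09.771 client 203.0.113.9#53010: query: s2024._domainkey.example.com IN TXT + (192.0.2.1)
16-Apr-2024 10:02:10.004 client 203.0.113.9#53010: query: example.com IN MX + (192.0.2.1)
17-Apr-2024 11:30:00.120 client 198.51.100.20#61000: query: s2024._domainkey.example.com IN TXT + (192.0.2.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client \S+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)
# DKIM keys live at <selector>._domainkey.<domain>
SELECTOR_RE = re.compile(r"^(?P<selector>[^.]+)\._domainkey\.(?P<domain>.+?)\.?$")


def selector_usage(log_text: str) -> dict:
    """Count TXT lookups per DKIM selector and record when each was last queried."""
    usage = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue                       # only key lookups are of interest
        s = SELECTOR_RE.match(m["qname"])
        if not s:
            continue                       # a TXT query for something other than a DKIM key
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        entry = usage.setdefault(s["selector"], {"domain": s["domain"], "count": 0, "last_seen": ts})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], ts)
    return usage


def revocation_candidates(usage: dict, now, quiet_days: int = 30) -> list:
    """Selectors nobody has queried for quiet_days: candidates for emptying their p= tag.

    `now` may be a datetime or an ISO date string such as "2024-04-20".
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=quiet_days)
    return sorted(sel for sel, e in usage.items() if e["last_seen"] < cutoff)


if __name__ == "__main__":
    stats = selector_usage(SAMPLE_LOG)
    for sel, e in stats.items():
        print(f"{sel}: {e['count']} lookups, last seen {e['last_seen']:%Y-%m-%d}")
    print("revocation candidates:", revocation_candidates(stats, "2024-04-20"))
```

Receivers cache key records, so a low query count does not mean zero use; treat a quiet selector as a candidate to revoke only once the signing side has stopped using it and the quiet period comfortably exceeds the signature expiration you set.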
DomainKeys is a deprecated protocol; use DKIM instead. (See: What is the difference between DomainKeys and DKIM?)
Hashing Standards:
Deprecate the use of SHA1 for hashing and move to SHA256 as per RFC 6376, Section 3.3.
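The key-length, expiration/revocation, test-mode and hashing points above can all be checked against a selector's published TXT record. The following is an added example, not code from this page or from OnDMARC, that does so. In practice the record text would come from a TXT lookup of `<selector>._domainkey.<domain>`; here the records and the RSA moduli are constructed (only their bit length matters), the function names are my own, and the DER walker assumes an RSA key (`k=rsa`), decoding the `p=` value without any third-party library.

```python
import base64

# rsaEncryption OID (1.2.840.113549.1.1.1) as it appears DER-encoded in a SubjectPublicKeyInfo
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload

def _der_int(v: int) -> bytes:
    # One spare byte so a set high bit can never be read as a negative INTEGER.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _der_read(buf: bytes, pos: int):
    """Return (tag, contents, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_from_rsa(n: int, e: int) -> bytes:
    """Encode (n, e) as a SubjectPublicKeyInfo, the structure a DKIM p= tag carries."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey and size the modulus."""
    tag, outer, _ = _der_read(spki, 0)
    alg_tag, alg, pos = _der_read(outer, 0)
    if tag != 0x30 or alg_tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bs_tag, bits, _ = _der_read(outer, pos)
    if bs_tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_key, _ = _der_read(bits[1:], 0)      # bits[0] is the unused-bits octet
    int_tag, n_bytes, _ = _der_read(rsa_key, 0)
    if int_tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM key record into its tag=value pairs (RFC 6376 section 3.6.1)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # folding whitespace is allowed inside values
    return tags

def build_dkim_record(n: int, e: int, extra_tags: str = "") -> str:
    """Assemble a key record from a constructed (n, e) pair; for demonstration only."""
    p = base64.b64encode(spki_from_rsa(n, e)).decode()
    return f"v=DKIM1; k=rsa; {extra_tags}p={p}"

def audit_dkim_record(txt: str, min_bits: int = 1024) -> dict:
    """Apply the key-length, revocation, test-mode and hash checks to one record."""
    tags = parse_dkim_record(txt)
    findings = {}
    p = tags.get("p", "")
    bits = 0
    if not p:
        findings["revoked"] = "empty p= revokes this selector; signatures using it will fail"
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(p))
        if bits < min_bits:
            findings["weak-key"] = f"{bits}-bit RSA key is below the {min_bits}-bit minimum"
    if "y" in tags.get("t", "").split(":"):
        findings["test-mode"] = "t=y is set; some receivers ignore the signature entirely"
    if "sha1" in tags.get("h", "").split(":"):
        findings["sha1-allowed"] = "h= still lists sha1; restrict it to sha256"
    return {"bits": bits, "revoked": not p, "findings": findings}

if __name__ == "__main__":
    # Constructed demo moduli (not real RSA keys): only the bit length matters here.
    for label, rec in [("strong", build_dkim_record((1 << 2047) | 1, 65537)),
                       ("weak", build_dkim_record((1 << 511) | 1, 65537, "t=y; h=sha1; ")),
                       ("revoked", "v=DKIM1; k=rsa; p=")]:
        print(label, audit_dkim_record(rec))
```

A record with no `h=` tag accepts any hash algorithm, which is the default; the check above only flags records that explicitly keep `sha1` listed. Feed the concatenated TXT strings of a real selector into `audit_dkim_record` to see the same findings for your own keys.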
Third Party Mailers:
Organizations should engage with anyone that sends mail on their behalf to ensure that each third-party vendor (e.g., their email service provider) complies with these best practices.
Create a free OnDMARC account to view your DKIM functionality.