Use a key length of at least 1024 bits. Shorter keys, such as 512-bit keys, are far weaker and can be cracked within 72 hours using inexpensive cloud services.
Rotate keys at least once per year to limit the window during which a leaked key could be used to sign mail that is not yours. Here is a great document on DKIM key rotation:
Signature expiration should be longer than your current key rotation period. Revoke old keys in DNS once they are no longer in use by publishing the selector record with an empty “p=” field (delete the contents of the “p=” field).
The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the presence of the DKIM signature when they find “t=y”. This mode is to be used for a very short period and only during the initial DKIM ramp-up.
To see how receivers are treating mail signed with DKIM, deploy DMARC with a “p=none” policy (also referred to as “monitoring mode”). Also monitor DNS queries for your selector records to see how frequently each key is looked up. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
DomainKeys is a deprecated protocol; use DKIM instead. (See: What is the difference between DomainKeys and DKIM?)
Deprecate the use of SHA1 for hashing and move to SHA256 as per RFC 6376, Section 3.3.
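The checks above (key length, the empty “p=” of a revoked key, the “t=y” flag, a “p=none” DMARC policy, and SHA-1 still being permitted) can be run against the TXT records you actually publish. The script below is an added example, not part of the original page; the DKIM and DMARC records it audits are constructed, and the RSA public keys inside them are synthetic values of a chosen bit length built only to exercise the key-length check, not real keys. It parses the DER SubjectPublicKeyInfo in the “p=” tag with a minimal reader rather than a crypto library, so it runs with the standard library alone.

```python
"""Audit DKIM selector and DMARC TXT records against the checklist above.
Added example; sample records and RSA moduli below are constructed."""
import base64


# --- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                 # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption


def synthetic_rsa_spki_b64(bits: int) -> str:
    """Constructed SPKI whose modulus has exactly `bits` bits (NOT a real key)."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, RSA_OID + b"\x05\x00")             # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return base64.b64encode(spki).decode()


def rsa_modulus_bits(p_value: str) -> int:
    """Key size in bits, read from the base64 SPKI in a DKIM p= tag."""
    _, spki, _ = _tlv(base64.b64decode(p_value))
    _, _, after_alg = _tlv(spki)               # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, after_alg)       # BIT STRING
    _, rsa_key, _ = _tlv(bitstr[1:])           # drop unused-bits byte
    _, modulus, _ = _tlv(rsa_key)              # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


MIN_KEY_BITS = 1024   # the floor recommended above


def audit_dkim_record(record: str) -> list:
    """Findings for one DKIM selector record; an empty list means clean."""
    tags = parse_tags(record)
    if not tags.get("p"):
        return ["key revoked (empty p=); make sure no signer still uses it"]
    findings = []
    bits = rsa_modulus_bits(tags["p"])
    if bits < MIN_KEY_BITS:
        findings.append(f"key is {bits} bits; minimum is {MIN_KEY_BITS}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set; receivers may ignore the signature")
    if "sha1" in tags.get("h", "").split(":"):
        findings.append("h= permits SHA-1; restrict to sha256 (RFC 6376, s3.3)")
    return findings


def dmarc_policy(record: str) -> str:
    """Policy of a _dmarc TXT record; 'none' is monitoring mode."""
    return parse_tags(record).get("p", "")


# Constructed sample selector records, not taken from any real domain.
SAMPLE_RECORDS = {
    "sel1": "v=DKIM1; k=rsa; p=" + synthetic_rsa_spki_b64(2048),
    "sel2": "v=DKIM1; k=rsa; t=y; h=sha1:sha256; p=" + synthetic_rsa_spki_b64(512),
    "old": "v=DKIM1; k=rsa; p=",
}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for selector, record in SAMPLE_RECORDS.items():
        print(selector, audit_dkim_record(record) or ["ok"])
    print("DMARC policy:", dmarc_policy(SAMPLE_DMARC))
```

In practice you would feed `audit_dkim_record` the TXT value fetched for `<selector>._domainkey.<domain>` and `dmarc_policy` the value of `_dmarc.<domain>`; the DER reader only handles the RSA SubjectPublicKeyInfo layout that DKIM “k=rsa” records publish, so an Ed25519 record (“k=ed25519”) would need its own branch.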
Third Party Mailers:
Organizations should engage with anyone who sends mail on their behalf to ensure that the third-party vendor (e.g., their email service provider) complies with these best practices.
Create a free OnDMARC account to view your DKIM functionality.