[disiplus]

why do you need CA when you control the domain. if somebody can take over your domain you or the reciever has a bigger problem. im not sure what do you get with key rotation that you would not get with using proper length keys.

[brightball]

If somebody gets the original key by any means, they can impersonate your domain in emails because the corresponding public key is sitting in your DNS to validate the message unless you change it. The length of the key only reduces the chance of finding it by brute force. If anybody gets a hold of the key by any other means (compromised mail server or other vulnerability) they can still impersonate you no matter how long the key was...because they'll have it.

If the length of the key effects the time it would take to crack it, rotating the keys gives them a usage window so you'd have to be able to crack / obtain it within that window of time for it to be useful.

For many sites this probably doesn't seem like a big deal. For sites that deal with heavy phishing attempts though, these precautions are really important.

[disiplus]

im still not convinced. if somebody breaks 2048bit we all have bigger problems. and if somebody compromises your mail server i assume you would like to know and not only let the keys rotate via cron and call it a day.

[brightball]

Either way, when you can solve the problem with an extra DNS entry it's a better solution.