{
  "$schema": "https://schemas.nightboxllc.com/dkim-rotation-policy/v1.json",
  "domain": "nightboxllc.com",
  "version": "1.0.0",
  "updated": "2026-05-08",
  "policy_owner": "Nightbox LLC (UEI UHCAB6UXXKF2)",
  "scope": "DKIM key lifecycle policy for nightboxllc.com. Aligned to NIST SP 800-177 Rev. 2 §4.5 (DKIM key rotation guidance) and M3AAWG Sender Best Common Practices §6.",
  "current_key": {
    "selector": "google",
    "fqdn": "google._domainkey.nightboxllc.com",
    "algorithm": "rsa-sha256",
    "key_length_bits": 2048,
    "managed_by": "Google Workspace",
    "deployed": "2026-04-30",
    "scheduled_rotation": "2026-10-30"
  },
  "rotation_cadence": {
    "interval_days": 180,
    "rationale": "180 days is the M3AAWG-recommended ceiling; aligns with NIST SP 800-177 Rev. 2 guidance to rotate DKIM keys 'frequently', with an interval not exceeding one year.",
    "trigger_events_for_immediate_rotation": [
      "Suspected key compromise",
      "Departure of personnel with key access",
      "Detection of unauthorized DKIM-signed mail in DMARC aggregate reports",
      "Cryptographic algorithm deprecation"
    ]
  },
  "rotation_procedure": {
    "method": "Google Workspace Admin Console > Apps > Google Workspace > Gmail > Authenticate Email > Generate New Record",
    "overlap_window_days": 7,
    "overlap_strategy": "Run the new selector alongside the old selector for 7 days; switch DNS to the new selector; observe DMARC aggregate reports for failures; retire the old selector after 14 clean days."
  },
  "audit_trail": {
    "log_retention_days": 1095,
    "log_location": "internal-only (available to federal contracting officers under NDA)"
  },
  "compliance_alignment": {
    "nist_sp_800_177r2": "Section 4.5",
    "m3aawg_bcp": "Sender Best Common Practices §6",
    "rfc_6376": "DKIM Signatures (base spec)",
    "rfc_8463": "Ed25519 DKIM Signatures (planned secondary key, target 2027)"
  },
  "future_roadmap": {
    "ed25519_secondary_selector": {
      "target_date": "2027-Q1",
      "rationale": "Add RFC 8463 Ed25519 secondary DKIM selector alongside existing 2048-bit RSA. Smaller signatures (~64 bytes vs 256 bytes), faster verification, post-quantum-adjacent.",
      "blocker": "Google Workspace Ed25519 DKIM not yet GA as of 2026-05; tracking https://workspaceupdates.googleblog.com/"
    }
  },
  "disclaimer": "Self-attested. Federal contracting officers verifying DKIM posture should independently retrieve the live DKIM record and confirm its key length and algorithm: dig +short TXT google._domainkey.nightboxllc.com"
}
