For some reason I’d never considered that DKIM breaks deniability of emails. All this time I’ve been scoffing at people who GPG sign all their outgoing mail, only to realise I’ve been doing the same thing, just at a different level.
Solar Designer suggested years ago using keys that could be relatively easy to factor, and rotating them. I think I’d rather just turn off DKIM and be done with it, but I think this will hurt deliverability. Maybe I just shouldn’t care; I’m unlikely to ever have my email dumped and have to plausibly deny any of them.
Or publish the private keys after each monthly/daily rotation? That limits provable exposure to the most recent emails.
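
The rotate-and-publish idea above, as an added sketch that is not part of the original post: a toy RSA signer with two monthly selectors, where the retired selector's private exponent has been published. The selector names, messages and tiny Mersenne-prime keys are constructed for illustration; real DKIM signs canonicalized headers with padded RSA keys of 1024 bits or more.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key from two primes (assumption: textbook RSA, no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(msg, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(msg, pub["n"])

# Constructed selectors; Mersenne primes keep the toy keys reproducible.
KEYS = {
    "2024-01": make_key(2**61 - 1, 2**89 - 1),
    "2024-02": make_key(2**107 - 1, 2**127 - 1),
}
DNS = {s: {"n": k["n"], "e": k["e"]} for s, k in KEYS.items()}  # public halves
PUBLISHED = {"2024-01": KEYS["2024-01"]["d"]}  # released after rotation

def assess(msg, selector, sig):
    """What a third party holding a dumped mail can conclude from its signature."""
    if not verify(msg, sig, DNS[selector]):
        return "invalid"
    if selector in PUBLISHED:
        return "deniable"      # anyone holding the published key could sign this
    return "attributable"      # only the domain holds this key

def third_party_sign(msg, selector):
    """Produce a valid signature from DNS data plus the published exponent."""
    return sign(msg, {"n": DNS[selector]["n"], "d": PUBLISHED[selector]})

old = b"From: me@example.org\r\nSubject: January\r\n\r\nreal body"
new = b"From: me@example.org\r\nSubject: February\r\n\r\nreal body"
fake = b"From: me@example.org\r\nSubject: January\r\n\r\nnever written"

def demo():
    return [
        assess(old, "2024-01", sign(old, KEYS["2024-01"])),
        assess(fake, "2024-01", third_party_sign(fake, "2024-01")),
        assess(new, "2024-02", sign(new, KEYS["2024-02"])),
    ]

if __name__ == "__main__":
    print(demo())
```

The genuine January mail and the never-written one are indistinguishable to a verifier, while mail under the current selector stays attributable until that key is published too. Deniability only holds against someone who cannot show they held the signed mail before the key was released.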