You have to add new email-addresses for your new domain in your LDAP-directory. But the new email-address does not match the old email address on the key, thus the key needs to be updated.
The Symantec Encryption Management Server can update your keys automatically, but in order to do so, you need to follow some steps.
1) add your new managed domain, for example "newdomain.com", to the list of the managed domains on the Server under "Consumers/Managed Domains"
2) the server automatically checks your client's group memberships on the LDAP-Server twice a day and should find attribute-changes. You may want to prefer a manual regroup though.
To do so, open a group on the Symantec Encryption Management Server and click in the "Group Settings" on "Save". Depending on your directory layout and size this can take some minutes.
3) now check the user record on the server (not the users key). It should have been updated already with the new email-address.
4) check the SKM keys, they should be updated already.
5) for GKM- and SCKM-keys, be sure that the client enters the key-passphrase afterwards. The passphrase request could be triggered with an attempt to decrypt or sign data (for example have the user display an encrypted mail).
The GKM- or SCKM-key should now be updated on the client as well. The key will be uploaded to the server with the next policy update. You can also do this manually by right-clicking the key on the client and synchronize it.
Symantec Encryption Management Server that manages internal user keys or clients with keys.