Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.

Hello,

We noticed that your domain is sending email to Gmail users that is DKIM signed with a 512-bit RSA key. RFC 6376 requires DKIM signing mail using RSA keys of at least 1024-bits for long-lived keys (https://tools.ietf.org/html/rfc6376#section-3.3.3). Shorter keys could be factored by an attacker. As you may know, this attack has been publicly reported. US-CERT has also issued an advisory to upgrade all keys lower than 1024-bits (http://www.kb.cert.org/vuls/id/268267).

As such, we strongly encourage you to upgrade your RSA keys to be at least 1024-bits long.

To best protect our users, Gmail will begin treating emails signed with 512-bit keys as unsigned in about a week. If you continue to use your current key, your messages will not DKIM authenticate.

Affected key:
example._domainkey.example.com descriptive text “k=rsa; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==;”

Thank you,
Gmail Team

Is Google failing DKIM keys shorter than 512 bits?
Return Path announces new abuse prevention service

Related Posts

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 

Read More

Getting rid of the via at Gmail

There was a question submitted today about the verification process at Gmail.

Read More

Gmail and the via

I was hoping to have a detailed post up today about the conditions where gmail presents the user with a “via” but time seems to have gotten away from me. But I can give you the conclusions.

Read More