BLOG

Gmail sending out warnings for 512 bit DKIM keys

November 9, 2012 by in Industry

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.

Hello,

We noticed that your domain is sending email to Gmail users that is DKIM signed with a 512-bit RSA key. RFC 6376 requires DKIM signing mail using RSA keys of at least 1024-bits for long-lived keys (https://tools.ietf.org/html/rfc6376#section-3.3.3). Shorter keys could be factored by an attacker. As you may know, this attack has been publicly reported. US-CERT has also issued an advisory to upgrade all keys lower than 1024-bits (http://www.kb.cert.org/vuls/id/268267).

As such, we strongly encourage you to upgrade your RSA keys to be at least 1024-bits long.

To best protect our users, Gmail will begin treating emails signed with 512-bit keys as unsigned in about a week. If you continue to use your current key, your messages will not DKIM authenticate.

Affected key:
example._domainkey.example.com descriptive text “k=rsa; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==;”

Thank you,
Gmail Team

7 comments

  1. Daniel Gibby says

    I think Google has incorrectly sent me the email. I updated my DKIM to a 1024 bit key this week; after which Google emailed me telling me that my new key was 512 bytes,but they included the new 1024 bit key in the email.

    I double checked that the key I am setup with is 1024 by using this tool, and it says it is 1024:
    http://www.protodave.com/tools/dkim-key-checker/

    Key Length (bits): 1024
    Version:
    Key Type: rsa
    Notes:
    Public Key:

    —–BEGIN PUBLIC KEY—–
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDuhTYX1HJv3JKy24WzyTBNKcP3JswarPzWod477h
    UJrpj1R6a0boD/q73TAocf5W5CDPh1LOm5tx0h7AQRnKoOnSBxST6JFIjIFTrvUfjH/DgOuWVCyB53
    zHaXK9cAcCp0ZpDiops0wRINoCHjPltZ7hIEP7VyNLLww8w2ZBtw0QIDAQAB
    —–END PUBLIC KEY—–

    That looks like a 1024 bit key to me. The 512 bit key was visibly shorter, about half as short in fact.

    I think Google may have looked through past email, but in the email sent out the current key, not the key that had been in the emails I sent before the upgrade.

    November 9, 2012, 3:13 pm
  2. Neil Schwartzman says

    at least one of my accounts is losing email today (spamcop reports, password resets). Cause and effect? Time will tell.

    November 10, 2012, 7:55 pm
  3. Neil Schwartzman says

    Update: there seemingly some significant delays with one of my Gmail accounts for at least the past 24 hours, but I did get the backlog all in a clump around 22:30 last evening. Doesn’t appear to be DKIM related, as spamcop user confirmation reports as signed by DK not DKIM (!)

    November 11, 2012, 7:03 am
  4. dialogue1 E-Mail-Marketing Blog says

    Gmail wird wählerisch bei DKIM…

    In wenigen Tagen beginnt Gmail damit, zu lasch verschlüsselte DKIM-Signaturen in E-Mails zu ignorieren – und wie fehlende Signaturen zu behandeln. (siehe Artikel in Word to the Wise) Damit sind vor allem 512-bit RSA-Schlüssel gemeint, die sich ja per B…

    November 14, 2012, 5:08 am
  5. Network Support Essex and London says

    Network Support Essex and London…

    Gmail sending out warnings for 512 bit DKIM keys – Word to the Wise…

    November 14, 2012, 7:28 pm
  6. DKIM and Gmail – Word to the Wise says

    […] Gmail seem to be requiring in order for them to consider your mail DKIM signed, based either on statements from Google or watching what Gmail does with badly signed […]

    November 28, 2012, 2:11 pm
  7. DKIM-Pflicht für CSA-zertifizierte E-Mails ab dem 10. Juni Campfire says

    […] groß sein. Empfohlen wird eine Stärke von mindestens 1014 Bit. Alles was darunter ist, behandelt Gmail als nicht signiert. Wer den Schlüssel knackt, kann unter fremdem Namen signierte Phishingmails versenden. Und der […]

    May 16, 2014, 7:43 am

Comment:

Your email address will not be published. Required fields are marked *

Return Path announces new abuse prevention serviceIs Google failing DKIM keys shorter than 512 bits?

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments

Archives