How long is your DKIM key?

While we were at M3AAWG, Wired published an article about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys shorter than 1024 bits are not secure, and the DKIM spec (RFC 6376) requires signers to use RSA keys of at least 1024 bits for long-lived keys. When I asked the DKIM people who would know, they told me that the news was that the keys had actually been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key of 1024 bits or longer. Anything shorter and you risk having the key cracked and your mail fraudulently signed.
This morning M3AAWG published recommendations on keeping DKIM keys secure:

  • Updating to a minimum 1024-bit key length. Shorter keys can be cracked in 72 hours using inexpensive cloud services
  • Rotating keys quarterly
  • Setting signatures to expire after the current key rotation period and revoking old keys in the DNS
  • Using the key test mode only for a short time period and revoking the test key after the ramp-up
  • Implementing DMARC in monitoring mode and using DNS to monitor how frequently keys are queried. DMARC (Domain-based Message Authentication, Reporting and Conformance) is another standard often used in conjunction with DKIM
  • Using DKIM rather than DomainKeys, which is a deprecated protocol
  • Working with any third parties hired to send a company’s email to ensure they are adhering to these best practices

M3AAWG

Google took a good step in encouraging folks to upgrade to more secure keys. According to Return Path, Gmail is currently failing DKIM verification for any key of 512 bits or shorter. Keys between 512 and 1024 bits still validate, but Gmail will start failing any key shorter than 1024 bits in the near future.

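Here is an added example (my own code, not from the post, M3AAWG or Return Path) that turns the key-length threshold above and the M3AAWG checklist into something you can run against a selector record: it pulls the RSA modulus length out of the p= value, flags keys still in test mode (t=y) or revoked (empty p=), and checks that a DKIM-Signature's x= expiry fits inside the rotation period. Everything in it is constructed: the sample records, the dig output line and the signature header are made up, the moduli are synthetic numbers of the right bit length rather than real keys, and the 90-day rotation period and the verdict names are my assumptions. The DER is built and parsed by hand so it runs with nothing beyond the standard library.

```python
import base64
import re

# Thresholds from the post: Gmail fails keys of 512 bits or shorter; M3AAWG
# (like RFC 6376) sets 1024 bits as the minimum length for a signing key.
GMAIL_FAIL_MAX_BITS = 512
MIN_BITS = 1024
ROTATION_DAYS = 90  # assumed length of a "quarterly" key rotation period

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep it positive

def _der_read(buf, pos):  # -> (tag, body, next_pos) for the TLV starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def spki_from_modulus(n, e=65537):  # DER SubjectPublicKeyInfo around a constructed modulus
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _der_read(spki_der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _alg, pos = _der_read(spki, 0)        # AlgorithmIdentifier (rsaEncryption)
    _, bits, _ = _der_read(spki, pos)        # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bits[1:], 0)   # skip the unused-bits octet
    _, n_bytes, _ = _der_read(rsa_pub, 0)    # modulus is the first INTEGER
    return int.from_bytes(n_bytes, "big").bit_length()

# DKIM record and signature handling.
def join_dig_txt(line):  # dig prints long TXT records as several quoted strings
    return "".join(re.findall(r'"([^"]*)"', line))

def parse_tags(text):
    """Parse the 'k=v; k=v' tag lists used by DKIM records and signature headers."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def audit_dkim_record(txt):
    """Classify a selector record by key length, test mode (t=y) and revocation."""
    tags = parse_tags(txt)
    result = {"bits": None, "test_mode": "y" in tags.get("t", "").split(":")}
    if tags.get("p", "") == "":
        result["verdict"] = "revoked"        # empty p= revokes the key (RFC 6376)
        return result
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    result["bits"] = bits
    if bits <= GMAIL_FAIL_MAX_BITS:
        result["verdict"] = "fails-at-gmail"
    elif bits < MIN_BITS:
        result["verdict"] = "below-minimum"
    else:
        result["verdict"] = "ok"
    return result

def signature_expiry_ok(sig_header, max_days=ROTATION_DAYS):
    """True if a DKIM-Signature carries x= and expires within the rotation period."""
    tags = parse_tags(sig_header)
    if "t" not in tags or "x" not in tags:
        return False                         # no expiry: a cracked key stays usable
    return 0 < int(tags["x"]) - int(tags["t"]) <= max_days * 86400

# Constructed sample data: synthetic moduli of the sizes the post discusses, not real keys.
def _record(bits, extra=""):
    spki = spki_from_modulus((1 << (bits - 1)) | 1)
    return "v=DKIM1; k=rsa; " + extra + "p=" + base64.b64encode(spki).decode()

SAMPLE_RECORDS = {
    "weak-512": _record(512),
    "test-768": _record(768, "t=y; "),   # also still in test mode
    "ok-1024": _record(1024),
    "revoked": "v=DKIM1; k=rsa; p=",
}
SAMPLE_DIG_LINE = '"v=DKIM1; k=rsa; " "p=%s"' % parse_tags(SAMPLE_RECORDS["ok-1024"])["p"]
SAMPLE_SIG = "v=1; d=example.com; s=sel1; t=1350000000; x=1357776000; bh=dGVzdA==; b=c2ln"

if __name__ == "__main__":
    print({name: audit_dkim_record(rec) for name, rec in SAMPLE_RECORDS.items()})
    print("signature expires within rotation period:", signature_expiry_ok(SAMPLE_SIG))
```

To check a live selector, run `dig +short TXT selector._domainkey.example.com` and pass the output line through join_dig_txt before audit_dkim_record. A verdict of fails-at-gmail or below-minimum means a longer key should be published under a fresh selector, and the old selector's p= emptied once mail signed with it has aged out; signature_expiry_ok returning False means signatures made with a cracked key would stay verifiable long after the key was rotated.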
Related Posts

Gmail and the bulk folder

Earlier this week Gmail announced they were providing reasons for why they delivered a particular mail to the bulk folder. I’m sure a lot of senders are rejoicing over the clear feedback. After all, this is exactly what they’ve been asking for: “tell us why you’re filtering our mail and we’ll fix it.”
I am not sure, however, that this is going to help the majority of senders seeing mail going to the bulk folder. On the Gmail support pages, they list a number of the explanations they’ll be providing.

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break-ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.

Gmail filtering

Derek Harding has a pair of articles on ClickZ about Gmail giving their users information about why a particular email message was filtered.
What Gmail Teaches Us about Spam Filtering
Gmail Filtering: The Spam Disposition
Both articles are worth a read. They talk about what we know about Gmail and what we can infer from the data they provide to senders.
