BLOG

How long is your DKIM key?

November 6, 2012 by in Industry

While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.

Fair enough.

If you are signing with DKIM, use a key 1024 or longer. Anything shorter and your risk having the key cracked and your mail fraudulently signed.

This morning M3AAWG published recommendations on keeping DKIM keys secure.

  • Updating to a minimum 1024-bit key length.  Shorter keys can be cracked in 72 hours using inexpensive cloud services
  • Rotating keys quarterly
  • Setting signatures to expire after the current key rotation period and revoking old keys in the DNS
  • Using the key test mode only for a short time period and revoking the test key after the ramp-up
  • Implementing DMARC in monitoring mode and using DNS to monitor how frequently keys are queried. DMARC (Domain-based Message Authentication, Reporting and Conformance) is another standard often used in conjunction with DKIM
  • Using DKIM rather than Domain Keys, which is a depreciated protocol
  • Working with any third parties hired to send a company’s email to ensure they are adhering to these best practices

M3AAWG

Google took a good step in encouraging folks to upgrade to more secure keys. According to Return Path Gmail is currently failing DKIM for any key 512 and shorter. Keys between 512 and 1024 are still validating, but Gmail will start failing any keys smaller than 1024 in the near future.

 

5 comments

  1. Martijn says

    I think it’s good to mention here that, assuming Google does things the proper way, “failing DKIM” means they will pretend there is no DKIM key. They will not “fail” (i.e. block or bounce) the messages themselves. So if you’re reading this and your key length is 512 bits, you don’t have to fix it tonight, you can fix it first thing in the morning.

    November 6, 2012, 1:39 pm
  2. protodave says

    After that vulnerability was reported I wrote tool to check DKIM TXT records and determine their key length so you can see if you are using a short key (less than 1024 bits):
    http://www.protodave.com/tools/dkim-key-checker/

    November 7, 2012, 10:11 am
  3. Kent says

    protodave, that’s a great little tool for checking DKIM keys….thanks.

    November 7, 2012, 4:09 pm
  4. Kathy says

    you mean this article?
    http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/

    November 7, 2012, 7:44 pm
    1. laura says

      Yup. I even linked to it in my blog post.

      November 8, 2012, 7:29 am

Comment:

Your email address will not be published. Required fields are marked *

Data Driven Email (and other) MarketingMarketing and storms

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments

Archives