DKIM Key Rotation

Several people have asked me about how to rotate DKIM keys in the past few days (as if you’re modifying anything to mitigate replay attacks, you need to invalidate the signatures of all the mail you sent before you made those changes).
 

 [icon name=”key” class=”2x spin”]

You really, really should be rotating your DKIM keys on a regular basis (monthly, weekly, quarterly?) in an automated way, so you shouldn’t need to be special-casing a change like this. Lots of people don’t, though, so here’s a quick summary of how to change your DKIM signing keys:

  1. Pick a new selector – either one that you’ve never used before, or (if you’re using ping-pong selectors) one that you’ve not used in the past week
  2. Generate a new key pair
  3. Add the new public key to your DNS servers
  4. Check that the new public key is visible on each of your public DNS servers
  5. Start signing outgoing mail with your new selector and new private key
  6. Wait 24 hours
  7. Delete the old public key from your DNS servers

DNS negative caching can cause some minor problems, if you’re not careful – if a DNS resolver queries for your public key before you’ve published it then it will cache that the key doesn’t exist for a short time. There are a few things to do to avoid that.
First, if you’re reusing a selector that you’ve ever used in the past then you should wait 24 hours after publishing the new public key before you start signing with the new private key. That will avoid having the nonexistent key cached at remote ISPs who happen to look it up based on an old message which used the same selector as your new keys.
Second, you shouldn’t manually look up the new public key in DNS before you know it’s published, so as to avoid you caching the nonexistent key in your own DNS caching resolver. That’ll cause mail you send to yourself or to other people at your company / ISP to fail DKIM validation, which is likely not a bad problem, but can make diagnosing signature failures difficult.
If you need to look for the key in DNS before it’s published (for example, to make sure that changes have published to your external DNS servers) you can avoid that by querying the authoritative servers directly (e.g. using @your.name.server with dig, or “host -t txt foo._domainkey.example.com your.name.server” with host).
You should probably avoid using web-based lookup tools to check your key records before they’re published too, for the same reason – but you can safely use our validation tools (as they only cache results for a maximum of sixty seconds).
Happy rotating!
 

 [icon name=”key” class=”2x spin”]

 

Related Posts

Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.

Read More

Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Read More

DKIM and injected headers

If you look at the DKIM-Signature header in any piece of email signed with DKIM you’ll see that one of the fields it contains, the h= field, lists some email header names, for example:

Read More