Size Matters, DKIM

Email Authentication is Key

Authenticated and Approved

Over a year ago the talk of the town was 1024-bit DKIM / DomainKeys. The short story, if you’ve been hiding under a rock, is that a mathematician who received a recruiting email from Google decided it must be either a gag or a test, given the weak key length. Treating it as a test, he set about proving his worth to Larry and Sergey by using the cracked 512-bit key to impersonate them. Since then the world has moved on, and the accepted minimum length for DomainKeys used in DKIM signing has been set at 1024 bits.

Are you big enough?

Is your existing DomainKey selector using an appropriately sized cryptographic key pair? A simple check can be performed by entering your selector and domain in this handy tool. Enter your details for the big reveal. If you came out on the plus side, awesome. If your key pair is no longer sufficiently sized, get to work updating it.
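The same check done by hand, as an added example that is not part of the original post: it parses the DKIM TXT record published at selector._domainkey.yourdomain, decodes the p= tag and reads the RSA modulus size straight out of the DER SubjectPublicKeyInfo, with no third-party library. The record would normally come from a DNS TXT lookup; here a constructed record (not a real key) is built inline so the script runs offline.

```python
import base64

def parse_dkim_record(txt):
    """Split "v=DKIM1; k=rsa; p=..." into tags, dropping whitespace inside
    values (long records are often published as several quoted strings)."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def der_read(data, pos=0):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of the DER SubjectPublicKeyInfo a p= tag carries:
    SEQ { SEQ { OID, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    _, body, _ = der_read(spki)            # outer SEQUENCE
    _, _alg, pos = der_read(body)          # AlgorithmIdentifier, skipped
    _, bitstr, _ = der_read(body, pos)     # BIT STRING wrapping the RSA key
    _, rsa, _ = der_read(bitstr[1:])       # first octet is the unused-bits count
    _, modulus, _ = der_read(rsa)          # INTEGER n comes before INTEGER e
    return int.from_bytes(modulus, "big").bit_length()

def check_selector(txt, minimum=1024):
    """Return (bits, ok) against the post's 1024-bit minimum; bits is None for a revoked (empty p=) or non-RSA key."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None, False
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= minimum

def der(tag, content):  # minimal DER encoder, used only to build the constructed sample below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_record(bits, exponent=65537):
    """Constructed DKIM record (not a real key): the modulus is just an odd
    number of the requested size, enough to exercise the size check."""
    def integer(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    key = der(0x30, integer((1 << (bits - 1)) | 1) + integer(exponent))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + key))).decode()
```

Against a live selector, feed the TXT record text to check_selector in place of sample_record; a record with an empty p= is a revoked key, which the check reports as failing rather than as a size.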

Rolling your own

There are a number of resources out there on the internet, just a Google search away, that will walk you step by step through generating, extracting, and deploying your new 1024-bit private / public key pair. The most manual of these processes is to use openssl to roll your own. Many MTA vendors and deliverability tool sites have web-based tools for generating the pair. One caveat: clean up after yourself. Delete the pair from the site once you have gathered the data. Leaving your key pair out there on the open internet is just silly; anyone who can retrieve the private key can sign mail as your domain.

Doing what your ESP recommends

If you are using an ESP, you should already have been contacted to update the DomainKey selector in place with a key of at least the 1024-bit minimum. The ESP will direct you either to publish a new selector in your DomainKey record or to remove the offending key outright and begin signing with third-party DKIM signatures.

ESP challenges

Third-party signing comes with its challenges, the most significant being that you will not be able to fully utilize DMARC in protecting your domain from phishing and fraud. A third-party signature is made with the ESP’s domain rather than yours, so the DKIM signature is misaligned and does not count as a DKIM pass under the DMARC standard. DMARC allows for a strict and a relaxed interpretation of alignment; under both, however, the domain used to sign (DKIM) or to authenticate (SPF) has to be the same as the domain in the From and the MailFrom, respectively.

Engage your ESP

If your ESP is performing third-party signing after having you remove an out-of-date selector, engage their deliverability staff. Request that your email be signed using your domain. It’s a simple matter to deploy the public key in a new selector under your domain; it was how they got you signed with the 512-bit key in the first place 😉
