Google, Microsoft and Yahoo are failing your DKIM keys? You’re not alone.
By now, just about everyone in the email/messaging/Internet world has heard about Zachary Harris, the mathematician in Florida who uncovered the fact that Google corporate was using weak 512-bit encryption in its email, and how that discovery has snowballed into most of the big ISPs now rejecting email signed with encryption keys less than 1,024 bits in length. You can read the original Wired story or this blog post from Return Path’s Ken Takahashi for more context.
The whole episode is a good thing in that it has shone a light on the problem that many senders are still using weak 512-bit or 768-bit keys. Yet it’s a bad thing in that many senders haven’t fully come into DKIM compliance yet (the DKIM standard calls for keys of at least 1,024 bits), and they’re now seeing mailings fail. We’ve long advised our users to upgrade to the 1,024-bit DKIM standard, and now it’s really no longer optional.
To upgrade the strength of your DKIM keys to 1024-bit, here are some helpful instructions:
First, MAAWG has published some best-practice guidelines that provide a great starting point if you need to upgrade from 512-bit or 768-bit keys:
- Use a minimum 1024-bit DKIM key length to increase key complexity, as shorter keys, such as 512-bit, are inadequate.
- Keys should be rotated quarterly to reduce the period of time the key could be used to compromise the integrity of email.
- Signatures should have an expiration period greater than your current key rotation period.
- The “t=y” declaration is for testing only.
- To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” (a.k.a. “monitoring mode”) policy.
- DomainKeys is a deprecated protocol; use DKIM instead.
- Organizations should be engaged with anyone sending mail on their behalf and ensure that their third party email service providers adhere to these same best practices.
You’ll also want to decide whether to replace the DKIM keys and selector in place, or to change over and start signing with new keys under a new selector. Starting to sign with new keys is probably the better choice: replacing the keys in place will cause any messages that have already been signed and are still in the queue to fail DKIM validation once you update your DNS record.
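The following script is an added example, not part of the original post or of any vendor’s DKIM module: it audits the key length a selector publishes (the p= value of the TXT record) and mints a fresh 1024-bit key under a new selector, which is the change-over approach described above. It assumes the openssl command-line tool is installed; the selector names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is
# installed; the selector names used below are placeholders.
set -eu

# Print the RSA modulus size in bits for the value of a DKIM record's p= tag
# (a base64 SubjectPublicKeyInfo). Use it to audit what a selector actually
# publishes before receivers start rejecting signatures made with it.
dkim_key_bits() {
  {
    printf '%s\n' '-----BEGIN PUBLIC KEY-----'
    printf '%s\n' "$1" | fold -w 64
    printf '%s\n' '-----END PUBLIC KEY-----'
  } | openssl rsa -pubin -text -noout 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p'
}

# Pull the p= value out of a TXT record string. Tolerates the quoted,
# space-separated chunks that dig prints for long records.
dkim_txt_p() {
  printf '%s' "$1" | tr -d ' "' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeed only if the published key meets the 1024-bit minimum.
dkim_key_ok() {
  bits=$(dkim_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 1024 ]
}

# Mint a key under a NEW selector and print its DNS record. Publishing a new
# selector, rather than replacing the old key in place, lets already-signed
# messages still in the queue validate as long as the old record stays up.
# Writes the private key to ./<selector>.private.
dkim_new_key() {
  sel=$1; bits=$2
  openssl genrsa -out "$sel.private" "$bits" 2>/dev/null
  pub=$(openssl rsa -in "$sel.private" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
  printf '%s._domainkey IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$sel" "$pub"
}

# Demo with a placeholder selector: generate, then audit the record we made.
record=$(dkim_new_key "sel2012" 1024)
printf '%s\n' "$record"
printf 'sel2012 publishes a %s-bit key\n' "$(dkim_key_bits "$(dkim_txt_p "$record")")"
```

To audit a live selector, feed the output of `dig +short TXT <selector>._domainkey.<domain>` to `dkim_txt_p` and then to `dkim_key_bits`.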
We have documentation on the DKIM module on our support site, and for any of our users, we recommend that you consult that material. If you have any questions, please contact our support team and we’ll be in touch.
Learn more about DMARC, the industry’s email authentication standard, with our How DMARC Is Saving Email eBook.