Converting to 1024-bit DKIM

Nov. 8, 2012 by Mike Hillyer

Google, Microsoft and Yahoo are failing your DKIM keys? You’re not alone.

By now, just about everyone in the email/messaging/Internet world has heard about Zachary Harris, the mathematician in Florida who uncovered the fact that Google corporate was signing its email with weak 512-bit DKIM keys, and how that discovery has snowballed into most of the big ISPs now rejecting email signed with keys shorter than 1,024 bits. You can read the original Wired story or this blog post from Return Path’s Ken Takahashi for more context.

The whole episode is a good thing in that it has shined a light on the problem that many senders are still using weak 512-bit or 768-bit keys. Yet it’s a bad thing in that many senders haven’t fully come into DKIM compliance yet (the DKIM standard calls for signing keys of at least 1,024 bits), so they’re now seeing mailings fail. We’ve long advised our users to upgrade to 1024-bit DKIM keys, and now it’s no longer optional.

To upgrade the strength of your DKIM keys to 1024-bit, here are some helpful instructions:

First, MAAWG has published some best practices guidelines that provide a great starting point if you need to upgrade from 512-bit or 768-bit encryption:

  • Use a minimum 1024-bit DKIM key length to increase key complexity, as shorter keys, such as 512-bit, are inadequate.
  • Keys should be rotated quarterly to reduce the period of time the key could be used to compromise the integrity of email.
  • Signatures should have an expiration period greater than your current key rotation period.
  • The “t=y” declaration is for testing only.
  • To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” (a.k.a. “monitoring mode”) policy.
  • DomainKeys is a deprecated protocol; use DKIM instead.
  • Organizations should be engaged with anyone sending mail on their behalf and ensure that their third party email service providers adhere to these same best practices.

You’ll also want to decide whether to replace the DKIM keys in place under your existing selector, or to switch over and start signing with new keys under a new selector. Starting to sign with new keys under a new selector is probably the optimal decision: replacing the keys in place causes any messages that were already signed with the old key, and are still in the queue, to fail DKIM validation once you update your DNS record.
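Before rotating, it helps to know which of your selectors are still publishing short keys. The following is an added example (not code from the original post or from SparkPost): a stdlib-only Python check that parses a selector’s DKIM TXT record and reports the RSA modulus size. The sample records it audits are constructed for the demonstration and are not real key pairs; in practice you would feed it the TXT record fetched for `<selector>._domainkey.<your-domain>`.

```python
"""Audit the RSA modulus size published in a DKIM DNS TXT record (stdlib only)."""
import base64
import re

MIN_BITS = 1024  # the floor the large receivers began enforcing in 2012

def _der_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(txt_record):
    """Return the modulus size in bits of the p= key in a DKIM TXT record.
    DKIM publishes RSA keys as base64 SubjectPublicKeyInfo:
    SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INT n, INT e } } }."""
    tags = dict(re.findall(r"(\w+)=([^;]*)", txt_record))
    spki_der = base64.b64decode(re.sub(r"\s+", "", tags["p"]))  # TXT may be split
    _, spki, _ = _der_tlv(spki_der)      # outer SubjectPublicKeyInfo
    _, _, pos = _der_tlv(spki)           # AlgorithmIdentifier, skipped
    _, bitstr, _ = _der_tlv(spki, pos)   # subjectPublicKey BIT STRING
    _, rsakey, _ = _der_tlv(bitstr[1:])  # drop unused-bits byte -> RSAPublicKey
    _, modulus, _ = _der_tlv(rsakey)     # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()

def needs_upgrade(txt_record, min_bits=MIN_BITS):
    """True when the selector's key is shorter than receivers now accept."""
    return dkim_key_bits(txt_record) < min_bits

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample records."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def sample_record(bits):
    """Constructed DKIM TXT record with a dummy `bits`-bit modulus (2**(bits-1)+1).
    Not a real key pair; only the DER layout matters for exercising the check."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        print(bits, "needs upgrade" if needs_upgrade(sample_record(bits)) else "ok")
```

Run it against the record for each selector you sign with; any selector reported as needing an upgrade should get a fresh 1024-bit key under a new selector, with the old selector left published until queued mail signed with it has drained.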

We have documentation on the DKIM module on our support site, and for any of our users, we recommend that you consult that material. If you have any questions, please contact our support team and we’ll be in touch.

Learn more about DMARC, the industry’s email authentication standard with our How DMARC Is Saving Email eBook.
