DKIM: Three Things You Might Not Know

The big ISPs like Gmail, Yahoo! Mail, and Hotmail are pushing senders to authenticate their email through a carrot/stick approach: do it well, and you’ll achieve higher deliverability rates. Authenticate poorly, and your email will be ranked lower, hurting your overall deliverability. Other symptoms might include warnings or a lack of graphics and identifying logos.

Microsoft & Google are beginning to show consumers if an email has been authenticated. Note that Google will insert logos for authenticated email and “?” for non-authenticated email. Similarly, Microsoft will redact logos and graphics and add red indicators if an email lacks proper authentication. Authenticate properly, and the email will display a green shield and render all logos and graphics.


Given this environment, we wanted to write a quick post on one aspect of email authentication that still breeds confusion: DKIM (short for DomainKeys Identified Mail). DKIM is an open, DNS-based email authentication standard built on public-key cryptography: the sender signs each message with a private key, and receivers verify the signature with a public key published in the sender’s DNS. There are several issues that a sender should consider when implementing DKIM.

The Right Way to Implement DKIM

No Key Sharing. Each customer, brand, or entity sending a distinct mail stream should have its own dedicated DKIM key, published under its own selector. When a sender doesn’t mix and match DKIM keys between mail streams, a compromised DKIM key can only impact a single brand or stream.

Regular Key Rotation. As the specification recommends, DKIM keys should be changed (or “rotated”) on a regular basis, about 3–4 times per year. DKIM’s selector makes this workable: each key is published in DNS under its own selector name, so a new key can be added before the old one is retired. Rotation ensures that if a key is compromised for any reason (for example, by an attacker who obtains the private key), it can only be used for a limited time. Once the old key is rotated out and its public key removed from DNS, the compromised key is useless, because receivers can no longer verify signatures made with it.

Distributed, Encrypted Key Storage. Compromised DKIM private keys are extremely valuable: an attacker who holds one can send mail that passes authentication as the sender, which is exactly the kind of message receivers are least likely to filter. Senders need to avoid storing private keys in plaintext, avoid maintaining a centralized database of keys, and apply the practices that go with any signing key (restricted access, encryption at rest, and an audit trail of use).

The Reality of How DKIM is Implemented

Widespread Key Sharing. Because DKIM is relatively complex and proper key management is burdensome, senders often use the same key across their brands, entities and mail streams. The simplified configuration of a shared key is easier to implement, but it creates a single point of failure: one compromised key lets an attacker sign mail that authenticates as every brand and stream that shares it.

Little to No Key Rotation. Because key rotation typically requires a sender to manually update one or more DNS records—or even worse, have their partners and sending entities manually update one or more DNS records—key rotation is extremely rare in practice. DKIM keys are typically set once and never changed. It’s not uncommon to see DKIM keys that are 5–10 years old in production!

Centralized, Plain Text Key Storage. Finally, even if a sender tries to do DKIM correctly—provide one key per sending entity or mail stream, and rotate keys on a regular basis—the path of least resistance is to store the keys for all their sending domains in a central database in plaintext, to simplify key management and distribution to the mail servers. Unfortunately this sort of architecture is a beacon to criminals, and makes it exceedingly easy to steal all of the sender’s keys during a breach.

Given that numerous major brands and ESPs have reportedly been breached over the last couple of years, this approach must be considered highly risky.

What’s the Answer?

Senders should use a DKIM system that supports frequent, automated key rotation, defines a unique DKIM key per mail stream, and stores the private keys securely. Email authentication must be treated as an ongoing policy and practice, not a checkbox: too much, including your brand’s integrity, depends on it.

Whether or not you are interested in authentication, feel free to drop us a line and we’d be happy to discuss it further. Here’s to automated and secure authentication!

-Alex Garcia-Tobar

About the Author

Alexander García-Tobar is a serial entrepreneur and currently CEO & Co-Founder of ValiMail, providing Email Authentication as a Service™. Previously, Alexander held various executive and analyst positions at leading research companies such as The Boston Consulting Group and Forrester Research and at Silicon Valley startups such as ValiCert, Sygate, and SyncTV.





You wouldn’t hand over your house keys to a perfect stranger. Why not ensure the same level of scrutiny and security for your email systems?

We’ve covered a lot of topics on email security in the past few months. There’s an introduction to the various email authentication standards, an overview of DMARC, an overview of DKIM and best practices in upgrading DKIM keys.

This week’s post is on ensuring the continued security of your systems, by rotating your DKIM keys.


A number of ISPs declared in 2013 that they would no longer accept DKIM keys of 512 bits or less. Such keys have not yet disappeared, however. A 512-bit RSA modulus can be factored with modest computing resources, which hands an attacker the private key and, with it, the ability to sign mail as you. If you are a major brand charged with protecting your customers’ data, staying on weak 512-bit keys is a risk that isn’t worth the possible damage to your brand reputation. It’s imperative to increase your key length to at least 1024 bits as soon as possible.

At Message Systems, we ensure that all of our clients currently use 1024-bit keys. We have supported SPF and DomainKeys since 2004, SenderID and DKIM since 2005, and DMARC since 2012. While a 2048-bit key may be an option, major ISPs in the US were still not able to accept such keys at the time of writing. (A 2048-bit public key also makes the TXT value longer than the 255-byte limit of a single DNS string, so it has to be published as several concatenated strings, which not every DNS provider’s interface supports.)

DKIM and DomainKeys: What’s the difference?

Simply put, DKIM is an upgrade to DomainKeys to increase adoption by offering better flexibility and security. There’s a fairly detailed technical comparison on the website.

On DKIM Key Rotation

Aside from ensuring the minimum key length of 1024-bit, it’s equally important that businesses rotate their DKIM Keys every three months. Here’s a quick recap on DKIM keys.

DKIM is an email authentication method in which a signature verifies that a message was sent by the signing domain and has not been modified in transit. The domain owner generates a key pair. The public key is published in DNS as a TXT record under a selector name, at selector._domainkey.example.com, and the private key is kept on the domain’s outgoing mail server. Because keys are identified by selector, a domain can publish several keys at once.

When an email is sent, the outgoing server hashes the message body and a chosen set of headers, signs the result with the private key, and adds the signature, together with the selector, domain, header list and body hash, in a DKIM-Signature header. (The older DomainKeys scheme used a DomainKey-Signature header instead.)

On receipt, the verifier reads the domain (d=) and selector (s=) from the DKIM-Signature header, fetches the public key from DNS, recomputes the body hash and checks the signature with the public key. If both match, the message passes DKIM validation; if the body or a signed header was altered in transit, it fails.
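The signing and verification steps above, as an added example that is not part of the original post: a small POSIX shell script that uses openssl to compute the body hash, sign the headers and verify the result. It is deliberately simplified (simple canonicalisation only, a fixed header list, no tag folding) and the domain, selector and message are hypothetical; a real MTA, or the Mail::DKIM tools, follows RFC 6376 in full.

```shell
#!/bin/sh
# Added example, not from the original post: the computation behind a DKIM
# signature, done with openssl. Simplified on purpose: "simple" canonicalisation
# only, a fixed header list (from:to:subject), no tag folding. Domain, selector
# and message are hypothetical.
set -eu

WORK=$(mktemp -d)
openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null                      # signer's private key
openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null  # what goes into DNS

# Constructed sample message: headers (one per line) and body.
HEADERS='From: news@example.com
To: alice@example.net
Subject: Quarterly statement'
BODY='Your statement is attached.
'

# bh= tag: base64(SHA-256(body)) with every line terminated by CRLF, as the
# "simple" body canonicalisation requires.
body_hash() {
    printf '%s' "$1" | awk '{ printf "%s\r\n", $0 }' \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# The DKIM-Signature header as it is hashed: every tag filled in, b= empty.
unsigned_header() {   # $1=domain $2=selector $3=body hash
    printf 'DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=' \
        "$1" "$2" "$3"
}

# Data covered by the signature: the signed headers, each followed by CRLF,
# then the DKIM-Signature header itself with no trailing CRLF.
signed_data() {       # $1=headers $2=unsigned DKIM-Signature header
    printf '%s\n%s' "$1" "$2" | awk 'NR > 1 { printf "\r\n" } { printf "%s", $0 }'
}

# Signer: compute bh=, then RSA-SHA256 (PKCS#1 v1.5) over the header data.
dkim_sign() {         # $1=headers $2=body $3=domain $4=selector $5=private key
    bh=$(body_hash "$2")
    hdr=$(unsigned_header "$3" "$4" "$bh")
    b=$(signed_data "$1" "$hdr" | openssl dgst -sha256 -sign "$5" | openssl base64 -A)
    printf '%s%s\n' "$hdr" "$b"
}

# Verifier: recompute bh= and compare, then check b= with the public key that a
# receiver would fetch from <selector>._domainkey.<domain>. Returns 0 on pass.
dkim_verify() {       # $1=headers $2=body $3=signed DKIM-Signature line $4=public key
    b=${3##*; b=}
    hdr="${3%; b=*}; b="
    bh=${hdr##*bh=}; bh=${bh%%;*}
    [ "$bh" = "$(body_hash "$2")" ] || return 1        # body was modified in transit
    printf '%s' "$b" | openssl base64 -d -A > "$WORK/sig.bin"
    signed_data "$1" "$hdr" \
        | openssl dgst -sha256 -verify "$4" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Demo: sign, verify, then show that a modified body no longer verifies.
SIG=$(dkim_sign "$HEADERS" "$BODY" example.com 2013q3 "$WORK/priv.pem")
echo "$SIG"
dkim_verify "$HEADERS" "$BODY" "$SIG" "$WORK/pub.pem" && echo "original message: DKIM pass"
dkim_verify "$HEADERS" "$BODY tampered" "$SIG" "$WORK/pub.pem" || echo "modified body: DKIM fail"
```

The verifier has no secret of its own: everything it needs is the signed header and the public key, which is why the public key belongs in DNS and the private key must never leave the signing host. Changing a single byte of the body changes bh= and the check fails before any RSA work is done; changing a signed header such as From leaves bh= intact but breaks the signature itself.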

Rotating DKIM Keys

It’s a best practice to rotate your DKIM Keys every three months. However, many businesses neglect this important step. One of the reasons is because rotating keys is no easy task.

As with passwords, the longer a key goes unchanged, the more time an attacker has to steal or break it. Keys are rotated by creating a new {selector, private key, public key} set. If you need help creating DKIM keys, try the command line tools available on CPAN, or generate the key pair with openssl.

Once the keys have been created, publish the new public key in DNS under the new selector, and reconfigure the outgoing mail server to sign with the new private key and selector. Keep the old public key published for 7 days, so that messages signed with it before the switch (queued, delayed or forwarded mail) still verify; after that it can be safely removed from DNS. DKIM also lets you revoke a key explicitly by publishing its record with an empty p= value.
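The rotation procedure just described, and the one-key-per-stream rule from the first post, as an added example that is not part of either post: a POSIX shell script using openssl to create a new selector and key pair, refuse anything under 1024 bits, emit the TXT record to publish, and note when the old selector can go. The domain, the selector naming scheme (stream name plus quarter, such as marketing-2013q3) and the $DKIM_DIR location are assumptions; the step that reconfigures the MTA is printed, not performed, because its form depends on the mail server.

```shell
#!/bin/sh
# Added example, not from the original post: the DKIM rotation procedure with
# openssl. Selector names are hypothetical and encode the mail stream and the
# quarter (marketing-2013q3), so each stream has its own key and the quarterly
# change is visible in DNS. Keys are written under $DKIM_DIR.
set -eu

DKIM_DIR="${DKIM_DIR:-$(mktemp -d)}"

# Step 1: a new {selector, private key, public key} set. Anything under 1024
# bits is refused, matching the minimum the post insists on.
dkim_new_key() {          # $1=selector $2=domain $3=bits (default 1024) -> prints private key path
    selector="$1"; domain="$2"; bits="${3:-1024}"
    [ "$bits" -ge 1024 ] || { echo "refusing $bits-bit key: minimum is 1024" >&2; return 1; }
    priv="$DKIM_DIR/$selector._domainkey.$domain.key"
    openssl genrsa -out "$priv" "$bits" 2>/dev/null
    chmod 600 "$priv"                                  # only the MTA's user reads the private key
    openssl rsa -in "$priv" -pubout -out "${priv%.key}.pub" 2>/dev/null
    echo "$priv"
}

# Modulus size of a public key, for auditing keys already in use (expect >= 1024).
dkim_key_bits() {         # $1=public key PEM
    openssl rsa -pubin -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Step 2: the TXT record to publish. p= is the base64 SubjectPublicKeyInfo,
# i.e. the PEM file without its armour lines. A 2048-bit key produces a value
# longer than one 255-byte DNS string, so the record is emitted as several
# quoted strings that resolvers concatenate.
dkim_txt_record() {       # $1=selector $2=domain $3=public key PEM
    p=$(grep -v '^-----' "$3" | tr -d '\n')
    chunks=$(printf 'v=DKIM1; k=rsa; p=%s\n' "$p" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" "${chunks% }"
}

# Steps 1-3 together, plus the 7-day overlap the post recommends.
dkim_rotate() {           # $1=new selector $2=old selector $3=domain $4=bits
    priv=$(dkim_new_key "$1" "$3" "${4:-1024}")
    echo "1. publish:"; dkim_txt_record "$1" "$3" "${priv%.key}.pub"
    echo "2. configure the MTA to sign with selector $1 and key $priv"
    echo "3. after 7 days, delete $2._domainkey.$3 from DNS (or publish it with an empty p=)"
}

dkim_rotate marketing-2013q3 marketing-2013q2 example.com 2048
```

Because the selector is part of the DNS name, the new record can be published and verified (for example with dig TXT marketing-2013q3._domainkey.example.com) before the MTA is switched over, and the old record stays resolvable during the overlap, so nothing in flight fails.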

What’s next?

Now that DKIM best practices have been covered, it’s time to turn the spotlight on DMARC. Our own Alec Peterson, Message Systems CTO is part of an all-star cast that presented a webinar on best practices for DMARC. He was joined by Sam Masiello, Application Security at Groupon and Brandon Dingae, Director, Anti-Phishing at ReturnPath. Watch the webinar replay to learn best practices for helping your organization optimize your communications and messaging strategies in the new DMARC email environment.
