The Importance of Rotating Your DKIM Keys

Apr. 2, 2013 by Kate Nowrouzi

You wouldn’t hand over your house keys to a perfect stranger. Why not ensure the same level of scrutiny and security for your email systems?

We’ve covered a lot of topics on email security in the past few months. There’s an introduction to the various email authentication standards, an overview of DMARC, an overview of DKIM and best practices in upgrading DKIM keys.

This week’s post is on ensuring the continued security of your systems, by rotating your DKIM keys.

On DKIM

A number of ISPs have declared that, as of 2013, they will no longer accept keys of 512 bits or less. However, these keys have not quite been banished. If you are a major brand charged with protecting the data of your customers, sticking with weak 512-bit keys is simply a security risk that isn’t worth the possible damage to your brand reputation. It’s imperative to increase your key length to 1024-bit ASAP.

At Message Systems, we ensure that all of our clients are currently using the 1024-bit key. We have supported SPF & DomainKeys since 2004, SenderID & DKIM since 2005 and DMARC since 2012. While the 2048-bit key may be an option, major ISPs in the US are still not able to accept the keys at the moment.

DKIM and DomainKeys: What’s the difference?

Simply put, DKIM is an upgrade to DomainKeys to increase adoption by offering better flexibility and security. There’s a fairly detailed technical comparison on the DKIM.org website.

On DKIM Key Rotation

Aside from ensuring the minimum key length of 1024-bit, it’s equally important that businesses rotate their DKIM Keys every three months. Here’s a quick recap on DKIM keys.

DKIM is an email authentication method whose keys verify that a message has not been modified in transit. Domain owners generate a key pair, public and private, which is used to sign email on a per-domain basis. The public key is published as a TXT record in the domain’s DNS. The private key is kept on the domain’s outgoing mail server.

When an email is sent, the outgoing server signs it with the private key and adds the resulting digital signature to the DKIM-Signature header of the message.

Upon receipt of the email, the receiving server verifies the DKIM signature using the public key from the domain’s DNS record. A matching signature means the message validated successfully.

Rotating DKIM Keys

It’s a best practice to rotate your DKIM Keys every three months. However, many businesses neglect this important step. One of the reasons is that rotating keys is no easy task.

As with passwords, the longer a key goes unchanged, the higher the risk of its being compromised. Keys are rotated by creating a new {selector, private key, public key} set. If you need help creating DKIM Keys, try the command line tools available on CPAN.

Once the keys have been created, the public key will have to be published in the DNS record, and the outgoing mail server will have to be re-configured to use the new private key. The old key should be kept for a period of 7 days, after which it can be safely removed.
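The rotation steps above, as an added shell example that is not part of the original post and not Message Systems’ tooling. It uses `openssl` to create the new {selector, private key, public key} set, checks that the new key meets the 1024-bit minimum before anything is published, and prints the TXT record for the new selector. The selector name `201304`, the domain `example.com` and the function names are placeholders chosen for this example; the old selector stays in DNS for the 7-day overlap the post describes and is removed by hand afterwards.

```shell
#!/bin/sh
# Added example (not from the post): generate a new DKIM key pair with
# openssl and print the DNS TXT record that publishes the new public key.
# Selector, domain and function names are placeholders for this example.
set -eu

# dkim_generate SELECTOR DOMAIN BITS DIR
#   Writes DIR/SELECTOR.private and DIR/SELECTOR.public and prints the
#   zone-file line for SELECTOR._domainkey.DOMAIN.
dkim_generate() {
  selector=$1; domain=$2; bits=$3; dir=$4
  openssl genrsa -out "$dir/$selector.private" "$bits" 2>/dev/null
  openssl rsa -in "$dir/$selector.private" -pubout \
    -out "$dir/$selector.public" 2>/dev/null
  # The p= tag carries the base64 DER of the public key: drop the PEM
  # armor lines and join what remains into one string.
  p=$(grep -v '^-----' "$dir/$selector.public" | tr -d '\n')
  # A DNS character-string holds at most 255 bytes; a 2048-bit key does
  # not fit in one, so split the value into quoted 255-byte chunks
  # (verifiers concatenate the chunks back together).
  txt=$(printf 'v=DKIM1; k=rsa; p=%s' "$p" | fold -w 255 \
        | sed 's/.*/"&"/' | tr '\n' ' ')
  printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "$txt"
}

# dkim_key_bits PRIVATE_KEY_FILE
#   Prints the RSA modulus size, so the key can be rejected if it is
#   below the 1024-bit minimum before it is published or configured.
dkim_key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Rotation walk-through: new selector for the new quarter, new key pair,
# size check, then the record to add alongside the still-published old one.
workdir=$(mktemp -d)
record=$(dkim_generate 201304 example.com 1024 "$workdir")
bits=$(dkim_key_bits "$workdir/201304.private")
[ "$bits" -ge 1024 ] || { echo "key too short: $bits bits" >&2; exit 1; }
echo "1. publish this record (keep the previous selector's record for 7 days):"
echo "   $record"
echo "2. point the outgoing mail server at $workdir/201304.private"
echo "3. after 7 days, delete the previous selector's TXT record and private key"
```

Using a date-based selector (here `201304`) makes the quarterly cadence visible in DNS and means the new record never collides with the old one, so both keys verify during the 7-day overlap while queued or delayed mail signed with the old key is still in flight.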

What’s next?

Now that DKIM best practices have been covered, it’s time to turn the spotlight on DMARC. Our own Alec Peterson, Message Systems CTO is part of an all-star cast that presented a webinar on best practices for DMARC. He was joined by Sam Masiello, Application Security at Groupon and Brandon Dingae, Director, Anti-Phishing at ReturnPath. Watch the webinar replay to learn best practices for helping your organization optimize your communications and messaging strategies in the new DMARC email environment.

Don't Deprioritize DMARC webinar

3 Comments

  • Out of curiosity, is there a list of which specific ISPs still do not accept 2048 bit keys? Is this based on actual data that was current at the time of writing this article, stale data, or just plain speculation? I’m not trying to be rude – I would like to push for using 2048 bit keys for our environment, but it is very large & if there are going to be any issues then we would need specific details instead of guesses & generalities. Noting that Gmail is now 2048 leads me to believe that there should be very few ISPs and other email hosts that are still not capable of validating a 2048 bit key, even if they choose to not utilize them themselves.

    Also, what would a recommended timeframe be for rotating 2048 bit keys? Do you adjust your recommendation if the private key is protected by a FIPS 140-2 level 1,2,3 crypto module or not?

    Thanks!

  • I think the “not accepted by some ISPs” assertion is idle speculation. I’ve been using 2048 bit DKIM keys for 18 months now and haven’t seen *any* evidence of DKIM failures. I have DMARC records published and if anyone that does DMARC reporting was failing my DKIM signatures, I’d know about it.

  • Matt,

    Thanks for your comment – I setup 1024 bit keys about a year ago now based on the advice of this article. I’ve since been annoyed by my quarterly reminder to rotate them and have wondered when I might migrate to 2048. I think I’m going to take the plunge…

    Dustin
