The Importance of Rotating Your DKIM Keys

Apr. 2, 2013 by Kate Nowrouzi

You wouldn’t hand over your house keys to a perfect stranger. Why not ensure the same level of scrutiny and security for your email systems?

We’ve covered a lot of topics on email security in the past few months. There’s an introduction to the various email authentication standards, an overview of DMARC, an overview of DKIM and best practices in upgrading DKIM keys.

This week’s post is on ensuring the continued security of your systems, by rotating your DKIM keys.

On DKIM

A number of ISPs have declared that, as of 2013, they no longer accept DKIM keys of 512 bits or less. Such keys have not quite disappeared, however. If you are a major brand charged with protecting your customers' data, sticking with weak 512-bit keys is a high security risk that is not worth the possible damage to your brand's reputation. It is imperative to increase your key length to 1024 bits as soon as possible.

At Message Systems, we ensure that all of our clients are currently using 1024-bit keys. We have supported SPF and DomainKeys since 2004, Sender ID and DKIM since 2005, and DMARC since 2012. While 2048-bit keys are an option, major ISPs in the US are still not able to accept them at the moment.

DKIM and DomainKeys: What’s the difference?

Simply put, DKIM is an upgrade to DomainKeys, designed to increase adoption by offering better flexibility and security. There is a fairly detailed technical comparison on the DKIM.org website.

On DKIM Key Rotation

Aside from ensuring a minimum key length of 1024 bits, it is equally important that businesses rotate their DKIM keys every three months. Here is a quick recap of how DKIM keys work.

DKIM is an email authentication method: DKIM keys let a receiver verify that a message has not been modified in transit. Domain owners generate a key pair, one public and one private, which is used to sign email on a per-domain basis. The public key is published as a TXT record in the domain's DNS. The private key is kept on the domain's outgoing mail server.

When an email is sent, the outgoing server signs it with the private key and carries the resulting digital signature in the message's DKIM-Signature header.

Upon receipt, the recipient's mail server verifies that signature using the public key in the domain's DNS record. A matching signature means the message validated successfully.

Rotating DKIM Keys

It is a best practice to rotate your DKIM keys every three months. However, many businesses neglect this important step. One reason is that rotating keys is no easy task.

As with any password, the longer a key goes unchanged, the higher the risk that it has been compromised. Keys are rotated by creating a new {selector, private key, public key} set. If you need help creating DKIM keys, try the command-line tools available on CPAN.

Once the new keys have been created, the new public key has to be published in DNS and the outgoing mail server has to be reconfigured to use the new private key. The old key should be kept for a period of 7 days, after which it can be safely removed.
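The signing, verification and rotation steps described above, as an added Go example that is not part of the original post and not Message Systems' own code. It assumes an in-memory map standing in for the domain's DNS, the placeholder domain example.com, constructed selector names 2013q1 and 2013q2, and a simplified signature over the message body only; the names Zone, KeySet, Rotate, Sign, Verify, parseTags and RotationDemo are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Zone stands in for the domain's DNS (constructed): TXT name -> TXT value.
type Zone map[string]string

// KeySet is the {selector, private key, public key} set the article describes.
type KeySet struct {
	Selector string
	Priv     *rsa.PrivateKey
}

// Rotate is steps 1-2 of the procedure: generate a fresh key set and publish its
// public half as selector._domainkey.<domain> (1024 is the floor; 2048 is modern).
func (z Zone) Rotate(domain, selector string, bits int) (*KeySet, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	z[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return &KeySet{Selector: selector, Priv: priv}, nil
}

// Sign builds a simplified DKIM-Signature header value over the message body.
func Sign(domain string, ks *KeySet, body string) (string, error) {
	h := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, ks.Priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; b=%s", domain, ks.Selector, base64.StdEncoding.EncodeToString(sig)), nil
}

// Verify mirrors the receiver: look up s._domainkey.d from the header's tags and check the signature.
func Verify(z Zone, header, body string) error {
	tags := parseTags(header)
	rec, ok := z[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return fmt.Errorf("no DKIM record published for selector %q", tags["s"])
	}
	der, errP := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	sig, errB := base64.StdEncoding.DecodeString(tags["b"])
	if errP != nil || errB != nil {
		return fmt.Errorf("malformed base64 in record or signature")
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey) // ok is false when err != nil
	if err != nil || !ok {
		return fmt.Errorf("record does not hold a usable RSA key: %v", err)
	}
	h := sha256.Sum256([]byte(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// parseTags splits the "k=v; k=v" lists used by both the header and the record.
func parseTags(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			out[k] = v
		}
	}
	return out
}

// RotationDemo runs one quarterly rotation and reports whether mail signed under
// the old selector verifies during the 7-day overlap and after the old record goes.
func RotationDemo(bits int) (duringOverlap, afterRetire bool, err error) {
	zone, domain, body := Zone{}, "example.com", "Hello from the old key" // constructed values
	old, err := zone.Rotate(domain, "2013q1", bits)
	if err != nil {
		return
	}
	hdr, err := Sign(domain, old, body) // mail already in flight under s=2013q1
	if err != nil {
		return
	}
	if _, err = zone.Rotate(domain, "2013q2", bits); err != nil { // new set goes live
		return
	}
	duringOverlap = Verify(zone, hdr, body) == nil   // both records still published
	delete(zone, old.Selector+"._domainkey."+domain) // after 7 days, retire the old one
	afterRetire = Verify(zone, hdr, body) == nil
	return
}
```

RotationDemo makes the reason for the 7-day overlap concrete: a message signed under the old selector keeps verifying as long as its TXT record is still published, and fails as soon as that record is deleted, so removing the old record too early breaks mail that is still in transit. Real DKIM (RFC 6376) also canonicalizes and signs selected headers and carries a bh= body hash, which this simplified Sign omits; use a real implementation such as the CPAN tools mentioned above for production signing.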

What’s next?

Now that DKIM best practices have been covered, it is time to turn the spotlight on DMARC. Our own Alec Peterson, CTO of Message Systems, is part of an all-star cast that presented a webinar on DMARC best practices. He was joined by Sam Masiello, Application Security at Groupon, and Brandon Dingae, Director of Anti-Phishing at ReturnPath. Watch the webinar replay to learn best practices for helping your organization optimize its communications and messaging strategies in the new DMARC email environment.

Don't Deprioritize DMARC webinar

3 Comments

  • Out of curiosity, is there a list of which specific ISPs still do not accept 2048 bit keys? Is this based on actual data that was current at the time of writing this article, stale data, or just plain speculation? I’m not trying to be rude – I would like to push for using 2048 bit keys for our environment, but it is very large & if there are going to be any issues then we would need specific details instead of guesses & generalities. Noting that Gmail is now 2048 leads me to believe that there should be very few ISPs and other email hosts that are still not capable of validating a 2048 bit key, even if they choose to not utilize them themselves.

    Also, what would a recommended timeframe be for rotating 2048 bit keys? Do you adjust your recommendation if the private key is protected by a FIPS 140-2 level 1,2,3 crypto module or not?

    Thanks!

  • I think the “not accepted by some ISPs” assertion is idle speculation. I’ve been using 2048 bit DKIM keys for 18 months now and haven’t seen *any* evidence of DKIM failures. I have DMARC records published and if anyone that does DMARC reporting was failing my DKIM signatures, I’d know about it.

  • Matt,

    Thanks for your comment – I set up 1024 bit keys about a year ago now based on the advice of this article. I’ve since been annoyed by my quarterly reminder to rotate them and have wondered when I might migrate to 2048. I think I’m going to take the plunge…

    Dustin
