You wouldn’t hand over your house keys to a perfect stranger. Why not ensure the same level of scrutiny and security for your email systems?

We’ve covered a lot of topics on email security in the past few months. There’s an introduction to the various email authentication standards, an overview of DMARC, an overview of DKIM and best practices in upgrading DKIM keys.

This week’s post is on ensuring the continued security of your systems, by rotating your DKIM keys.


A number of ISPs have declared that, as of 2013, they will not accept keys of 512 bits or less. However, such keys have not quite been banished. If you are a major brand charged with protecting your customers’ data, sticking with weak 512-bit keys is a security risk that is simply not worth the possible damage to your brand’s reputation. Increase your key length to 1024 bits as soon as possible.

At Message Systems, we ensure that all of our clients are currently using 1024-bit keys. We have supported SPF & DomainKeys since 2004, SenderID & DKIM since 2005 and DMARC since 2012. While a 2048-bit key may be an option, major ISPs in the US are still not able to accept keys of that length at the moment.

DKIM and DomainKeys: What’s the difference?

Simply put, DKIM is an upgrade to DomainKeys to increase adoption by offering better flexibility and security. There’s a fairly detailed technical comparison on the website.

On DKIM Key Rotation

Aside from ensuring a minimum key length of 1024 bits, it’s equally important that businesses rotate their DKIM keys every three months. Here’s a quick recap of how DKIM keys work.

DKIM is an email authentication method that verifies a message has not been modified in transit. Domain owners generate a key pair, public and private, which is used to sign email on a per-domain basis. The public key is published as a TXT record in the domain’s DNS. The private key is kept on the domain’s outgoing mail server.

When emails are sent, the outgoing server appends a digital signature using the private key. This digital signature is added to the Domain Keys-Signature header in the sent mail.

Upon receipt of the email, the recipient verifies the DKIM signature against the public key in the domain’s DNS record. If the signature matches, validation succeeds.

Rotating DKIM Keys

It’s a best practice to rotate your DKIM keys every three months. However, many businesses neglect this important step. One reason is that rotating keys is no easy task.

As with passwords, however, the longer a key goes unchanged, the higher the risk that it has been compromised. Keys are rotated by creating a new {selector, private key, public key} set. If you need help creating DKIM keys, try the command-line tools available on CPAN.

Once the keys have been created, the public key will have to be published in the DNS record, and the outgoing mail server will have to be re-configured to use the new private key. The old key should be kept for a period of 7 days, after which it can be safely removed.
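As an added example (not code from this post or from Message Systems), here is the rotation bookkeeping in Go using only the standard library: generate the new {selector, private key, public key} set, render the TXT record to publish in DNS, and check when the next rotation is due and when the old record can be retired. The date-based selector, the reading of "three months" as 90 days and the domain example.com are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"time"
)

// DKIMKey is one {selector, private key, public key} set plus the date it went live.
type DKIMKey struct {
	Selector  string
	Private   *rsa.PrivateKey // stays on the outgoing mail server; public half goes in DNS
	Activated time.Time
}

// NewDKIMKey generates a fresh RSA key pair; the date-based selector (an assumption) cannot collide with the old one.
func NewDKIMKey(bits int, activated time.Time) (*DKIMKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &DKIMKey{Selector: activated.Format("20060102"), Private: priv, Activated: activated}, nil
}

// TXTRecord renders the public key as the record to publish at <selector>._domainkey.<domain>.
// The data is split into 255-byte strings because one DNS character-string is capped at
// 255 bytes: a 1024-bit key fits in a single string, a 2048-bit key needs two.
func (k *DKIMKey) TXTRecord(domain string) (name string, strs []string, err error) {
	der, err := x509.MarshalPKIXPublicKey(&k.Private.PublicKey)
	if err != nil {
		return "", nil, err
	}
	data := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	for len(data) > 255 {
		strs, data = append(strs, data[:255]), data[255:]
	}
	return k.Selector + "._domainkey." + domain, append(strs, data), nil
}

// RotationDue is true once a key has been signing for three months (taken here as 90 days).
func RotationDue(k *DKIMKey, now time.Time) bool {
	return now.Sub(k.Activated) >= 90*24*time.Hour
}

// ReadyToRetire is true once the replacement has been live for 7 days, the overlap the post recommends.
func ReadyToRetire(replacement *DKIMKey, now time.Time) bool {
	return now.Sub(replacement.Activated) >= 7*24*time.Hour
}
```

Publish the returned name and strings as one TXT record, switch the mail server to the new private key, and remove the previous selector's record once ReadyToRetire returns true.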

What’s next?

Now that DKIM best practices have been covered, it’s time to turn the spotlight on DMARC. Our own Alec Peterson, Message Systems CTO, was part of an all-star cast that presented a webinar on best practices for DMARC. He was joined by Sam Masiello, Application Security at Groupon, and Brandon Dingae, Director, Anti-Phishing at ReturnPath. Watch the webinar replay to learn best practices for helping your organization optimize its communications and messaging strategies in the new DMARC email environment.
