DKIM 512 bit cracked, Gmail Policy Changes, And The Implications for Email Senders

On Oct 24, Wired published an article detailing how a clever mathematician got an email from a headhunter at Google, took it as a challenge, cracked the 512-bit DKIM key Google had signed the mail with, and wrote back spoofing Gmail’s founders as the senders, setting off a chain reaction as the implications were examined.

Once Google understood what had happened, they changed their own key to a more secure one and rightly decided to change their policies about accepting incoming mail signed with weak DKIM keys. They announced that they would soon start failing keys weaker than 1024 bits. On Nov 9, Laura Atkins from Word to the Wise posted that Gmail was sending out warnings to postmasters that, within about a week, they would begin treating mail signed with a 512-bit key as unsigned.

What does this mean to you as a sender?

First, the good news:
Failing a DKIM check at Gmail or anywhere else does not mean your mail will bounce. It does not mean your mail will arbitrarily be placed in the spam folder. It does not mean your domain’s chances of being hacked and spoofed have increased – those chances are the same as they ever were.

It does mean that Gmail will treat the mail the same as it would unsigned mail – with increased suspicion, which could have a negative impact on your IP’s reputation(s). It also means that your valuable domain is vulnerable to being spoofed in spam or used in a phishing attempt: the Wired article makes a point of noting that with modern computing power, a 512-bit key can be broken in 3 days. US-CERT published a warning about this, saying “It is possible that an attacker could factor the encryption key for a domain that is using DKIM allowing them to sign emails originating from that domain. An attacker may be able to use a test signing key that is treated as trusted.”

What do you do?

  • Check your DKIM key’s length. If it is less than 1024 bits, change it immediately and make sure to delete the old key. Leaving it published means your domain remains vulnerable.
  • Make sure that you are not publishing your DKIM key in testing mode. A signer can indicate that a domain is testing DKIM by setting the selector flags tag (t=) to t=y. If yours is set that way, most receivers will treat the mail as unsigned.
  • Rotate your keys regularly. We recommend this be done quarterly.
  • Implement DMARC if you haven’t already done it. It can be a valuable tool to keep your domain secure.

How can you tell if your key is too short, or if Gmail is failing it?

You can check your key using this tool. A 512-bit key will look like this: “k=rsa\; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==\;”
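As an added example (not code from the original article or from the tool it links to), the following Python checker applies the first two items of the checklist above to a DKIM TXT record: it parses the tag=value pairs, walks the DER of the p= public key to find the RSA modulus, and flags keys under 1024 bits and records published with t=y. The record parser and minimal DER walk are my own; sample_record builds constructed records around synthetic moduli (not real keys) so the checker can be exercised offline.

```python
import base64

def parse_dkim_record(txt):
    """Split a DKIM TXT record into tag=value pairs; p= may be wrapped with whitespace."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _first_integer(buf):
    """Depth-first DER walk over SEQUENCE / BIT STRING nodes; return the first INTEGER."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits = number of length bytes
            nb = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        val, pos = buf[pos:pos + length], pos + length
        if tag == 0x02:
            return int.from_bytes(val, "big")
        if tag in (0x30, 0x03):  # BIT STRING payload starts with an unused-bits byte
            found = _first_integer(val[1:] if tag == 0x03 else val)
            if found is not None:
                return found
    return None

def dkim_key_bits(txt):  # modulus bits; AlgorithmIdentifier has no INTEGER, so first INTEGER is n
    return _first_integer(base64.b64decode(parse_dkim_record(txt)["p"])).bit_length()

def assess_record(txt):
    """Apply the checklist above: modulus >= 1024 bits and no t=y testing flag."""
    tags, bits, problems = parse_dkim_record(txt), dkim_key_bits(txt), []
    if bits < 1024:
        problems.append(f"{bits}-bit key: Gmail will treat the mail as unsigned")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: record is in testing mode")
    return bits, problems

def _der(tag, body):  # DER TLV with short- or long-form definite length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_record(n, testing=False):
    """Constructed test record: wraps a synthetic modulus as an RSA SPKI; NOT a real key."""
    def integer(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)  # INTEGER stays positive
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, integer(n) + integer(65537))))
    return f"v=DKIM1; k=rsa; {'t=y; ' if testing else ''}p={base64.b64encode(spki).decode()}"
```

To check a live selector, pass the TXT record returned by a DNS lookup of selector._domainkey.yourdomain to assess_record.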

Kudos to the gentleman who started this ball rolling – Zachary Harris, mathematician. It’s a remarkable story, and I hope he got the job if he wanted it.
