On Oct 24, Wired.com published an article detailing how a clever mathematician got an email from a headhunter at Google, took it as a challenge, cracked the 512 bit DKIM key that Google sent the mail with, and wrote them back spoofing Gmail’s founders as the senders, setting off a chain reaction as the implications were examined.
Once Google understood what had happened, they changed their own key to a stronger one and, rightly, decided to change their policy on accepting incoming mail signed with weak DKIM keys. They announced that they would soon start failing signatures made with keys weaker than 1024 bits. On Nov 9, Laura Atkins from Word to the Wise posted that Gmail was sending out warnings to postmasters that they would begin treating mail signed with a 512 bit key as unsigned within about a week.
What does this mean to you as a sender?
First, the good news:
Failing a DKIM check at Gmail or anywhere else does not mean your mail will bounce. It does not mean your mail will arbitrarily be placed in the spam folder. It does not mean your domain’s chances of being hacked and spoofed have increased – those chances are the same as they ever were.
It does mean that Gmail will treat the mail the same as they would unsigned mail – with increased suspicion, which could have a negative impact on your IP’s reputation(s). It also means that your valuable domain is vulnerable to being spoofed in spam or used in a phishing attempt: The Wired article makes a point of noting that with modern computing power, a 512 bit key can be broken in 3 days. The US-CERT published a warning about this, saying “It is possible that an attacker could factor the encryption key for a domain that is using DKIM allowing them to sign emails originating from that domain. An attacker may be able to use a test signing key that is treated as trusted.”
What do you do?
Check your DKIM key’s length, and if it is less than 1024 bits, change it immediately, and make sure to delete the old key. Leaving it in means your domain remains vulnerable.
Make sure that you are not publishing your DKIM key in testing mode. A signer indicates that a domain is testing DKIM by setting the t= flag in the selector’s DNS record to t=y. If yours is set that way, most receivers will treat the mail as unsigned.
Rotate your keys regularly. We recommend this be done quarterly.
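The two checks above (key length and the t= testing flag) can be scripted against the TXT record published at selector._domainkey.yourdomain. The following is an added example, not code from the original post: it parses a DKIM record, base64-decodes the p= tag, walks the DER SubjectPublicKeyInfo far enough to read the RSA modulus, and reports its bit length and whether the record is in testing mode or revoked (empty p=). The sample records are constructed inline from arbitrary odd integers of the stated bit lengths (they are not real RSA keys; only the length matters here). Nothing beyond the standard library is needed.

```python
import base64
import re

# --- minimal DER helpers (no third-party crypto library required) ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)

def rsa_spki(n, e=65537):
    """Build a SubjectPublicKeyInfo (the structure DKIM's p= tag carries) for modulus n."""
    rsa_alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    pubkey = _der(0x30, _der_int(n) + _der_int(e))                              # RSAPublicKey
    return _der(0x30, rsa_alg + _der(0x03, b"\x00" + pubkey))                   # BIT STRING, 0 unused bits

def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Return the bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _tag, _alg, pos = _read_tlv(body, 0)        # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _read_tlv(body, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _tag, rsakey, _ = _read_tlv(bitstr[1:], 0)   # first byte is the unused-bit count
    tag, n_bytes, _ = _read_tlv(rsakey, 0)       # INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

# --- DKIM record handling ---

def dkim_dns_name(selector, domain):
    """DNS name to query for TXT, e.g. with: dig +short TXT <name>."""
    return f"{selector}._domainkey.{domain}"

def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; quotes/whitespace inside p= are dropped
    (dig prints long records as several quoted strings)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            k = k.strip()
            tags[k] = re.sub(r'[\s"]+', "", v) if k == "p" else v.strip()
    return tags

def check_dkim_record(txt, min_bits=1024):
    """Report modulus size, weakness against min_bits, testing mode (t=y) and revocation (p=)."""
    tags = parse_dkim_record(txt)
    p = tags.get("p", "")
    flags = tags.get("t", "").split(":")          # t= flags are colon-separated, e.g. y:s
    result = {"revoked": p == "", "testing": "y" in flags, "bits": 0, "weak": False}
    if p:
        result["bits"] = rsa_modulus_bits(base64.b64decode(p))
        result["weak"] = result["bits"] < min_bits
    return result

# Constructed sample records (not real keys): top bit set so the modulus is exactly 512 / 2048 bits.
WEAK_N = (1 << 511) | 0x2D5F1B3700000001
STRONG_N = (1 << 2047) | 0x2D5F1B3700000001
SAMPLE_WEAK = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(rsa_spki(WEAK_N)).decode()
SAMPLE_OK = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(STRONG_N)).decode()

if __name__ == "__main__":
    print("query:", dkim_dns_name("selector1", "example.com"))
    for label, rec in (("weak/testing", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(label, check_dkim_record(rec))
```

To audit a live domain, paste the output of `dig +short TXT selector1._domainkey.yourdomain` into `check_dkim_record`; a result with `weak` or `testing` set, or `bits` below 1024, is a record to replace rather than leave in place.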