DKIM 512 bit cracked, Gmail Policy Changes, And The Implications for Email Senders

Share this post:

On Oct 24, published an article detailing how a clever mathematician got an email from a headhunter at Google, took it as a challenge, cracked the 512 bit DKIM key that Google sent the mail with, and wrote them back spoofing Gmail’s founders as the senders, setting off a chain reaction as the implications were examined.

As Google understood what had happened, they changed their own key to a more secure one, and rightly decided to change their policies about accepting incoming mail with weak DKIM keys. They announced that they would soon start failing keys that were weaker than 1024 bits. On Nov 9, Laura Atkins from Word to the Wise posted that Gmail was sending out warnings to postmasters that they would begin treating mail signed with a 512 bit key as unsigned within about a week.

What does this mean to you as a sender?

First, the good news:
Failing a DKIM check at Gmail or anywhere else does not mean your mail will bounce. It does not mean your mail will arbitrarily be placed in the spamfolder. It does not mean your domain’s chance of being hacked and spoofed have increased – those chances are the same as they ever were.

It does mean that Gmail will treat the mail the same as they would unsigned mail – with increased suspicion, which could have a negative impact on your IP’s reputation(s). It also means that your valuable domain is vulnerable to being spoofed in spam or used in a phishing attempt: The Wired article makes a point of noting that with modern computing power, a 512 bit key can be broken in 3 days. The US-CERT published a warning about this, saying “It is possible that an attacker could factor the encryption key for a domain that is using DKIM allowing them to sign emails originating from that domain. An attacker may be able to use a test signing key that is treated as trusted.”

What do you do?

  • Check your DKIM key’s length, and if it is less than 1024 bits, change it immediately, and make sure to delete the old key. Leaving it in means your domain remains vulnerable.
  • Make sure that you are not publishing your DKIM key in testing mode. A signer can indicate that a domain is testing DKIM by setting the DKIM Selector Flag (t=) flag to t=y.   If yours is set that way, most receivers will treat the mail as unsigned.
  • Rotate your keys regularly. We recommend this be done quarterly.
  • Implement DMARC if you haven’t already done it. It can be a valuable tool to keep your domain secure.

How can you tell if your key is too short, or if Gmail is failing it?

You can check your key using this tool. A 512 key will look like this: descriptive text “k=rsa\; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==\;”

Kudos to the gentleman who started this ball rolling – Zachary Harris, mathematician. It’s a remarkable story, and I hope he got the job if he wanted it.

Add Comment
One Comment

Leave a Reply

Your email address will not be published.Required fields are marked *

[…] so do the attacks, that is life. One story to illustrate this is that it became apparent that DKIM keys of a 512 bit length were being cracked, then gmail changed their policies to cater for a longer key length […]

More Articles Stories

IDC: The Future of Supply Chain

What are the challenges and technologies shaping the future of supply chain? We’re living in what some call the age of disruption, where digital business and globalization are disrupting business models and industries and changing the way we live and conduct business. According to IDC, this will translate into 33 percent of all manufacturing companies […]

Continue reading

From Umbrellas to Query Based Volume Determination: My Life as an Inventor

Last night was a big night for me — I’m extremely honored to be inducted into the Women in Technology International (WITI) Hall of Fame where I will join fellow IBMers including Harriet Green and Marie Wieck. While I didn’t know it at the time, I started down this path a long time ago… as […]

Continue reading

Mothers (Like Everyone) Matter Every Day

Mother’s Day is a day to celebrate the beauty of motherhood. Conceived as a chance to spend quiet time with mom, it has become a commercial bonanza for greeting cards, flowers and chocolate. One would hope that when Mother’s Day ends, we realize we should honor our mothers every day. Similarly, a company should honor […]

Continue reading