DKIM 512 bit cracked, Gmail Policy Changes, And The Implications for Email Senders

On Oct 24, Wired published an article detailing how a clever mathematician got an email from a headhunter at Google, took it as a challenge, cracked the 512-bit DKIM key Google had signed the mail with, and wrote back spoofing Gmail’s founders as the senders, setting off a chain reaction as the implications were examined.

As Google understood what had happened, they changed their own key to a more secure one, and rightly decided to change their policies about accepting incoming mail with weak DKIM keys. They announced that they would soon start failing keys that were weaker than 1024 bits. On Nov 9, Laura Atkins from Word to the Wise posted that Gmail was sending out warnings to postmasters that they would begin treating mail signed with a 512 bit key as unsigned within about a week.

What does this mean to you as a sender?

First, the good news:
Failing a DKIM check at Gmail or anywhere else does not mean your mail will bounce. It does not mean your mail will arbitrarily be placed in the spam folder. It does not mean your domain’s chances of being hacked and spoofed have increased – those chances are the same as they ever were.

It does mean that Gmail will treat the mail the same way it treats unsigned mail – with increased suspicion, which could have a negative impact on your IP reputation(s). It also means that your valuable domain is vulnerable to being spoofed in spam or used in a phishing attempt: the Wired article makes a point of noting that with modern computing power, a 512-bit key can be broken in 3 days. The US-CERT published a warning about this, saying “It is possible that an attacker could factor the encryption key for a domain that is using DKIM allowing them to sign emails originating from that domain. An attacker may be able to use a test signing key that is treated as trusted.”

What do you do?

  • Check your DKIM key’s length, and if it is less than 1024 bits, change it immediately, and make sure to delete the old key. Leaving it in means your domain remains vulnerable.
  • Make sure that you are not publishing your DKIM key in testing mode. A signer indicates that a domain is testing DKIM by setting the t= flag in the key record to t=y. If yours is set that way, most receivers will treat the mail as unsigned.
  • Rotate your keys regularly. We recommend this be done quarterly.
  • Implement DMARC if you haven’t already done it. It can be a valuable tool to keep your domain secure.

How can you tell if your key is too short, or if Gmail is failing it?

You can check your key using this tool. A 512-bit key will look like this (the “descriptive text” prefix is how the host command prints a TXT record): descriptive text “k=rsa\; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==\;”
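As an added example (not code from the original post, from Google, or from any DKIM library), the following standard-library Python performs the two checks from the list above on a DKIM TXT record: it reads the RSA modulus size out of the p= tag and flags t=y testing mode. The sample records it runs on are constructed around an arbitrary modulus and are not real keys.

```python
import base64
# Added example for this article, not code from the original post, Google or any DKIM library. Standard
# library only: split a DKIM TXT record into tags, walk the DER SubjectPublicKeyInfo in p= to recover the
# RSA modulus size, and flag the t=y testing mode that the checklist above warns about.
def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; t=y; p=...' into a dict, tolerating the \\; and quotes of host/dig output."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().strip('"')] = "".join(value.split()).strip('"')  # long p= values wrap
    return tags
def _der_read(buf, pos):
    # Read one DER element at pos; return (tag, contents, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in the base64 SubjectPublicKeyInfo carried by p=."""
    _, spki, _ = _der_read(base64.b64decode(p_b64), 0)    # SEQUENCE SubjectPublicKeyInfo
    _, _alg, pos = _der_read(spki, 0)                      # SEQUENCE AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _der_read(spki, pos)                    # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _der_read(bitstr, 1)                       # skip unused-bits byte -> SEQUENCE RSAPublicKey
    _, modulus, _ = _der_read(rsa, 0)                      # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()
def assess_dkim_record(txt, minimum_bits=1024):
    """Apply the article's two checks; return (modulus_bits, list of findings)."""
    tags, findings = parse_dkim_record(txt), []
    if not tags.get("p"):                                  # RFC 6376: an empty p= means the key is revoked
        return 0, ["empty p= tag: key revoked, signatures verify as unsigned"]
    bits = rsa_modulus_bits(tags["p"])
    if bits < minimum_bits:
        findings.append(f"{bits}-bit key is below the {minimum_bits}-bit minimum; rotate it and delete the old selector")
    if "y" in tags.get("t", "").split(":"):                # t= is a colon-separated flag list
        findings.append("t=y (testing mode) is set; most receivers treat the mail as unsigned")
    return bits, findings

# Constructed sample records for a stand-alone run: the modulus is an arbitrary odd number, NOT a real key.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")     # SEQUENCE { OID rsaEncryption, NULL }
def _der(tag, payload):
    n, w = len(payload), (len(payload).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | w]) + n.to_bytes(w, "big")) + payload
def constructed_record(bits, extra_tags=""):
    uint = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # leading 0x00 keeps it positive
    rsa = _der(0x30, uint((1 << (bits - 1)) | 1) + uint(65537))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; k=rsa;{extra_tags} p={base64.b64encode(spki).decode()}"
if __name__ == "__main__":
    for record in (constructed_record(512), constructed_record(1024, " t=y;"), constructed_record(2048)):
        print(assess_dkim_record(record))
```

To check a live selector, paste the TXT record returned by host or dig into assess_dkim_record; a result below 1024 bits or with t=y listed in the findings is what Gmail now treats as unsigned.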

Kudos to the gentleman who started this ball rolling – Zachary Harris, mathematician. It’s a remarkable story, and I hope he got the job if he wanted it.

One Comment


[…] so do the attacks, that is life. One story to illustrate this is that it became apparent that DKIM keys of a 512 bit length were being cracked, then gmail changed their policies to cater for a longer key length […]
