Keeping your email protection strong

SendGrid recently reached out to their customers about the potential exposure of customer data specifically involving their customers’ private DKIM keys. As part of their response to safeguard customer data, they proactively rotated the DKIM keys on behalf of their customers where possible and recommended that other customers do so on their own accord.

We thought this would be a good opportunity to talk about DKIM key rotation, ways of executing it, and benefits of automating the process.

Importance of DKIM Key Rotation

DKIM keys are digital signatures that ensure an email hasn’t been tampered with during routing among servers; you can read more details about the role they play in our DKIM overview.

Since DKIM keys are publicly published, they can be a target for attack. Like all methods of encryption, given enough time and computer processing power, they can be defeated by a malicious actor. The regular replacement of older keys with newer keys (referred to as “key rotation”) is an effective way to defend against this because it minimizes the period during which attackers may be able to compromise a private key, as well as the time for which a compromised key will be valid.

The frequency at which DKIM keys should be rotated is related to the length of the key itself. For example, 1024-bit length keys should be rotated more frequently than 2048-bit length keys as 1024-bit keys require less total computing power to be defeated. (2048-bit keys are currently viewed as the strongest practical key length). The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) published guidance in their DKIM Key Rotation Best Common Practices where they recommend keys should be rotated every six months.

The Work of Rotating DKIM Keys

In order to rotate DKIM keys, a specific series of actions must occur:

  1. A new DKIM key must be created. This results in a private/public key pair that are referred to as a “DKIM key.”
  2. The private portion of the DKIM key must be installed into the software that is creating DKIM signatures, usually an email server that is sending email.
  3. The public portion of the DKIM key must be published in the DNS of the domain for which signatures are created.
  4. Once the public portion is published, the email server that is sending email can start using its installed private key to create DKIM signatures using the new DKIM key.

There are different ways to implement the above actions. For example, if a DKIM key is created by a vendor that has been hired to send email on behalf of your internet domain, then the vendor must request you to place the public portion of the DKIM key into your domain’s DNS. Going the other way, if you create a DKIM key, then you must supply the vendor with the private portion of the DKIM key so that the vendor can configure their email software to create DKIM signatures.

Several methods have emerged to minimize the potential back-and-forth required when DKIM keys need to be created and rotated. These different methods use capabilities of the DNS to place the technology burden of DKIM key rotation close to the technical operators that are responsible for DKIM signatures.

Methods of Rotating DKIM Keys

Subdomain Delegation
Subdomain Delegation is the easiest method of key rotation for most domain owners. Instead of managing DKIM infrastructure, the domain owner assigns (or delegates control to) a dedicated subdomain to the vendor responsible for sending email on behalf of the domain owner. In this way, the domain owner leaves all of the mechanics of DKIM management—including key rotation—to the vendor. The domain owner always has the ability to take back the delegated subdomain in the case where the vendor is no longer allowed to send on behalf of the domain owner.

CNAME
CNAME-based delegation is when a domain owner uses CNAMEs to point to DKIM data that is maintained by a vendor. In this way, the domain owner can authorize a vendor to create DKIM signatures, and the vendor is responsible for the mechanics of DKIM signing. If the domain owner needs to remove authorization, then they can remove CNAMEs, which effectively severs the connection between the vendor and the domain owner.

The disadvantage of using CNAMEs is that multiple CNAME-based DKIM keys must be configured before a vendor can rotate among them. Once configured, though, the vendor can rotate keys without needing to contact or synchronize with the domain owner.

Manually
DKIM keys can be rotated by manually creating a new DKIM key, configuring an email server with the private portion of the DKIM key, and then publishing the public portion of the DKIM key in the domain owner’s DNS. Synchronizing between email servers, DKIM keys, and DNS entries can involve a lot of coordination between teams and systems, making manual configuration the method of last resort.

Benefits of Automatic DKIM Key Rotation

Manually rotating your DKIM keys involves using a tool to generate the new keys, then copying and pasting big strings into domain management software, which is an opportunity for errors to occur. This method of DKIM key rotation is not ideal, as the coordination involved tends to be difficult, especially if DKIM keys need to be urgently rotated due to a security incident.

Automatic key rotation by your email vendor prevents the additional time spent tracking down, troubleshooting, and coordinating fixes for these kinds of errors. As the example with SendGrid illustrates, SendGrid was able to quickly address a potential compromise through immediate DKIM key rotation as SendGrid customers had previously enabled SendGrid to manage DKIM keys—customers did not have to make changes on their side. Had SendGrid not invested in this capability, SendGrid and its customers would have been faced with making changes in a security-sensitive context, perhaps after hours or over a holiday. If manually rotating the keys is a responsibility that resides in a single role, that can further extend the response time and require readdressing if there is turnover for that position.

We’re here to help people understand and deploy DMARC, so get in touch with us if you have any questions about DKIM key rotation.

Want to continue the conversation? Head over to the dmarcian Forum