Best Practices for DKIM Hole

Friday, November 9, 2012 @ 05:11 PM gHale


We know some major web sites were using DomainKeys Identified Mail (DKIM) keys that were too short, and that presented a big vulnerability problem.

There are now seven recommended best practices for addressing the vulnerability in DKIM digital signatures for emails put out by the Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG).

RELATED STORIES
Email Signature Holes Fixed
Weak Crypto Keys Fixed
Windows Help Files an Attack Vector
Apple ID Phishing Scam

DKIMs allow companies and organizations to include a digital signature to confirm that an email is actually from their domain.

This past October, though, the idea of a secure DKIM came to a halt when mathematician Zachary Harris found a number of major web sites were using keys that were too short for these signatures, making it easy to imitate addresses from Google, PayPal, Yahoo, Amazon, eBay and many others.

When checking a supposed job offer from Google, Harris noticed the company’s signature was easy to fake. He let Google know about the problem by sending an email to the company’s Chief Executive, Larry Page, that looked like it came from co-founder Sergey Brin.

The first recommendation from the M³AAWG is to use a key length of at least 1024-bits, since an attacker can crack a 512-bit key in just 72 hours using online cloud services such as Amazon Web Services (AWS). The authors of the best practices guide also recommend rotating DKIM keys every quarter and assigning expiration periods longer than the rotation period. Old keys should end up revoked in DNS as needed.

In addition, providers of mail services with DKIM signatures should refrain from using testing mode (t=y). Currently, many mail providers ignore the DKIM signature if it comes from a mail server running in test mode. Operating in test mode only makes sense during the actual initial DKIM ramp-up, the authors say. To monitor how receivers accept DKIM-signed messages, Domain-based Message Authentication, Reporting and Conformance (DMARC) should work with monitoring activated.

The sixth recommendation emphasizes DKIM is the best choice for ensuring email senders’ authenticity.

The authors use the last guideline to point out companies and organizations should see to the authenticity of their emails – even if other third-party mailers operate their servers – by ensuring their email service providers also adhere to these best practice guidelines.



Leave a Reply

You must be logged in to post a comment.