Best practices for the DKIM vulnerability
The Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) has published seven recommended best practices for addressing a vulnerability in DKIM digital signatures for emails. With DomainKeys Identified Mail (DKIM), companies and organisations can include a digital signature to confirm that an email is actually from their domain.
In late October, however, mathematician Zachary Harris found that a number of major websites were using keys that were too short for these signatures, making it easy to imitate addresses from Google, PayPal, Yahoo, Amazon, eBay and many others. When checking a supposed job offer from Google, Harris noticed that the company's signature was easy to fake. He let Google know about the problem by sending an email to the company's CEO, Larry Page, that looked like it came from co-founder Sergey Brin.
The first recommendation from the M³AAWG is to use a key length of at least 1024 bits, since a 512-bit key can be cracked in just 72 hours using online cloud services such as Amazon Web Services (AWS). The authors of the best practices guide also recommend rotating DKIM keys every quarter and assigning expiration periods that are longer than the rotation period. Old keys should be revoked in DNS as needed.
In addition, providers of mail services with DKIM signatures should refrain from using testing mode (t=y). Currently, many mail providers ignore the DKIM signature if it comes from a mail server running in test mode. Operating in test mode only makes sense during the actual initial DKIM ramp-up, the authors say. To monitor how receivers accept DKIM-signed messages, Domain-based Message Authentication, Reporting and Conformance (DMARC) should be used with monitoring activated.
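As an added example (not from the M³AAWG guide or this article), the following stdlib-only Python audit applies the two checks above, the 1024-bit minimum and the t=y testing flag, to the contents of a DKIM TXT record. The sample records it builds are constructed dummies whose modulus is not a real RSA key; the 1024-bit threshold and the tag parsing are assumptions, and an empty p= is treated as a revoked key.

```python
import base64
# Minimal DER reader, stdlib only; assumes k=rsa keys, the case the article covers.
def _der_read(buf, pos):                               # -> (tag, value, next_pos) of the TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside the SubjectPublicKeyInfo carried in p=."""
    _, spki, _ = _der_read(spki_der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, _alg, pos = _der_read(spki, 0)                  # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_read(spki, pos)              # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_key, _ = _der_read(bitstr[1:], 0)           # drop unused-bits byte, read SEQUENCE
    _, modulus, _ = _der_read(rsa_key, 0)              # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; t=y; p=...' into a tag dict, dropping folded whitespace."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def audit_dkim_record(txt, min_bits=1024):
    """List the M3AAWG recommendations a published DKIM record violates."""
    tags, findings = parse_dkim_record(txt), []
    if not tags.get("p"):
        return ["key revoked (empty p=)"]               # empty p= is the DNS revocation form
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        findings.append(f"key too short: {bits} bits < {min_bits}")
    if "y" in tags.get("t", "").split(":"):            # t= holds colon-separated flags
        findings.append("testing mode (t=y) still enabled")
    return findings

# CONSTRUCTED sample records (not real keys): DER-encode a dummy modulus of the wanted size.
def _der(tag, body):
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")) + body
def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive
def constructed_rsa_spki(bits):                        # 'modulus' is 2**(bits-1)+1: only its size matters
    rsa_pub = _der(0x30, _der_int(2 ** (bits - 1) + 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
def constructed_record(bits, testing=False):
    p = base64.b64encode(constructed_rsa_spki(bits)).decode()
    return "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + p
```

To audit a live selector, feed `audit_dkim_record` the concatenated TXT strings of `<selector>._domainkey.<domain>` instead of a constructed record.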
The sixth recommendation emphasises that DKIM is the best choice for ensuring email senders' authenticity, since the alternative, DomainKeys, is a deprecated protocol and should no longer be used. The authors use the last guideline to point out that companies and organisations remain responsible for the authenticity of their emails – even when third-party mailers send on their behalf – and should ensure that their email service providers also adhere to these best practice guidelines.