Key Takeaways
- DKIM key rotation limits how long a compromised or outdated email signing key can be abused.
- Regular rotation strengthens email authentication and improves domain trust.
- Long-lived static DKIM keys increase spoofing and phishing risk: a key stolen once stays valid until its public half is removed from DNS.
- Organisations should keep the old and the new public key published in parallel to avoid delivery disruption during rotation.
- Automated rotation policies and monitoring ensure continuous email security hygiene.
With the bulk-sender requirements from Google and Yahoo that came into effect in February 2024, there is heightened focus on DKIM hygiene, and rotating DKIM keys regularly is part of it. Those requirements, issued by leading mailbox and email service providers, aim to further bolster email security, and regular rotation is now recognised as a crucial practice for maintaining the integrity of email communications: it limits what an attacker can do with an outdated or compromised key and keeps the authentication process effective.
This guidance is particularly pertinent for organisations managing substantial email traffic, because a leaked signing key there lets an attacker send mail that passes authentication at scale. Following it not only strengthens security measures but also sustains the trust and reliability of organisational email communication channels.
What is DKIM Key Rotation?
DKIM key rotation is the process of periodically replacing the key pair a domain signs its mail with. A new pair is generated, its public half is published in DNS as a TXT record at selector._domainkey.domain (the base64 value in the record's p= tag), outgoing mail is switched to the new private key, and the retired public key is removed from DNS once mail signed with it has had time to be verified. Because the selector is part of the record name, the new key is published alongside the old one rather than overwriting it. Rotation is also the natural moment to change the key type or size, for example moving from 1024-bit to 2048-bit RSA.
DKIM stands for DomainKeys Identified Mail. A sending domain (or the email service provider it authorises) signs each outgoing message with a private key, and receivers verify the signature against the public key published in the domain's DNS.

How Does DKIM Key Rotation Prevent DKIM Vulnerability?
If the private signing key stays unchanged for years, an attacker who gains access to the mail server or to the system that stores the key can copy it. Encrypting the key at rest (storage encryption) raises the bar, but once the private key is in a cybercriminal's hands they can sign any message they like as your domain, and those messages will pass DKIM (and DKIM-aligned DMARC) for as long as the matching public key remains in DNS. This exposure is what is usually meant by a DKIM "vulnerability": not a flaw in the protocol, but the consequence of a long-lived key that is never invalidated.
As a remedy, an organisation should rotate its DKIM keys so that a copied key stops being useful once the next rotation removes its public half from DNS. Fresh keys also keep signatures verifying cleanly, which protects deliverability.
Rotation is the first step in limiting the damage a leaked signing key can do. It belongs with the other basics of email security hygiene, with the aim of keeping the domain's mail trustworthy and the sending infrastructure defended against abuse.
Regular rotation shortens the window in which a key exposed during a breach can be used. It does not undo a theft that has already happened, but it bounds how long the stolen key is accepted: once the public key is removed from DNS, signatures made with the stolen private key no longer verify.
Rotation can be carried out manually or automatically. In either case the mechanics are the same: each message is signed with the domain's private key, and the receiver looks up the public key under the selector named in the signature (selector._domainkey.domain) to verify it. Setting up the key and its DNS record correctly is therefore the most important step, and it must be done carefully. Read more about how to configure DKIM using best practices to avoid any mistakes.
Methods of Key Rotation
Rotation means publishing a new public key in the domain's DNS and switching the signer to the matching private key. The private key lives on the mail server or at the email service provider that signs on the domain's behalf, not with individual senders' addresses; every message leaving through that signer carries a signature made with it.
The simplest method is manual: an administrator generates a new key pair, pastes the public key into a new DNS TXT record and reconfigures the signer. Its drawbacks are discussed below.
CNAME
A CNAME record maps one DNS name to another. With CNAME delegation, the domain owner creates a record such as selector._domainkey.example.com that points at a name under the vendor's domain, and the vendor controls what that name resolves to. If the domain owner needs to revoke the vendor's authorisation, removing the CNAME is enough.
The trade-off is control and visibility. The vendor can publish several keys behind those names and rotate them whenever it likes, without notifying the domain owner, and the owner has no say over the key length or the rotation schedule. For some organisations that is a convenience; for those that must audit every key accepted for their domain it becomes a problem.
Subdomain Delegation
Subdomain delegation is the easiest option for organisations that do not want to handle DKIM themselves. An external vendor is given a dedicated subdomain (for example, mail.example.com) that sends on behalf of the organisation, and the vendor manages that subdomain's DKIM records, including rotation.

The domain owner can reclaim the subdomain at any time, after which the vendor can no longer manage DKIM for it. Note that mail signed under the subdomain aligns with the organisation's DMARC policy only under relaxed DKIM alignment, which is the default, so check the policy's adkim setting before delegating.
Manual Process of Rotation Should be Avoided
Manual rotation means generating a key pair with a tool such as openssl, then copying the public key into DNS and the private key into the signer by hand. Any slip in that copy (a truncated base64 string, a wrong selector, a long record split at the wrong point) breaks verification for every message signed with the new key, and the mistake often surfaces only as failures in DMARC reports. That is why manual handling of DKIM key pairs is discouraged.
Automatic DKIM Key Rotation
Many email service providers and DMARC management platforms can rotate DKIM keys automatically, which saves the time otherwise spent troubleshooting and fixing copy-paste errors. Some email marketing companies bundle this with their email security services. If your provider supports automatic rotation, use it.
DKIM Key Rotation Best Practices
The DKIM key rotation process is highly beneficial, but domain owners must follow certain practices to carry it out safely. Following these DKIM key rotation best practices will keep your domain protected and your email deliverability intact.
- Key length: Use RSA keys of at least 2048 bits. A shorter key is weaker, and keys below 1024 bits are rejected by Google under its current sender requirements; 2048 bits gives headroom. If a DNS provider limits TXT strings to 255 characters, split the p= value into several quoted strings rather than shortening the key.
- Expiration time: If you set the x= (signature expiration) tag, the retired public key must stay in DNS for at least that long after the switch, because a signature can be verified at any time until it expires. The expiry you put on signatures therefore bounds how long old keys must remain published.
- Rotation frequency: Rotate at least once a year as a baseline, and more often as the risk profile and the organisation's operational capacity allow.
- Test: Publish the new record with the t=y flag for a short period; receivers then treat a failing signature as if the message were unsigned while you confirm that signed mail verifies. Remove the flag once rollout is confirmed.
- Monitoring: Deploy DMARC alongside DKIM so that aggregate (rua) reports show which selectors are passing. Start at p=none while validating a rotation and tighten the policy afterwards.
- Keep the old key live for at least 48 hours: Emails already in transit still validate against the old key. Removing it too early causes authentication failures.
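Most of the checks in this list (key length, a lingering t=y flag, a retired key that was revoked rather than deleted) can be verified from the DNS record itself, and the same check works for CNAME-delegated selectors described above. The script below is an added example, not code from the original article or from Threatcop: it parses a DKIM TXT record, decodes the p= value far enough to measure the RSA modulus, follows CNAME delegation in a constructed zone, and reports weak keys, records still in testing mode and revoked (empty p=) records. The zone, selector names and the vendor.example host are constructed, and the moduli are placeholders with the right bit length rather than real keys.

```python
import base64
import re

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo,
# which is what the p= tag of a DKIM record carries (base64-encoded).

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                      # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, already TLV-encoded

def rsa_spki_der(modulus, exponent=65537):
    """Encode an RSA public key as SubjectPublicKeyInfo (the DER behind p=)."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, RSA_OID + b"\x05\x00")       # AlgorithmIdentifier with NULL params
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and return its size in bits."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _, pos = _read_tlv(body, 0)                    # skip AlgorithmIdentifier
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits[1:], 0)            # bits[0] is the unused-bit count
    _, modulus, _ = _read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()

def dkim_txt_record(modulus, testing=False):
    """Build the TXT value for selector._domainkey.<domain> from a modulus."""
    p = base64.b64encode(rsa_spki_der(modulus)).decode()
    return "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + p

def parse_dkim_record(txt):
    """Split the RFC 6376 tag=value list; whitespace inside values is ignored."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def lookup(zone, name, hops=0):
    """Resolve a name in the toy zone, following CNAMEs (vendor delegation)."""
    rec = zone.get(name)
    if rec is None:
        return None
    kind, value = rec
    if kind == "CNAME":
        if hops >= 5:
            raise ValueError("CNAME chain too long")
        return lookup(zone, value, hops + 1)
    return value

def check_selector(zone, selector, domain, min_bits=2048):
    """Return a list of findings for one selector; an empty list means it passes."""
    txt = lookup(zone, f"{selector}._domainkey.{domain}")
    if txt is None:
        return ["no-record"]
    tags = parse_dkim_record(txt)
    if "p" not in tags:
        return ["malformed: p= tag missing"]
    if tags["p"] == "":
        return ["revoked"]                             # empty p= means the key is revoked
    findings = []
    if tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < min_bits:
            findings.append(f"weak-key:{bits}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing-mode")                # t=y left in place after rollout
    return findings

# Constructed sample zone. The moduli are placeholders with the right bit length,
# not real RSA keys; a real rotation generates them with openssl or the signer.
MOD_2048 = (1 << 2047) | 1
MOD_1024 = (1 << 1023) | 1
SAMPLE_ZONE = {
    "s2024b._domainkey.example.com": ("TXT", dkim_txt_record(MOD_2048)),
    "s2024a._domainkey.example.com": ("TXT", dkim_txt_record(MOD_1024, testing=True)),
    "s2023z._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p="),
    "vendor1._domainkey.example.com": ("CNAME", "vendor1.dkim.vendor.example"),
    "vendor1.dkim.vendor.example": ("TXT", dkim_txt_record(MOD_2048)),
}

if __name__ == "__main__":
    for sel in ("s2024b", "s2024a", "s2023z", "vendor1", "missing"):
        print(sel, check_selector(SAMPLE_ZONE, sel, "example.com") or "ok")
```

Against a live domain, replace the toy lookup with a real resolver query for the TXT record at selector._domainkey.domain and run the same checks on every selector that should be published. The revoked case matters for incident response: publishing an empty p= for a selector invalidates a stolen key immediately, without waiting for the next scheduled rotation.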
How Frequently Should You Rotate DKIM Keys?
How often to rotate depends on the organisation's risk level rather than its size alone; that risk level should drive how the network and domain are managed.
A common recommendation is to rotate three to four times a year, and rotating more often is fine if the tooling supports it. For financial and banking institutions, monthly rotation is advisable.
The practical frequency also depends on the complexity of the mail programme: the more sending systems and vendors sign for the domain, the more coordination each rotation needs. Some financial institutions settle on a lower frequency for exactly that reason, accepting a longer exposure window in exchange for fewer rotation failures.
Timeflow of Key Rotation
DKIM RSA keys are typically 1024 or 2048 bits; a domain should start with at least 1024 bits and preferably 2048. Each key is identified by a selector, and the scheme below keeps two key pairs ready from the start: the public halves (Public Key 1 and Public Key 2) are published in DNS under two selectors.
After DKIM is first enabled, mail is signed with Private Key 1. When the rotation interval elapses (typically three or four months, depending on the organisation's policy), a third pair is generated and Public Key 3 is added to DNS; only then is the signer switched to Private Key 2. The key that will be used next is therefore always published before any message is signed with it.
Generalising to the nth rotation: a new pair of at least 1024 bits is generated and Public Key n is stored in DNS. The signer switches to Private Key n-1. Public Key n-3 is then removed from DNS, while Public Key n-2 stays published so that messages signed with it before the switch still verify. DNS holds three public keys at any time (n, n-1 and n-2), and the process repeats with n = n + 1 at every rotation.
For more clarification, consider the following image.

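The schedule above (publish Key n, sign with Key n-1, remove Key n-3, keep Key n-2 for mail in transit) can be written down as a small state machine. The Python model below is an added example, not code from the original article or from any product: it tracks which selectors are published and which one the signer uses, rotates on the article's scheme, and refuses to remove a public key until both the 48-hour overlap from the best-practice list and the longest signature lifetime (x=) have elapsed. Selector names, the 7-day signature lifetime and the start date are assumptions; key material is a placeholder handle, since real key pairs come from openssl or the signing platform.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

T0 = datetime(2024, 2, 1)          # constructed start date for the walkthrough

def day(n, hours=0):
    """T0 plus n days (and hours); used to drive the walkthrough."""
    return T0 + timedelta(days=n, hours=hours)

@dataclass
class DkimKey:
    selector: str
    key_ref: str                              # handle into the signer's key store (placeholder)
    published_at: datetime                    # when the p= record went into DNS
    signing_since: Optional[datetime] = None  # when the MTA started signing with it
    retired_at: Optional[datetime] = None     # when the MTA stopped signing with it

@dataclass
class DkimRotation:
    domain: str
    keys: dict = field(default_factory=dict)        # selector -> DkimKey, i.e. what DNS publishes
    generation: int = 0
    signing: Optional[str] = None                    # selector the MTA currently signs with
    sig_lifetime: timedelta = timedelta(days=7)      # longest x= put on signatures (assumption)
    min_overlap: timedelta = timedelta(hours=48)     # floor from the best-practice list

    def dns_name(self, selector):
        return f"{selector}._domainkey.{self.domain}"

    def published(self):
        """Selectors that currently have a public key in DNS, in generation order."""
        return sorted(self.keys, key=lambda s: int(s[1:]))

    def _generate(self, now):
        # A real deployment generates the pair with openssl or the signer; here only a handle.
        self.generation += 1
        sel = f"k{self.generation}"
        self.keys[sel] = DkimKey(sel, secrets.token_hex(8), now)
        return sel

    def _switch_signing(self, sel, now):
        if self.signing is not None:
            self.keys[self.signing].retired_at = now
        self.signing = sel
        self.keys[sel].signing_since = now

    def bootstrap(self, now):
        """Publish Key 1 and Key 2, sign with Key 1."""
        first = self._generate(now)
        self._generate(now)                   # next key is published ahead of use
        self._switch_signing(first, now)
        return first

    def rotate(self, now):
        """Publish Key n, switch signing to Key n-1, drop Key n-3 (the article's scheme)."""
        self._generate(now)
        self._switch_signing(f"k{self.generation - 1}", now)
        old = f"k{self.generation - 3}"
        if old in self.keys:
            self.remove(old, now)
        return self.signing

    def safe_to_remove(self, sel, now):
        """A public key may leave DNS only when no mail in transit can still need it."""
        key = self.keys[sel]
        if sel == self.signing:
            return False
        if key.signing_since is None:         # published ahead, never signed with
            return True
        return now - key.retired_at >= max(self.min_overlap, self.sig_lifetime)

    def remove(self, sel, now):
        if not self.safe_to_remove(sel, now):
            raise RuntimeError(f"{sel} may still verify mail in transit; keep it published")
        del self.keys[sel]

if __name__ == "__main__":
    r = DkimRotation("example.com")
    r.bootstrap(day(0))
    for n in (120, 240, 360):
        r.rotate(day(n))
        print(f"day {n}: signing {r.signing}, DNS has {[r.dns_name(s) for s in r.published()]}")
```

The list returned by published() is exactly the set of selector._domainkey records that must exist in DNS at that moment; a monitoring job can compare it against live DNS after every rotation and alert on a missing or extra selector. The guard in safe_to_remove is what protects deliverability: with a 7-day signature lifetime it is the x= value, not the 48-hour floor, that decides when a retired key may go.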
Proactive Practices to Ensure Email Security
DKIM is an essential email authentication protocol that works alongside SPF to enhance email domain security. DMARC builds on both: it tells receivers whether a passing SPF or DKIM result aligns with the From: domain, what to do when neither passes, and where to send reports. Together, these three protocols form the foundation of a secure email domain.
Managing all three manually is time-consuming and error-prone. That is where TDMARC by Threatcop comes in. TDMARC is a dedicated tool that helps domain owners monitor SPF, DKIM, and DMARC configuration from a single dashboard. It flags misconfigurations before they affect deliverability and continuously verifies the validity of your DKIM records.
With TDMARC, you can also automate DKIM key rotation so keys are updated on schedule without manual intervention. No missed rotations, no copy-paste errors, no gaps in your email authentication coverage.
If you manage email at scale, TDMARC removes the guesswork from email security entirely.
FAQs
What happens if you never rotate DKIM keys?
If a threat actor obtains your private key through a data breach, they can send spoofed emails that pass DKIM for as long as the matching public key stays in DNS. You can revoke a single key on demand by publishing an empty p= value for its selector, but without a rotation routine nobody is watching the keys, so the exposure lasts indefinitely. This puts your domain reputation and recipients at risk.
Does rotating DKIM keys affect email deliverability?
If done properly, DKIM key rotation does not affect deliverability. Problems only occur if the old key is removed too soon or the new public key has a typo. Follow the step-by-step process and test before making the switch.
What is the difference between a DKIM selector and a DKIM key?
A selector is a label in the DNS record name that tells mail servers which key to look up. A key is the actual cryptographic value in that record. One domain can have multiple selectors pointing to different keys. This is how you rotate DKIM keys without causing downtime.
Can DKIM key rotation be automated?
Yes. Most enterprise email platforms and DMARC management tools support automated DKIM key rotation. Automation removes the risk of missed rotations and the copy-paste step where most manual errors happen.

Senior Writer
Shantanu is an accomplished content strategist and technology enthusiast at Threatcop Inc. With a knack for translating technical intricacies into reader-friendly narratives, Shantanu contributes to making cybersecurity insights both informative and enjoyable for tech enthusiasts and general audiences alike.
