PowerDMARC

DKIM Key Rotation Explained

DKIM Key Rotation Explained

DKIM Key Rotation Explained

DKIM key rotation is the process of updating your DKIM keys. You should rotate your keys periodically—the exact period isn’t important, but the process itself is. Why should you do it? Rotating keys refers to creating new keys and updating DNS records with those new keys. The purpose of rotating your DKIM keys is similar to why you might change your passwords periodically: it’s a security measure that helps prevent attackers from impersonating your domain and sending spam or phishing emails.

Let’s take a look at why you use DKIM keys in the first place.

Why do you use DKIM keys?

DKIM stands for DomainKeys Identified Mail. It’s a way to add an additional layer of security to your email server so that your emails don’t get flagged as spam and end up in spam folders. The best way to think about DKIM is as an encrypted identifier attached to your messages so that recipients can verify that the message was actually sent by you, the person it’s claiming to come from. This identifier, or key, is what allows them to verify that.

How does DKIM work?

DKIM works by adding this identifier to each email that’s being sent out. When someone receives one of these emails, they can check the header or footer of the message and find a string of numbers and letters, which is the encrypted identifier or DKIM key. Before an email is sent to its recipient, the sender’s email server signs every email with a digital signature, which is then validated by the receiving email server. This process proves that the email has not been tampered with or altered in any way. 

When you send your email, the signature is attached as a header at the end of the message. Recipient servers use public keys (provided by domain owners through DNS records) to decrypt and verify these signatures.

Why is DKIM key rotation important for your domain’s security?

DKIM key rotation is when you start using a new private/public key pair to sign and authenticate your message—and then stop using the old private/public key pair.

Why is this important? Well, if somebody were able to get access to your private key, they could actually use it to send fraudulent emails that appear to be from you! To prevent this kind of malicious activity, it’s best practice to rotate your keys every few months.

To understand the importance of DKIM key rotation better, let’s take a look at this example: 

Let’s say you send out an email campaign for a holiday sale at your store. You use your DKIM keys to sign your emails, but if you send out enough emails using the same key pair over time, bad actors may eventually intercept and decode one of them, since each message uses the same cryptographic hash algorithm. Once they’ve got your public key, they can start signing their phishing emails with it without you even knowing! That’s why periodic DKIM key rotation is crucial to the security of your domain.

How can you rotate your DKIM keys?

1. Manual DKIM key rotation

You can manually rotate your DKIM keys from time to time by creating new keys for your domain. To do so follow these steps: 

2. Subdomain DKIM key delegation

Domain owners can outsource DKIM key rotation by allowing a third party to handle it for them. This is when the owner of the domain delegates a dedicated subdomain to an email vendor and asks them to generate a DKIM key pair on their behalf. This allows owners to evade the hassle of DKIM key rotation by outsourcing the responsibility to a third party. 

This however can cause policy override problems with DMARC entries. It is recommended that rotated keys are monitored and reviewed by domain controllers to ensure smooth and error-free deployment. 

3. DKIM CNAME key delegation

CNAME stands for canonical name, and are DNS records that are used to point to data of an external domain. CNAME delegation allows domain owners to point to DKIM record information that is maintained by any external third party. This is similar to subdomain delegation since the domain owner is only required to publish a few CNAME records on their DNS, while the DKIM infrastructure and DKIM key rotation are then handled by the third party that the record points to. 

For example, 

“domain.com” is the domain from which originating emails are to be signed, and “third-party.com” is the vendor who will handle the signing process. 

s1._domainkey.domain.com CNAME s1.domain.com.third-party.com

The above-mentioned CNAME record needs to be published in the DNS of the domain owner. 

Now, s1.domain.com.third-party.com already has a DKIM record published on its DNS which can be: s1.domain.com.third-party.com TXT “v=DKIM1; p=MIG89hdg599….”

This information will be used to sign emails originating from domain.com. 

Note: You need to publish multiple DKIM records (recommended: at least 3 CNAME records) with different selectors on your DNS to enable DKIM key rotation. This will allow your vendor to switch between keys while signing and provide them with alternative options.

4. Automatic DKIM key rotation

Most email vendors and third-party email service providers enable automatic DKIM key rotation for customers. For example, if you are using Office 365 for routing your emails, you will be happy to know that Microsoft supports automatic DKIM key rotation for their Office 365 users. 

We have covered a full document on how to enable DKIM key rotation for your Office 365 emails on our knowledge base

Benefits of Automatically rotating your DKIM keys

Deploying a DKIM key rotation strategy

We call it the “3 Ds of DKIM key rotation”: 

This sums up an effective DKIM key rotation strategy for your domains. When you are availing of any third-party service for your emails and your vendor is handling rotation for you, make sure you have an open and transparent discussion as to when and how frequently you want to rotate your keys. You should have a say regarding timelines as well as the size you want to use for your selector key (whether you want to use 1024 bits or 2048 bits for more security). 

Once the discussion phase passes, you and your vendor must mutually decide on what your strategy is and finally proceed to deploy the same.

Exit mobile version