Why Should You Automate DKIM Key Rotation?
DomainKeys Identified Mail (DKIM) is an anti-tampering technology that protects the integrity of your email while it is in transit. The receiver checks the email’s digital signature to confirm that it was sent from the domain it claims to originate from.
DKIM validates your communications in two steps. The first operation occurs on the server that sends DKIM-signed emails, whereas the second occurs on the receiving server that validates DKIM signatures on incoming messages. A private/public key pair is required to complete the procedure. The user’s private key is kept hidden and secure, either on their own server or with their ESP. The public key, on the other hand, is added to the DNS records of the user’s domain so that receivers can verify the signatures on incoming email.
DKIM Keys
DKIM keys are the key pairs used to produce the digital signatures that verify an email remains unaltered while it is being sent between servers. DKIM public keys are a target for attack because they are published in DNS for anyone to read. Given enough time and computing power, a malicious actor can eventually break any key, so a key that stays in use indefinitely gives an attacker an unlimited window.
The frequent replacement of older keys with newer keys (known as “key rotation”) is a good way to guard against this, since it reduces the time an attacker has to compromise a private key, as well as the period for which a compromised key remains valid. How often DKIM keys should be rotated depends on the key’s length. For example, because 1024-bit keys need less overall computing effort to break, they should be rotated more frequently than 2048-bit keys, which are currently considered the most secure practical key length.
Steps to Rotate DKIM Keys
- Generate a fresh DKIM key. The result is a ‘DKIM key’, which is a private/public key pair.
- Install the private component of the DKIM key in the software that creates DKIM signatures, which is commonly the email server that sends mail.
- Publish the public component of the DKIM key in the DNS of the domain for which signatures are being produced.
- Once the public part is published, the sending email server may begin creating DKIM signatures with the new DKIM key using its installed private key.
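As an added example (not code from the original post), the following stdlib-only Python models these four steps: it turns the new key’s public PEM into the TXT value for selector._domainkey.domain, splits it into DNS-sized strings, gates the cut-over to signing on DNS actually serving the matching record, and retires the old selector by publishing an empty p= instead of deleting the record. The PEM body is a constructed placeholder rather than a real key, and the resolver is a plain dict standing in for a DNS lookup.

```python
import base64

# Constructed placeholder PEM: NOT a real key. In practice this is the public
# half exported from the freshly generated private key installed on the signer.
NEW_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
-----END PUBLIC KEY-----"""

def pem_to_p(pem: str) -> str:
    """Strip the PEM armor and line breaks; the remaining base64 is the DKIM p= value."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    p = "".join(body)
    base64.b64decode(p, validate=True)  # reject anything that is not clean base64
    return p

def dkim_txt_value(pem: str, key_type: str = "rsa") -> str:
    """Step 3: the TXT value to publish at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k={key_type}; p={pem_to_p(pem)}"

def split_for_dns(value: str, limit: int = 255) -> list:
    """One TXT string holds at most 255 octets; a 2048-bit key exceeds that, so the
    value is published as several strings that verifiers concatenate."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def parse_dkim_tags(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict (whitespace-tolerant)."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}

def ready_to_sign(resolver: dict, selector: str, domain: str, pem: str) -> bool:
    """Step 4 gate: only switch the signer to the new selector once DNS actually
    serves a DKIM1 record whose p= matches the installed key. `resolver` is a
    dict of name -> list of TXT strings standing in for a real DNS lookup."""
    strings = resolver.get(f"{selector}._domainkey.{domain}")
    if not strings:
        return False
    tags = parse_dkim_tags("".join(strings))
    return tags.get("v", "DKIM1") == "DKIM1" and tags.get("p") == pem_to_p(pem)

def revoked_txt_value(key_type: str = "rsa") -> str:
    """Retire the old selector by publishing an empty p= (RFC 6376 treats an
    empty p= as 'key revoked') rather than deleting the record outright."""
    return f"v=DKIM1; k={key_type}; p="
```

Keep the old selector’s record published until mail signed with it has finished propagating, then replace it with the revoked form so late verifications fail cleanly rather than with a missing record.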
Because DKIM keys need to be produced and rotated repeatedly, several approaches have evolved to reduce the amount of back-and-forth. These solutions use DNS capabilities to shift the technical burden of DKIM key rotation closer to the operators in charge of DKIM signing.
The approaches are:
Subdomain Delegation
For most domain owners, subdomain delegation is the simplest way of handling key rotation. Instead of maintaining DKIM infrastructure, the domain owner provides a dedicated subdomain (or delegated ownership) to the vendor that sends emails on the domain owner’s behalf. In this approach, the domain owner delegates all aspects of DKIM maintenance to the vendor, including key rotation. If the vendor is no longer permitted to send on behalf of the domain owner, the domain owner always has the option of reclaiming the delegated subdomain.
CNAME
When a domain owner uses CNAMEs to point at DKIM records held by a vendor, this is known as CNAME-based delegation. The domain owner can allow a vendor to produce DKIM signatures in this fashion, and the vendor is responsible for the DKIM signing mechanisms. If a domain owner needs to revoke an authorization, they can do so by removing the CNAMEs, which breaks the link between the domain owner and the vendor.
Manually
Manually generating a fresh DKIM key, configuring an email server with the private component of the DKIM key, and publishing the public portion of the DKIM key in the domain owner’s DNS is the third way to rotate DKIM keys. Manual setup is the last resort when it comes to synchronizing email servers, DKIM keys, and DNS entries, since it requires a lot of cooperation across teams and systems.
That is all you will need to know to rotate your DKIM keys. To learn more about email authentication, check out EmailAuth and use our free DKIM checker tool to check your DKIM record.
Note: EmailAuth.io is part of the Infosec Ventures group and our core value lies in taking care of your most valuable digital asset: Email. We strive to increase your Email Deliverability, help you get the maximum ROI from your mailing campaigns, and increase trust amongst your customers, partners and vendors!
Original source: https://infosecventures.blog.fc2.com/blog-entry-1.html