OTA Security Advisory --- DKIM Key Strength

Late last week, an advisory was published by the Online Trust Alliance (OTA) with a “severe / immediate action required” status.

Here is the advisory:

The ability to exploit weak DKIM keys has recently been highlighted in the media. This awareness means that all senders should immediately  remediate any inadequate DKIM keys and evaluate existing processes around DKIM key management.
 
OTA recommends the following:
 
1.       Key lengths of at least 1024 bits should be employed. Key lengths of less than 1024 bits should be avoided due to their ability to be broken through the use of distributed computing resources.

2.       Key records should be evaluated to ensure the proper use of the DKIM “testing flag”.  Senders should only use the testing flag during initial roll out.  Receivers should check their verification code to ensure that the “testing flag” is obeyed and interpreted correctly.
 
3.       Key rotation management is a critical process to the ongoing management of effective DKIM deployments.  Organizations should automate — as much as possible — the provisioning, publishing, and rotation of DKIM keys with at least a quarterly frequency.

4.       Instruct your email service provider to be update their authentication for any sub-domains / domains they manage

In addition OTA recommends the following:

1.       Review your SPF record, validate the need and accuracy of any “includes” (use the tool at https://otalliance.org/resources/authentication/spflookup.html)

2.       Consider publishing a DMARC record  https://otalliance.org/resources/authentication/dmarc.html

For additional information and support regarding successful DKIM deployments, visit OTA or email staff [at] otalliance [dot] org