Google Is Failing Your Perfectly Good DKIM Key (and Why That’s a Good Thing)

If you have noticed your email authentication key for DKIM failing recently, you are not alone. Google recently announced that it will immediately begin failing DKIM keys of 512 bits or less.

A mathematician recently cracked Google’s weak 512-bit DKIM key and impersonated founders Sergey Brin and Larry Page via email. A recent Wired.com article relating the story started a rush in the email industry to create new DKIM keys stronger than 512 bits. Google is taking this security issue seriously by requiring all senders to sign with a 1024-bit DKIM key. The first phase includes failing anything signed with a 512-bit key or less. A 768-bit key will be accepted for the next few weeks. Google also announced that it will begin emailing the postmaster aliases of domains found using weak keys as early as this week.

DKIM keys failing at Google can negatively impact senders in a few ways. If you publish a List-Unsubscribe header and your DKIM key is failing, your subscribers may not have the option to unsubscribe when they mark emails as spam, which in turn can cause complaint rates to edge higher. Additionally, Gmail users who opt to show signed emails in the inbox may not see the icon and may lack the trust to open your emails. No one’s emails will be blocked outright for failing DKIM, but there is a small risk if you have a published DMARC policy and you happen to fail both DKIM and SPF.

To determine if your emails are failing DKIM due to a weak key, or if you need to upgrade from a 768-bit key, do the following:

  1. Send a test email to Gmail, or to your Return Path seeds. Check the headers for the following line:

     Authentication-Results: mx.google.com; spf=pass (google.com: domain of xxx@xxxxx.xxx designates xxx.xxx.xxx.xxx as permitted sender) smtp.mail=xxx@xxxxx.xxx; dkim=pass header.i=xxxxxx.xxx

     If it says dkim=pass, you are good for now. If it says dkim=fail, you should upgrade your key immediately.
  2. Send an email to checkmyauth@auth.returnpath.net from each of your DKIM-signed domains. Our DKIM reflector sends a report and notifies you if you are signing with a DKIM key shorter than 1024 bits.
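
The key size can also be read straight from the DKIM TXT record you publish in DNS. The following is an added example, not part of the original article or of any Return Path tooling. It assumes the p= tag holds a DER SubjectPublicKeyInfo (the usual OpenSSL output); the function names are hypothetical and the sample records are constructed, not real keys.

```python
import base64

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length

def rsa_bits(txt_record):
    """Modulus size in bits of the RSA key in a DKIM TXT record's p= tag."""
    tags = dict(map(str.strip, t.split("=", 1)) for t in txt_record.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA public key in record (empty p= means revoked)")
    der = base64.b64decode("".join(tags["p"].split()))
    start, _ = _tlv(der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, end = _tlv(der, start)              # AlgorithmIdentifier: skip over it
    start, _ = _tlv(der, end)              # BIT STRING
    start, _ = _tlv(der, start + 1)        # skip unused-bits octet, enter RSAPublicKey
    start, end = _tlv(der, start)          # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def verdict(bits):
    """Thresholds as stated in this article; 513-1023 treated like 768 (assumption)."""
    if bits <= 512:
        return "fail"
    return "upgrade" if bits < 1024 else "ok"

def _der(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    """Constructed test record: modulus has the right size but is not a real key."""
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        print(bits, verdict(rsa_bits(sample_record(bits))))
```

To check a live domain, pass `rsa_bits` the TXT value published at `<selector>._domainkey.<domain>`, where the selector is the `s=` tag of the DKIM-Signature header on a message you sent.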

At Return Path, we also plan to perform manual, ad hoc validation of key lengths for our anti-phishing solution customers upon request. If you’re not a customer, you can use our reflector mentioned above, or contact us and see how we can help.