Server-wide DKIM-Keys / DKIM-Key rotation impractical
Idea shared by info - 8/23/2021 at 8:40 AM
Ideally, DKIM-keys should be rotated regularly. Besides that, cryptanalytic progress could make it necessary to upgrade key lengths or algorithms.
As SmarterMail generates DKIM keys for each domain individually, rotating DKIM-keys is fairly time consuming to achieve for a larger setup.

I do understand that having different DKIM keys may have a security benefit.
If domains were heavily sandboxed, it could be better to have only a single domain's key compromised. To my understanding, however, the 'settings.json' files in which the DKIM private keys are stored are readable by any Windows user, so the sandboxing argument does not apply.

Another argument might be a prevention against header spoofing by other domains on the server.  

The ideal solution would be, in my opinion, to have a single DKIM key per server; for example:

→ hostname._domainkey.example.com TXT "v=DKIM1 [...]"

All domains could have their DKIM records pointing to the server DKIM record through CNAMEs; for example:

→ 3bde06e4._domainkey.otherexample.com CNAME hostname._domainkey.example.com.

Giving all the domains different DKIM selectors would prevent the spoofing of the From-header by other domains on the same server, but would allow for very quick key rotation.  

Having a single server-wide DKIM key would speed up significantly:
→ regular DKIM key rotation,
→ key length or algorithm improvements,
→ incident-based key rotation (which must be quick!)
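A worked sketch of the CNAME delegation scheme described above, added here as an example and not code from SmarterMail or from the post's author. A dict stands in for DNS, and the way a per-domain selector is derived (a SHA-256 prefix of the domain name) is an assumption, since the post does not say how a selector like '3bde06e4' was chosen:

```python
import hashlib

def selector_for(domain):
    """Per-domain selector: first 8 hex chars of SHA-256 over the domain name (assumption)."""
    return hashlib.sha256(domain.encode()).hexdigest()[:8]

def plan_records(server_selector, server_domain, domains, pubkey_b64):
    """Return {owner_name: (rrtype, rdata)}: one TXT holding the server-wide key
    and one CNAME per hosted domain, each under that domain's own selector."""
    key_name = "%s._domainkey.%s" % (server_selector, server_domain)
    zone = {key_name: ("TXT", "v=DKIM1; k=rsa; p=%s" % pubkey_b64)}
    for d in domains:
        zone["%s._domainkey.%s" % (selector_for(d), d)] = ("CNAME", key_name)
    return zone

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs the way a DKIM verifier's resolver would; None if missing or looping."""
    for _ in range(max_hops):
        rr = zone.get(name)
        if rr is None:
            return None
        rrtype, rdata = rr
        if rrtype == "CNAME":
            name = rdata          # chase the chain
            continue
        return rdata if rrtype == "TXT" else None
    return None                   # chain too long or a CNAME loop

def rotate_server_key(zone, server_selector, server_domain, new_pubkey_b64):
    """Rotation touches exactly one record; every domain's CNAME then yields the new key."""
    key_name = "%s._domainkey.%s" % (server_selector, server_domain)
    zone[key_name] = ("TXT", "v=DKIM1; k=rsa; p=%s" % new_pubkey_b64)
    return key_name

if __name__ == "__main__":
    # Constructed sample: two hosted domains delegated to the server key at example.com
    z = plan_records("hostname", "example.com", ["otherexample.com", "third.example"], "OLDKEY")
    for owner, (t, v) in sorted(z.items()):
        print(owner, t, v)
    rotate_server_key(z, "hostname", "example.com", "NEWKEY")
    s = selector_for("otherexample.com")
    print(resolve_txt(z, "%s._domainkey.otherexample.com" % s))  # ends with p=NEWKEY
```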

1 Reply
We have developed an administrative program to do some repetitive things:

1) domain creation (via API)
2) creation of a series of standard aliases for the domain (webmaster, postmaster, superuser, etc.), always via API
3) creation of a custom DKIM selector and related key that is the same for all domains, which points to a CNAME of the various domains (done by modifying the JSON file)

Sabatino Traini, Chief Information Officer, Genial s.r.l., Martinsicuro - Italy