DKIM key rollover without loss of functionality.
Idea shared by Douglas Foster - 11/30/2021 at 11:45 AM
For extra security, DKIM keys should be rotated periodically to protect against the possibility of brute force attacks against a signature that is never changed.   To ensure no interruption of service, it should be possible to configure a new scope and key without activating it and without disabling the previous scope and key.    This allows time for the public key to be loaded into DNS and propagate.   After propagation is complete, the new scope can begin.

Currently, Smarter checks that the public key is in DNS before use, but it does not permit two keys to be enabled at the same time.   This means that the old key must be disabled before the new key can be configured.   During any delay between deletion of the old key and activation of a new key, outgoing messages will be sent without any signature.  Additionally, if the new key is activated before DNS propagation is complete, I think that some messages signed with the new key may fail to validate if the new key is not yet visible to the recipient system.

For organizations like mine that publish DMARC p=reject, sending a message that is not signed or signed with an unverifiable key is a problem.   This can be evaded by changing our DMARC record to p=none, and waiting for DNS propagation, before making the change.   But this is all too complicated and inconsistent the purpose of publishing DMARC p=reject.   It should be possible to replace the key without altering the verification status of our messages.

1 Reply

Reply to Thread
Kyle Kerst Replied
Employee Post
I think this is a great idea Doug. Being able to stage a new DKIM key while it propagates makes a lot of sense and would ensure a smooth change. I'm going to get a ticket submitted to accompany this post and will send it over to our Product Management team for review. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com

Reply to Thread