What are the advantages of rotating DKIM keys?
Rotating DKIM (DomainKeys Identified Mail) keys is an important security measure that helps to maintain the integrity and trustworthiness of email communication. DKIM keys work by allowing the recipient's email server to verify that the message received from the sender has not been tampered with in transit and was indeed sent by the domain owner.
By regularly rotating DKIM keys, a domain owner can prevent unauthorized access to their email system and minimize the risk of email spoofing and phishing attacks. If a DKIM key is compromised or leaked, an attacker can use it to sign fraudulent emails that appear to come from the domain owner, resulting in a loss of reputation, credibility, and potentially financial damage. Rotating the DKIM keys periodically minimizes the damage that could occur from such attacks.
How frequently should DKIM keys be rotated?
The members of the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) explored various rotational frequencies and came to the conclusion that DKIM keys should realistically be rotated twice a year. M3AAWG also added the following:
It is important to understand the various factors involved when deciding on the frequency that works for a specific organization. While a more frequent rotation (e.g., quarterly) would lower the risk of a key being cracked, operational realities may prevent such an aggressive schedule. Similarly, a longer frequency (e.g., yearly) not only increases the risk of a compromised key, but also diminishes the value of the institutional knowledge gained
You can read the M3AAWG's DKIM Key Rotation Best Common Practices document here.
Is there a standard process for rotating keys with every service?
No, the process of rotating DKIM keys may vary depending on the email service used. Generally, there are three ways in which email services handle DKIM key rotation.
Some email services automatically rotate the keys at regular intervals. For example, Amazon SES employs this approach to ensure that the DKIM keys are regularly updated and kept secure.
Email services that allow customers to rotate the keys themselves. For this, there is usually a script or place in the email service UI where you can activate the key rotation. Microsoft Office 365 falls into this category.
Manually rotating the keys. This process requires the customer to generate a new DKIM key, publish it in the DNS, and then activate it on the email service side.
It is important to note that the DKIM key rotation process can differ from service to service, and customers should consult the documentation or support resources provided by their email service to understand the specific procedures involved.
When it comes to email authentication, both Microsoft Office 365 and Google Workspace (formerly known as G Suite) utilize the DomainKeys Identified Mail (DKIM) protocol to add a layer of security to outbound emails. However, there are differences in how each platform handles the rotation of DKIM keys.
Rotating DKIM keys in Microsoft Office 365
Microsoft Office 365 employs two DKIM keys and uses CNAME records, which simplifies the process of rotating keys. This approach allows for easy key rotation without requiring customers to modify their DNS records.
Rotate the keys from the Microsoft 365 Defender portal
In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Email Authentication Settings in the Rules section > DKIM. To go directly to the DKIM page use the following link: https://security.microsoft.com/dkimv2.
On the DKIM page, select the domain by clicking on the name.
In the details flyout that appears, click Rotate DKIM keys from the bottom right.
Repeat these steps for each custom domain.
In case the Rotate DKIM keys button is grayed out, it means that you do not have DKIM configured for your custom domain. Follow the steps from this article in order to set up DKIM.
Rotate the keys using PowerShell
When you already have DKIM configured, rotate the signing key by running the command below in PowerShell:
Rotate-DkimSigningConfig -KeySize 2048 -Identity <DkimSigningConfigIdParameter>
Regardless if you rotate the keys through the Microsoft 365 Defender portal or using the PowerShell command, the rotation will not happen instantaneously.
To see the date when the rotation will happen, run the command below in PowerShell and verify the RotateOnDate line.
Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List
Rotating DKIM keys in Google Workspace
Google Workspace uses a single public DKIM key, which is published in the DNS as a TXT record. As a result, rotating keys on this platform can be a complex process. To rotate a DKIM key in Google Workspace, the administrator must generate a new key, publish it in the DNS, and then validate it from the Google admin console. During the key rotation process, the old DKIM key will not sign emails, which means that any emails sent from Google Workspace during this time will not be DKIM aligned. There are a few things to take into consideration before starting this process:
Verify that SPF is properly configured for Google Workspace. Since DKIM authentication will be disabled during the process of generating, publishing, and validating the new key, you need your emails to be authenticated with SPF.
Perform this task outside of business hours, when there is less traffic of outbound emails from Google Workspace.
Make sure that all the stakeholders involved in this process are aware of the steps that need to be carried out. The Google Workspace admin, your DNS team, or the group managing your Valimail account (in case your domain is pointing DKIM to Valimail), all need to be aware of the exact steps that they need to complete and when they need to do them. If all the parties involved in this process are well coordinated, rotating the keys will only take a few minutes.
To generate a new DKIM key in Google Workspace follow these steps:
Open your Google Admin console (at admin.google.com)...
Go to Menu
Click Authenticate email.
In the Selected domain menu, select the domain for which you will generate the new key.
Click the Generate New Record button.
From the Select DKIM key bit length drop-down choose 2048.
In the Prefix selector (optional) field you can type a new selector name or use the default google. In case you choose a selector name that matches the old DKIM key, you will need to delete the old key from the DNS or from Valimail (in case your domain is pointing DKIM to Valimail) before you can publish this new key.
Click on Generate.
The next step is to publish the new DKIM key in your DNS, or in Valimail Enforce in case your domain is poting DKIM to Valimail. Once the new DKIM key is published, go back to the Authenticate email page in the Google Admin console, and click on the Start Authentication button.