- Key Length: Use a key length of at least 1024 bits. Shorter keys, such as 512-bit keys, are more vulnerable and can be cracked within 72 hours using inexpensive cloud services.
- Rotation: Keys should be rotated at least twice per year to reduce the period of time the key could be maliciously used to compromise the integrity of email.
- Expiration: Signatures should have an expiration period greater than your current key rotation period. Revoke old keys in DNS as appropriate by deleting the contents of the “p=” field.
- Test Mode: The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the presence of the DKIM signature when they find “t=y”. This mode is to be used for a very short period and only during the initial DKIM ramp-up.
- Monitoring: To monitor how receivers are accepting email signed with DKIM, implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. Also use DNS to monitor how frequently keys are queried.
- DomainKeys is a deprecated protocol; use DKIM instead. (See: What is the difference between DomainKeys and DKIM?)
- Hashing Standards: Deprecate the use of SHA1 for hashing and move to SHA256 as per RFC 6376, Section 3.3.
- Third Party Mailers: Organizations should engage with anyone that sends mail on their behalf to ensure that their third-party vendor (i.e., their email service provider) complies with these best practices.
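Several of the items above (key length, revocation through an empty “p=”, a leftover “t=y”, SHA1) can be checked directly against a selector's published TXT record. The following is an added example, not code from the original page: `audit`, `rsa_bits` and `sample_p` are hypothetical names, and the sample records are constructed in the code with dummy moduli rather than real keys.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record (RFC 6376 tag=value list) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo held in p=."""
    der = base64.b64decode(p_b64)
    seq, _ = _tlv(der, 0)                      # outer SEQUENCE
    _, alg_end = _tlv(der, seq)                # AlgorithmIdentifier (skipped)
    bits, _ = _tlv(der, alg_end)               # BIT STRING
    key, _ = _tlv(der, bits + 1)               # RSAPublicKey, after unused-bits byte
    start, end = _tlv(der, key)                # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(txt):
    """Findings for one selector record, per the checklist above."""
    t, out = parse_tags(txt), []
    if t.get("p", "") == "":
        return ["p= empty or absent (key revoked)"]
    if t.get("k", "rsa") == "rsa" and rsa_bits(t["p"]) < 1024:
        out.append("key shorter than 1024 bits")
    if "y" in t.get("t", "").split(":"):
        out.append("t=y test mode set")
    if "sha1" in t.get("h", "").split(":"):
        out.append("h= lists sha1")
    return out

def _der(tag, body):  # DER TLV encoder, used only to build the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def sample_p(bits):
    """Constructed p= value with a dummy modulus of `bits` bits (not a usable key)."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
```

Feed `audit` the TXT value published at `<selector>._domainkey.<domain>`; an empty list means none of these four checks fired.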