1. Key Length: Use a minimum of a 1024-bit key length to increase key complexity. Shorter keys, such as 512-bit, are far weaker and can be cracked within 72 hours using inexpensive cloud services.
2. Rotation: Keys should be rotated at least twice per year to reduce the period of time during which a compromised key could be used to undermine the integrity of email.
3. Expiration: Signatures should have an expiration period greater than your current key rotation period. Old keys should be revoked in DNS as appropriate (delete the contents of the “p=” field).
4. Test Mode: The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the DKIM signature when they find “t=y”. This mode should be used only for a very short period during the initial DKIM ramp-up.
5. Monitoring: To monitor how receivers are treating email signed with DKIM, implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Use DNS query logs to monitor how frequently keys are queried. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
6. DomainKeys is a deprecated protocol; use DKIM instead. (See: What is the difference between DomainKeys and DKIM?)
7. Hashing Standards: Deprecate the use of SHA1 for hashing and move to SHA256, as per RFC 6376, Section 3.3.
8. Third Party Mailers: Organizations should engage with anyone that sends mail on their behalf to ensure that each third-party vendor (e.g., their email service provider) complies with these best practices.
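
As an added illustration (not part of this article or of OnDMARC's own tooling), the following Python script audits a DKIM selector TXT record against items 1, 3, 4 and 7 above: it decodes the “p=” public key to measure the RSA modulus, and flags “t=y”, an “h=” tag that excludes sha256, and an emptied “p=”. The DER helpers and the sample moduli are constructed for this example and are not real keys.

```python
import base64

def _der(tag, body):                                      # minimal DER TLV encoder
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _der_int(v):                                          # minimal, sign-safe INTEGER
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _rsa_spki(modulus, exponent=65537):                   # SubjectPublicKeyInfo, as p= carries
    rsa_oid = bytes.fromhex("06092a864886f70d010101")    # OID 1.2.840.113549.1.1.1 (rsaEncryption)
    alg = _der(0x30, rsa_oid + b"\x05\x00")
    key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))

def _read_tlv(buf, pos):                                  # returns (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki):
    _, body, _ = _read_tlv(spki, 0)                       # SubjectPublicKeyInfo
    _, _, pos = _read_tlv(body, 0)                        # skip AlgorithmIdentifier
    _, bitstr, _ = _read_tlv(body, pos)                   # BIT STRING
    _, key, _ = _read_tlv(bitstr[1:], 0)                  # RSAPublicKey (skip unused-bits byte)
    _, modulus, _ = _read_tlv(key, 0)                     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    tags = {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}
    p = "".join(tags.get("p", "").split())                # folding whitespace may appear inside p=
    findings = [] if p else ["key revoked (empty p=)"]    # expected only for a retired selector
    if p and tags.get("k", "rsa") == "rsa":               # ed25519 keys have no modulus to measure
        bits = rsa_modulus_bits(base64.b64decode(p))
        if bits < 1024:
            findings.append(f"weak key: {bits}-bit RSA, minimum is 1024")
    if "y" in tags.get("t", "").split(":"):
        findings.append("test mode (t=y) still set")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        findings.append("h= does not allow sha256")
    return findings

def constructed_record(bits, extra=""):                   # CONSTRUCTED sample, not a real key
    spki = _rsa_spki((1 << (bits - 1)) | 1)
    return f"v=DKIM1; k=rsa; {extra}p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    for rec in (constructed_record(1024), constructed_record(512, "t=y; h=sha1; ")):
        print(audit_dkim_record(rec) or ["ok"])
```

Feed it the TXT record returned for `<selector>._domainkey.<domain>`; an empty list means the record passes the checks above.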
