1. Key Length:

    Use a minimum of a 1024-bit key length to increase key complexity. This is because shorter keys, such as 512-bit, have a higher vulnerability and can be cracked within 72 hours using inexpensive cloud services. 

  2. Rotation:

    Keys should be rotated at least once per year to reduce the period of time the key could be maliciously used to compromise the integrity of email. Here is a great document on DKIM key rotation:

  3. Expiration:

    Signatures should have an expiration period greater than your current key rotation period. Old keys should be revoked in DNS as appropriate. (Delete the contents from the “p=” field.)

  4. Test Mode:

    The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the presence of the DKIM signature when they find “t=y”. This mode is to be used for a very short period and only during the initial DKIM ramp-up.

  5. Monitoring:

    To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Use DNS to monitor how frequently keys are queried. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.

  6. DomainKeys is a deprecated protocol; use DKIM instead. (See: What is the difference between DomainKeys and DKIM?)

  7. Hashing Standards:

    Deprecate the use of SHA1 for hashing and move to SHA256 as per RFC 6376, Section 3.3. 

  8. Third Party Mailers:

    Organizations should be engaged with anyone that sends mail on their behalf to ensure that their third-party vendor (i.e., their email service provider) complies with these best practices.

Create a free OnDMARC account to view your DKIM functionality.

Did this answer your question?