OnDMARC

Use a minimum of a 1024-bit key length to increase key complexity. This is because shorter keys, such as 512-bit, have a higher vulnerability and can be cracked within 72 hours using inexpensive cloud services.&nbsp;

Keys should be rotated at least once per year to reduce the period of time the key could be maliciously used to compromise the integrity of email. Here is a great document on DKIM key rotation: 

Signatures should have an expiration period greater than your current key rotation period. Old keys should be revoked in DNS as appropriate. (Delete the contents from the “p=” field.)

The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the presence of the DKIM signature when they find “t=y”. This mode is to be used for a very short period and only during the initial DKIM ramp-up.

To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Use DNS to monitor how frequently keys are queried. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.

DomainKeys is a deprecated protocol; use DKIM instead. (See: <a href="https://knowledge.ondmarc.com/learn-about-dkim/what-is-the-difference-between-domainkeys-and-dkim" rel="nofollow noopener noreferrer" target="_blank">What is the difference between DomainKeys and DKIM?</a>)

Deprecate the use of SHA1 for hashing and move to SHA256 as per <a href="https://tools.ietf.org/html/rfc6376#section-3.3" rel="nofollow noopener noreferrer" target="_blank">RFC 6376, Section 3.3.</a>

Organizations should be engaged with anyone that sends mail on their behalf to ensure that their third-party vendor (i.e., their email service provider) complies with these best practices.

1. Key Length: 
 Use a minimum of a 1024-bit key length to increase key complexity. This is because shorter keys, such as 512-bit, have a higher vulnerability and can be cracked within 72 hours using inexpensive cloud services. 
 
2. Rotation: 
 Keys should be rotated at least once per year to reduce the period of time the key could be maliciously used to compromise the integrity of email. Here is a great document on DKIM key rotation: 
 DKIM Key Rotation Best Common Practices
 
3. Expiration: 
 Signatures should have an expiration period greater than your current key rotation period. Old keys should be revoked in DNS as appropriate. (Delete the contents from the “p=” field.)
 
4. Test Mode: 
 The “t=y” declaration is for testing only. Experience has shown that several mail providers ignore the presence of the DKIM signature when they find “t=y”. This mode is to be used for a very short period and only during the initial DKIM ramp-up.
 
5. Monitoring: 
 To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Use DNS to monitor how frequently keys are queried. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
 
6. DomainKeys is a deprecated protocol; use DKIM instead. (See: <a href="https://knowledge.ondmarc.com/learn-about-dkim/what-is-the-difference-between-domainkeys-and-dkim" rel="nofollow noopener noreferrer" target="_blank">What is the difference between DomainKeys and DKIM?</a>)
 
7. Hashing Standards: 
 Deprecate the use of SHA1 for hashing and move to SHA256 as per <a href="https://tools.ietf.org/html/rfc6376#section-3.3" rel="nofollow noopener noreferrer" target="_blank">RFC 6376, Section 3.3.</a> 
 
8. Third Party Mailers: 
 Organizations should be engaged with anyone that sends mail on their behalf to ensure that their third-party vendor (i.e., their email service provider) complies with these best practices.