DKIM Selector

DKIM Selector

DKIM (DomainKeys Identified Mail) is a protocol for using public-key cryptography to verify that email is authentic and has not been tampered with. To accomplish this, DKIM uses public-key cryptography and hosts public keys on special subdomains that are located using an identifier called the?DKIM Selector?in an email’s headers. This makes the selector not merely an important part of DKIM but one that is absolutely integral: Without the selector, recipients wouldn’t know where to look for the public key.

In this article, we provide the details of what a DKIM selector does, using real examples of production DKIM selectors on live domains. We’ll then walk you through an illustrated guide to setting up your own DKIM keypair using Google Workspace, which you can point your selector to. Finally, we’ll provide some best practices to ensure that your DKIM selector is secure and reliable.

Before we begin, let’s cover some basic technical terminology that will be required to understand the rest of the content.

No alt text provided for this image

How a DKIM Selector Works

A DKIM selector is simply a specific DNS label or a name that identifies a location in the DNS where a public key is published. Setting up a DKIM selector is as easy picking a random name to use as your selector, configuring your mail server to use that as your DKIM selector, and publishing a TXT record with your public key to the subdomain?selector._domainkey.example.com, where?selector?is whatever selector you chose, and?example.com?is your domain name.?

When you configure your outgoing mail server for DKIM, you’ll have to tell it what selector you’re using so it can include that selector in the DKIM-Signature header of all outgoing emails. Using this header, recipients will know what subdomain to query to find your public key and thus be able to verify your DKIM signature and know that your email is legitimate.?

But enough theory—let’s take a look at some existing DKIM selectors and see what they look like and how they work.?

Analyzing a Real DKIM selector

Gmail is the most popular email provider by a large margin, with over 50% of the US market,?according to TechJury. Let’s look at the headers of an email sent from Gmail and find the selector. Here are the raw headers:

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed
    	d=gmail.com; s=20210112;
    	h=mime-version:from:date:message-id:subject:to;
    	bh=5pSA59B/++wEmEvVdANtcX6VWOlY9vhzaru62DcmQas=;
    	b=A4U3Vs+mPJ/xCgPyvDHl5eIVwc2SBBXcdLV/PrN;        

The selector can be found via the?s?tag, which here points to 20210112. Now we just do a DNS lookup for TXT records at?20210112._domainkey.gmail.com?and we should find the DKIM public key. Let’s see what happens:

$ dig -t TXT +noall +answer 20210112._domainkey.gmail.co
20210112._domainkey.gmail.com. 300 IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5RwssQ9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeGRQ"m        

Seeing that we do, in fact, see such a record, note that it contains three tags. The?v?tag refers to the version, which is DKIM1, and?k?refers to the key algorithm, which in the wild will always be?rsa. Most important is the?p?tag, which contains the sought-after public key.?

Deploying a DKIM Selector Via Google Workspace

Now that we’ve had the pleasure of picking apart a DKIM selector created by highly experienced admins at Google, let’s solidify that understanding by creating our own DKIM keypair from scratch that we can publish and to which we can point the selector. To accomplish this, we’ll use Google Workspace.

First, log into your?Google Admin Console.

No alt text provided for this image

From the Admin Console, open the hamburger menu in the top left corner and click?Gmail. You should now see a page dedicated to Gmail admin settings that looks something like Figure 2.

No alt text provided for this image

Once here, click the?Authenticate Email?option and select the domain for which you want to set up the DKIM selector. You’ll see a button that says?Generate New Record. Click it, and you should be presented with the menu in Figure 3

No alt text provided for this image

This is the screen where we’ll actually implement our selector! Set the key bit length to 2048, then change the selector from?google?to whatever you want. You can pick anything, or even leave it as?google, which is the default. In the best practices section below, we’ll offer some recommendations for which of these choices is the best.

If you have any difficulty following the above instructions, an excellent video tutorial for implementing a DKIM selector can be found on the?Google Workspace Youtube channel.

Best Practices

Before wrapping up, let’s look at some basic suggestions for implementing a DKIM selector in the most secure way.

Rotate DKIM Selectors

The key itself should be rotated frequently, replacing the old key with a new one. Given enough time, attackers could crack the key and thus be able to send emails from your domain that would pass DKIM verification. How much time is enough? According to a report by Quintessence Labs titled?Breaking RSA Encryption – an Update on the State-of-the-Art, “It would take a classical computer around 300 trillion years to break a RSA-2048 bit encryption key.” So using a strong, 2048-bit key dramatically mitigates this risk. Nevertheless, it’s also possible for keys to leak by accident or be stolen, and sometimes this occurs without the admins ever finding out.?

A rotation policy means that even if a key is stolen, it will only work for a brief period of time. If the attacker gets a key after it has been rotated out, it will be useless.

Set a Low TTL on TXT Records

Keys are rotated by publishing a new key at a new location, not by editing an existing DNS record. However, if there is a mistake or error, it may be necessary to change the key on an old selector. If that happens, we want the new key to be quickly propagated.?

“TTL” stands for “Time to Live” and refers to the amount of time a DNS record lives in the cache of nameservers. A TTL between 60 and 300 seconds is optimal.

Publish Old DKIM Keys

Imagine that a hacker leaks sensitive emails from your organization to sell on the dark web, blackmail your employees, or cause a scandal in the press to hurt your business. The hacker would need some way to prove that the emails were authentic. Otherwise, buyers or the public may suspect that the emails weren’t real and that the attacker just created them.

If the emails have a valid DKIM header, that would be?proof?that the emails are authentic! In other words, DKIM can help attackers prove that stolen emails are legitimate.

To solve this, you can simply publish old private keys after rotating them out of use. That way, as long as the emails are old enough that the key for them has been rotated out, anyone could have created the email with a “valid” DKIM header. In other words, publishing old, rotated private keys offers plausible deniability in case old emails are stolen, making the authenticity of leaked emails from your organization harder for attackers to prove.

For a deeper explanation of this practice, read the article?Ok Google: please publish your DKIM secret keys.

Conclusion

Email security protocols can look like an impenetrable labyrinth of obscure technical terminology. As the means for connecting the received email in a user’s inbox with the public key needed for verifying the authenticity of the email, the DKIM selector is a core feature of DKIM and, therefore, the email security ecosystem.

By breaking down complex concepts and looking at single features in isolation, such as DKIM selectors, new admins can build towards understanding the bigger picture.

This article was originally published on https://www.valimail.com/email-security-best-practices/dkim-selector/

要查看或添加评论,请登录

社区洞察