Wandering Thoughts archives

2022-07-07

DKIM signature types (algorithms) that we see (as of July 2022)

A lot of email these days is signed with DKIM, partly because signing email with DKIM is increasingly mandatory in practice. But 'signed with DKIM' is a broad category, because DKIM has more than one signing algorithm and, on top of that, it is used with (public) keys of different lengths.

What signing algorithms DKIM supports in practice is a matter for some discussion. The initial DKIM RFCs, such as RFC 6376, support rsa-sha1 and rsa-sha256. RFC 8301 deprecates rsa-sha1 and says that it shouldn't be used (and that a message with only an rsa-sha1 DKIM signature should be considered to fail validation). RFC 8301 also says RSA keys must be at least 1024 bits long and should be at least 2048 bits; again, messages with too-small keys should be considered to fail validation. RFC 8463 defines Ed25519-based DKIM keys, but apparently very few big providers actually support them, which makes them relatively pointless and useless in practice. Probably the most broadly useful algorithm and key length is rsa-sha256 with 2048-bit keys.

Over the past ten full days, our central mail server has seen almost 85,000 DKIM signatures on 75,100 messages (a single message can have multiple DKIM signatures). Over the same time the machine received about 96,000 messages (7,000 of them internally generated by users and machines here). Signature algorithms break down as follows:

 44074  a=rsa-sha256 b=1024
 37865  a=rsa-sha256 b=2048
  7141  a=rsa-sha1 b=1024
   311  a=rsa-sha1 b=2048
    18  a=rsa-sha256 b=1016
     8  a=rsa-sha256 b=768
     5  a=rsa-sha256 b=1032
     4  a=rsa-sha256 b=4096
     3  a=rsa-sha1 b=4096
     1  a=rsa-sha256 b=3072
     1  a=rsa-sha1 b=768
     1  a=rsa-sha1 b=2056

If I look only at verified signatures, the numbers are a bit different:

 40270  a=rsa-sha256 b=1024
 32221  a=rsa-sha256 b=2048
  1880  a=rsa-sha1 b=1024
   205  a=rsa-sha1 b=2048
     5  a=rsa-sha256 b=768
     4  a=rsa-sha256 b=1032
     3  a=rsa-sha1 b=4096
     1  a=rsa-sha256 b=4096
     1  a=rsa-sha1 b=768
     1  a=rsa-sha1 b=2056

(Despite RFC 8301, Exim remains willing to verify DKIM signatures using either or both of rsa-sha1 and keys under 1024 bits.)
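To make the RFC 8301 and RFC 8463 rules above concrete, here is an added example (not code from this post or from Exim) that parses the a= tag out of DKIM-Signature header values, tallies algorithm and key size pairs in the same "a=... b=..." style as the counts above, and grades each signature as a strict RFC 8301 verifier would. The header values and key sizes are constructed samples; the key size is assumed to be whatever the verifier learned from the selector's DNS record, since it is not carried in the header itself.

```python
import re
from collections import Counter

# RFC 8301: rsa-sha1 is deprecated and a message carrying only rsa-sha1
# signatures should fail; RSA keys MUST be >= 1024 bits and SHOULD be
# >= 2048 bits. RFC 8463 adds ed25519-sha256.
MIN_RSA_BITS = 1024
RECOMMENDED_RSA_BITS = 2048

# Constructed sample input: a DKIM-Signature header value plus the size of the
# signer's public key as the verifier reported it. The key size is not in the
# header; it comes from the selector's DNS TXT record (the p= tag).
SAMPLE_RESULTS = [
    ("v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to; bh=...; b=...", 2048),
    ("v=1; a=rsa-sha256; d=example.org; s=s2; h=from:to; bh=...; b=...", 1024),
    ("v=1; a=rsa-sha256;\r\n\td=example.net; s=s3; bh=...; b=...", 1024),
    ("v=1; a=rsa-sha1; d=old.example; s=s4; h=from; bh=...; b=...", 1024),
    ("v=1; a=rsa-sha256; d=tiny.example; s=s5; h=from; bh=...; b=...", 768),
    ("v=1; a=rsa-sha1; d=old2.example; s=s6; h=from; bh=...; b=...", 2048),
    ("v=1; a=ed25519-sha256; d=new.example; s=s7; h=from; bh=...; b=...", 256),
]

def parse_algorithm(header):
    """Pull the a= tag out of a (possibly folded) DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*a=([^;\s]+)", header)
    return m.group(1) if m else None

def classify(algorithm, key_bits):
    """Grade one signature as 'ok', 'weak' or 'fail' under RFC 8301/8463."""
    if algorithm == "ed25519-sha256":
        return "ok"
    if algorithm == "rsa-sha1":
        return "fail"                      # deprecated hash, treat as unsigned
    if algorithm == "rsa-sha256":
        if key_bits < MIN_RSA_BITS:
            return "fail"                  # below the MUST threshold
        if key_bits < RECOMMENDED_RSA_BITS:
            return "weak"                  # verifies, but below the SHOULD
        return "ok"
    return "fail"                          # unknown or missing algorithm

def tally(results):
    """Count (algorithm, key size) pairs in the post's 'a=... b=...' style."""
    return Counter(f"a={parse_algorithm(h)} b={bits}" for h, bits in results)

def policy_summary(results):
    """How many signatures a strict RFC 8301 verifier would accept or reject."""
    return Counter(classify(parse_algorithm(h), bits) for h, bits in results)

if __name__ == "__main__":
    for line, n in tally(SAMPLE_RESULTS).most_common():
        print(f"{n:6d}  {line}")
    print(dict(policy_summary(SAMPLE_RESULTS)))
```

Run against a real verifier's per-signature log, the 'weak' bucket is the 1024-bit rsa-sha256 traffic that still verifies today but sits below the RFC 8301 recommendation, and the 'fail' bucket is what a lenient verifier such as Exim accepts that a strict one would not.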

The largest shrinkage is in 1024-bit rsa-sha1. Since our central mail server sees messages after their Subject line may have been tagged as spam (which breaks the DKIM signature), some of this drop may be spam that was signed with 1024-bit rsa-sha1. In general our external SMTP gateway sees significantly fewer 'headers probably modified' verification mismatches than our central mail server does. But even our external SMTP gateway sees about 4,400 'headers probably modified' mismatches over the same ten-day period.

(And even on our central mail server about 74,600 DKIM signatures across about 62,200 email messages did verify. So a lot of our email does have good DKIM signatures.)

PS: It's a more or less deliberate design decision that if we think a message is spam, we break the DKIM signature by tagging the Subject with a marker. Us tagging the Subject predates any widespread use of DKIM and people here expect it, but when DKIM started to be a thing we (I) thought about it and decided that this was a feature.

spam/DKIMSignatureTypes-2022-07 written at 22:43:39
