DKIM Body Length: A Vulnerability as Domain Reputation Increases

It all starts with the DKIM

With the rise of domain reputation, DKIM has become the most important element of email authentication and is fundamental to additional protocols such as DMARC and BIMI.

That’s why it’s important to take a step back and focus on proper DKIM signing, and to follow ongoing developments that will further improve the reliability of DKIM and provide a solid foundation for DMARC and BIMI.

As quickly as the email community develops these standards, the spammers are adapting and finding ways to continue to abuse email for spoofing, phishing, and anything else you can think of.

Understanding DKIM body length

DKIM was created to prove the integrity of an email. It includes several parameters, specified in RFC 6376, that provide additional metadata for signature validation. Here we focus on two parameters that are becoming important for commercial bulk email:

  • the “l=” tag (body length) specifies how many bytes of the message body were signed, so validation of the signature covers only that part of the body.
  • the “x=” tag (signature expiration) lets the verifier treat the signature as invalid if the time of verification is after the expiry timestamp.

Recommendation for DKIM

To create a more solid foundation for the DKIM authentication we recommend the following two practices to improve email security for outbound emails.

  1. Sign your complete email body and remove the “l=” tag from your DKIM signature. When no “l=” tag is specified, the mailbox provider (MBP) treats the whole email body as covered by the DKIM signature and validates all of it.
    The most critical part of an email, and the biggest security threat to the average end user, is the body. It contains the content – the links, the text, the images. We all know that emails from well-known and trusted organisations can be captured by a spammer, manipulated and sent back to their original destination.
    Even when the body length value covers the full body at signing time, it is still a limit, and validation ends there: anything appended beyond that point is not covered by the signature. A fraudster will use this limitation to append their own malicious content and create a threat for the receiving end user.
  2. Set an explicit expiration date using the “x=” tag to limit the validity of your DKIM signature. The DKIM signature for bulk commercial email is only required for initial inbound authentication. The receiving MBP only needs to validate the incoming commercial email once and does not need to retain the DKIM signature. For bulk commercial email, the DKIM signature should expire within a maximum of 48 hours. This reduces the window of opportunity for fraudsters to position their email scams.
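As an added illustration (not code from the original post), the following Python audits a DKIM-Signature header value against the two practices above and, using simple body canonicalization and constructed sample bodies, shows why an “l=” value that covers the whole body at signing time still leaves appended text unverified. The header values, timestamps and bodies are constructed samples.

```python
"""Audit a DKIM-Signature header value for the l= and x= practices (RFC 6376)."""
import base64
import hashlib
import re

MAX_LIFETIME_SECONDS = 48 * 3600  # 48-hour ceiling recommended for bulk commercial mail


def parse_dkim_tags(header_value):
    """Split a 'tag=value; tag=value' list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def audit_dkim_signature(header_value):
    """Return a list of findings; an empty list means both recommendations are met."""
    tags = parse_dkim_tags(header_value)
    findings = []
    if "l" in tags:
        findings.append("l= present: only the first %s bytes of the body are signed" % tags["l"])
    if "x" not in tags:
        findings.append("x= missing: the signature never expires")
    elif "t" in tags and int(tags["x"]) - int(tags["t"]) > MAX_LIFETIME_SECONDS:
        findings.append("x= is more than 48 hours after the signing time t=")
    return findings


def simple_body_hash(body, length=None):
    """bh= over the simple-canonicalized body (RFC 6376 section 3.4.3), truncated to l= if given."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = canon.rstrip("\r\n") + "\r\n"  # trailing empty lines collapse to one CRLF
    if length is not None:
        canon = canon[:length]  # the l= tag: everything past this point is unsigned
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


# Constructed samples: t=/x= are one week apart in RISKY and exactly 48 h apart in GOOD.
RISKY_HEADER = "v=1; a=rsa-sha256; d=example.com; s=sel; t=1700000000; x=1700604800; l=35; h=from:to; bh=x; b=y"
GOOD_HEADER = "v=1; a=rsa-sha256; d=example.com; s=sel; t=1700000000; x=1700172800; h=from:to; bh=x; b=y"
ORIGINAL_BODY = "Hello,\r\nYour invoice is attached.\r\n"       # 35 bytes, fully covered by l=35
APPENDED_BODY = ORIGINAL_BODY + "Text added after signing.\r\n"  # what a forwarder could append
```

With l=35 the body hash of the appended message equals that of the original, so the signature still verifies; without l= the two hashes differ and the tampering is detected.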

Latest research and its consequences

The body length parameter in particular has already been flagged as a potential vulnerability in RFC 6376 (section 8.2, Misuse of Body Length Limits).

Now this long-known vulnerability seems to be attracting new attention, as recent research (see the Zone Media OÜ blog) suggests it is being used for email abuse. Some mailbox providers are responding by planning to filter out emails whose signature carries a body length limit. Given this uncertainty, we believe that email blocking cannot be ruled out.

The critical side effect is the credibility of DMARC and BIMI. If the real vulnerability lies in the basic authentication protocol they build on, they lose their value, and their long-overdue adoption is jeopardised.

But it is still in our hands. ESPs could easily update their DKIM signing practices and close this loophole.
