1. 10
  1. 4

    The recommendation to rotate DKIM keys can cause problems. Rotating DKIM keys involves two steps:

    • Add a new key with a new selector and use this to sign new outgoing mail.
    • Remove the old key.

    The first one is very easy to do but doesn’t protect against this kind of attack. The second prevents replay attacks but also causes emails sent before the key rollover to fail to verify. An email caught in a greytrap or held up in a human-moderated mailing list may be blocked for a day or more before reaching the final recipient(s), at which point it will fail the DKIM check if the key has been revoked.

    Regularly rolling over keys such that you have one in-use key and one old key that is no longer used for signing but is still valid is a good idea, but it is difficult to do the ‘I’m under attack, quick, roll over keys’ thing that the article implies that they did without preventing delivery of legitimate email.

    1. 2

      Sigh, while I understand the rationale, I feel designing an anti-spam system with a built-in replay mechanism is questionable.
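
The trade-off described in the key-rotation comment above, as an added example that is not part of the original thread: it counts how many delayed legitimate messages fail and how many replayed messages still verify, depending on how long the old key stays published after rollover. The selector name, delivery times and the choice to ignore DNS caching are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # seconds


@dataclass
class Selector:
    name: str
    removed_at: Optional[int]  # time the DNS key record is withdrawn; None = still published


def verifies(sel: Selector, delivered_at: int) -> bool:
    # A receiver can check the signature only while the public key is in DNS.
    # Simplification (assumption): DNS caching of the key record is ignored.
    return sel.removed_at is None or delivered_at < sel.removed_at


# Constructed deliveries, all signed with the old selector before the
# rollover at t=0. Each entry is (kind, delivery time in seconds).
DELIVERIES = [
    ("legit", 2 * HOUR),    # delayed by a greytrap
    ("legit", 30 * HOUR),   # held in a human-moderated mailing list
    ("replay", 1 * HOUR),
    ("replay", 20 * HOUR),
    ("replay", 40 * HOUR),
]


def rollover_outcome(grace_hours: int) -> dict:
    """Count results when the old key is removed grace_hours after rollover."""
    old = Selector("old-selector", removed_at=grace_hours * HOUR)  # constructed name
    result = {"legit_failed": 0, "replay_verified": 0}
    for kind, delivered_at in DELIVERIES:
        ok = verifies(old, delivered_at)
        if kind == "legit" and not ok:
            result["legit_failed"] += 1
        elif kind == "replay" and ok:
            result["replay_verified"] += 1
    return result


if __name__ == "__main__":
    # 0h models the emergency rollover; 24h and 48h model a grace period.
    for grace in (0, 24, 48):
        print(f"old key removed after {grace:>2}h: {rollover_outcome(grace)}")
```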