
Do you find it necessary to regenerate your DKIM keys every 1-6 months to avoid your mail going into the receiving servers' junk mail folder?

Some guides recommend this, some even say it's "Best Practice" to do so, but most other guides don't mention it at all. Evidently it is Best Practice to do so, but what is your real world experience?

Just modernized my old Debian 7 Postfix server to include DKIM + DMARC (+ SPF) and want to know if I should be doing ongoing maintenance to regenerate the keys.

What are most people doing? What are your real world experiences? Have you noticed old keys being the cause of your mail being sent to the junk folder?

I'm a low-volume sender, maybe 5-10 emails/day get sent through my server.

Jeff
  • @anx Oh yeah? Try explaining that to Microsoft who just banned my SMTPs' IP address from sending to any of their domains (outlook.com, live.com, msn.com, hotmail.com) even though my IP is thoroughly clean (no blacklists, proper PTR, proper SSL cert, SPF, DKIM, DMARC). – Jeff Oct 09 '20 at 15:27

1 Answer

Is it necessary to rotate DKIM keys?

Only so far as it is necessary to regularly train all other disaster recovery procedures. It is certainly helpful to just do it regularly, but for most (smaller) operations, monthly rotations would be way overkill and steal away resources from other, more important regular checks & drills.

There used to be an argument about people factoring (learning the keys without compromising your server) the keys, but you should not be using old algorithms with short keys anyway (These days, you can transport >=1024 bit RSA keys over DNS, and more recently ed25519 has been proposed as the next algorithm as RSA looks increasingly slow & bulky in comparison).

But what if recipients interpret my rare key rotations as a spam signal?

If I were to utilize DKIM key age as a parameter in my spam filtering, I would assign a negative score to recently first-seen keys, because that happens to be more strongly correlated with spam content.

But even if this is not the case for other recipients, it's probably not one of the signals most would care about, in terms of effect size. There are almost infinitely stronger indicators for shady or badly maintained operations; it is rarely necessary to even look at the age of the utilized DKIM key when you can look at much simpler and much stronger indicators.

For a detailed discussion of the things that are stronger indicators, see the canonical question about fighting spam.

What are your real world experiences?

Some recipients keep a list of indicators (IPs, networks, names, naming patterns(!), DKIM keys) and derive reputation data from correlating them. Those recipients are less likely to cause trouble for you if you avoid changing both DKIM keys and IP addresses at once - as long as there is overlap, they can automatically assume both are owned by the same party. If they do not realize the new key is owned by the same party, you will be treated as unknown, and in terms of spam filtering, unknown means stricter filters.

Have you noticed old keys being the cause of your mail being sent to the junk folder?

Only in the context of old keys no longer fulfilling the minimum requirements (RSA keys shorter than 1024 bits are no longer deemed useful for everyone). This is, however, unrelated to the actual key age; it just happens to be more likely for keys generated before such large keys could be reliably transported in DNS.

anx
  • Do you consider a random email to my mother as *unsolicited* mail? If so, at least half of my mail is unsolicited. Would love to hear your thoughts on my Microsoft comment above, I'm still in a state of shock about it, which led me to post this question on serverfault. – Jeff Oct 09 '20 at 17:17
  • @Jeff Unless any recipient repeatedly clicks `Report Junk Mail` instead of `Delete` (which, by the way, is a very real scenario because webmail interfaces are often horrible at correctly explaining the buttons), I would not expect personal mail to play any role in automated spam filtering. But maybe you want to explore the *if it's not me, maybe it's others in my network* avenue. – anx Oct 09 '20 at 17:25
  • Okay thanks. I have a /26 block of IPs and the only IP I know for sure Microsoft blocked was just one of them - my SMTP server. It happened after I (successfully) sent an email to a friend with a live.com address. He then replied to me, and I then tried to reply to him only to receive an Undeliverable Message stating that my IP was on the M$ blocklist. – Jeff Oct 09 '20 at 17:36
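The answer's actual deliverability concern is key strength rather than key age: an RSA modulus shorter than 1024 bits, or a key left published after it should have been revoked. The following is an added example, not code from the answer or from any DKIM implementation: a small stdlib-only auditor that parses a selector's DKIM TXT record, extracts the RSA modulus length from the `p=` SubjectPublicKeyInfo (or the raw 32-byte key for `k=ed25519`), and flags records below the 1024-bit floor the answer mentions. The `make_rsa_spki` and `dkim_record` helpers exist only to construct sample records offline; the moduli they build are placeholders, not real keys.

```python
import base64

def parse_dkim_txt(txt):
    """Tag dict from 'v=DKIM1; k=rsa; p=...', dropping folding whitespace in values."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _der_tlv(buf, i):
    """Return (tag, value_start, value_end) of the DER element starting at buf[i]."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + ln

def rsa_modulus_bits(spki):
    """Bit length of n from SubjectPublicKeyInfo{AlgId, BIT STRING{SEQ{n, e}}}."""
    _, i, _ = _der_tlv(spki, 0)                    # outer SEQUENCE
    _, _, end = _der_tlv(spki, i)                  # AlgorithmIdentifier, skipped
    _, i, _ = _der_tlv(spki, end)                  # BIT STRING; first byte = unused bits
    _, i, _ = _der_tlv(spki, i + 1)                # RSAPublicKey SEQUENCE
    _, s, e = _der_tlv(spki, i)                    # INTEGER n
    return int.from_bytes(spki[s:e], "big").bit_length()

def audit_dkim_record(txt, min_rsa_bits=1024):
    """Return (algorithm, key_bits, acceptable) for one DKIM selector TXT record."""
    tags = parse_dkim_txt(txt)
    key = base64.b64decode(tags.get("p", ""))
    if not key:
        return ("revoked", 0, False)               # empty p= revokes the selector
    algo = tags.get("k", "rsa")                    # k= defaults to rsa (RFC 6376)
    if algo == "ed25519":
        return (algo, len(key) * 8, len(key) == 32)  # RFC 8463: raw 32-byte key
    bits = rsa_modulus_bits(key)
    return (algo, bits, bits >= min_rsa_bits)

# --- constructed sample input (placeholder moduli, not real keys) ---
def _der(tag, body):                               # DER TLV with short/long-form length
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def _int(v):                                       # DER INTEGER, zero-padded if high bit set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def make_rsa_spki(n, e=65537):                     # SubjectPublicKeyInfo for RSA (n, e)
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _int(n) + _int(e))))

def dkim_record(key_der, k=None):
    """TXT string as it would be published at <selector>._domainkey.<domain>."""
    return f"v=DKIM1;{f' k={k};' if k else ''} p={base64.b64encode(key_der).decode()}"
```

Feed `audit_dkim_record` the TXT value returned by `dig TXT <selector>._domainkey.<domain>` to check a live selector; a `False` third element means the record is either too short or already revoked.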