2

Can I simply change the RSA key used in DKIM (DNS TXT Record) without changing the DKIM selector or will this result in any issues?

If not, what's them the purpose of the DKIM selector?
BTW: 20120113 is the selector I'm talking about in 20120113._domainkey.gmail.com

Florian Schneider
  • 293
  • 3
  • 8

3 Answers3

5

As you can read here "....A selector is added to the domain name, used to find DKIM public key information...".

Also, in Wikipedia terms: "...The receiving SMTP server uses the domain name and the selector to perform a DNS lookup [...] the selector is a straightforward method to allow signers to add and remove keys whenever they wish..."

In other words, if you are sending a DKIM-signed e-mail, you have to tell external mail-servers HOW they can retrieve your RSA key to check the validity of your email. The RSA-key is published into your DNS, ok, but WHERE? Which DNS-query will retrieve it? How will they know which DNS query/record resolve? This is where the selector plays its role: if you are sending mail from the example.com domain and, in your mail, you declare whatever as selector then:

  • in the outgoing mail-header you need to reference your domain and related selector, like in:

DKIM-Signature [...] d=example.com; [...] s=whatever

  • in your DNS you have to provide a TXT record for whatever._domainkey.example.com publishing your RSA key, like in:

whatever._domainkey.example.com IN TXT "k=rsa\; t=s\; p=MIGfMA[...]AQAB"

As you can see, the DNS-query is in the form <selector>._domainkey.<your_domain>

Based on this, we can say that:

  1. the RSA-key can be replaced/updated without any impact on the selector. Obviously it's critical that, when you update one side of the key (the public one, published on the DNS), you change also the other side (the one used to "sign" your outgoing mail);

  2. if you leave the selector unchanged while updating the RSA-key, than a side effect is that.... remote clients (not servers; I'm talking about MUAs) that for whatever reasons want to check the DKIM-signature included in their old/archived e-mails, will fail the verification process (as the archived e-mail has been signed with a private-key whose public-one, the one published on the DNS, has been updated and now is different!).

I want to add that, in my experience, I'm used to think that DKIM-signing/verification is a process targeting the transport of the e-mail, and not the verification client-side. So I would bet that it's quite safe to update the KEYs leaving the selector untouched.

By I also think that.... if you're going to update the KEYs, than you've to change both your signing-code (that need to point to new private-key) and the DNS (to publish the new public-key in the TXT record). So, why not to change also the selector (again, at both side?). You will end up having TWO selectors published on the DNS, one pointing to the old-key and another one pointing to the new one. In this way, everything will be fine during SMTP-transport and, also, MUAs will be able to validate old/archived e-mails as the old-key, associated to old selector, is still available.

Damiano Verzulli
  • 3,948
  • 1
  • 20
  • 30
  • `I want to add that, in my experience, I'm used to think that DKIM-signing/verification is a process targeting the transport of the e-mail, and not the verification client-side. So I would bet that it's quite safe to update the KEYs leaving the selector untouched.` Be careful with this assumption. DKIM has nothing to do with transport; the signature is a header like any other that is irrelevant to transport or routing. DKIM is used by the receiver specifically to verify whether the message truly originates from the sender indicated and was not modified in transit. – cmeid Jan 06 '16 at 23:36
  • @cmeid: I agree that such a statement sounds a bit strong. What I mean is that it's common to have DKIM-checking activities **inside** the final SMTP-server (there are plenty of content-filters for Postfix or other SMTP-servers, as well as other plenty of email filters --antivirus, antispam, etc.-- out there). But once the message has been delivered, by the final SMTP server, to the user mailbox, than it's only a matter of the MUA... and I'm not aware of any MUA doing DKIM-verification of e-mails, nor during POP3/IMAP fetch, nor later on. What's your opinion on this? I'm really interested BTW! – Damiano Verzulli Jan 06 '16 at 23:56
  • I see what you mean now. DKIM should be verified sometime before final delivery, by an MTA before the MDA. After delivery, the MUA *may* do something based on the `Authentication-Results:` header, but it should not re-validate the actual signature. (Not least for the reasons above, that keys may have been rotated or de-published in the interim.) – cmeid Jan 07 '16 at 18:48
3

Can I simply change the RSA key used in DKIM (DNS TXT Record) without changing the DKIM selector or will this result in any issues?

Yes, you can, but without a good reason I would strongly advise not to do so.

Here are some reason why reusing the selector would not be a good idea:

  • DNS changes can take some time to propagate. If a selector is reused after a key change, this can result in the verification failing for e-mails send shortly after the key change.
  • You do not know how much time will elapse between sending and verification. This could result in older messages failing the verification after the key change. Some possible reason for the delay:
  • Message getting stuck during transit.
  • Although I think very uncommon, verification can also happen inside the MUA ([there exists an add-on for Thunderbird which does this][1])
  • From the RFC: "Reusing a selector with a new key (for example, changing the key associated with a user’s name) makes it impossible to tell the difference between a message that didn’t verify because the key is no longer valid and a message that is actually forged. For this reason, Signers are ill-advised to reuse selectors for new keys. A better strategy is to assign new keys to new selectors."

What's the purpose of the DKIM selector?

"To support multiple concurrent public keys per signing domain". Here are some use-cases for concurrent keys:

  • "Beyond administrative convenience, selectors make it possible to seamlessly replace public keys on a routine basis."
  • Allow different entities to sign your e-mails (with a different key and selector) without the need to share a private key. This is useful for:
  • delegating signing to an external organization
  • administratively distributed organizations
  • Make it possible to explicitly revoke a key (by leaving the public-key data (the "p=" tag) empty).

All quotes are from the [RFC 6376][2]. [1]: https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier/ [2]: https://www.rfc-editor.org/rfc/rfc6376#section-3.1

Community
  • 1
user228011
  • 226
  • 1
  • 2
1

You can do this. It's not necessarily BCP though.

The reason to have multiple selectors is specifically so that a key can remain valid for a period of time after being rotated.

For example, if you change the RSA key used in selector 20120113, then any message that was still in a queue somewhere and is later delivered will fail DKIM because the key has changed.

Ideally, you would publish a new key, 20160106 if you did it today, and add that as an additional selector. That way, messages using both keys can be validated. After a reasonable period of time, say two weeks, you can depublish the old key.

(I am assuming you don't really mean the key 20120113._domainkey.gmail.com literally? If you really are talking about a Gmail key, stop and talk to John RG internally before changing anything.)

cmeid
  • 386
  • 1
  • 3