Is my DKIM key Insecure?

Various folks have been asking lately if their DKIM key might be "insecure." At least one ISP out there is failing working keys with "verification failed; insecure key" as the error. A number of small, second or third tier ISPs note that the DKIM validation passed, but with a warning: "1024-bit key; insecure key."

After talking to folks and doing a bit of investigation, I think that ISP should not be failing the DKIM signature in question. The key passes perfectly fine elsewhere, and my suspicion is that the ISP in question is running an out-of-date version of OpenDKIM. I myself have had issues with "insecure" warnings from OpenDKIM -- when that happens, what it's actually complaining about is that the sending entity hasn't implemented DNSSEC. As I mentioned in my prior post, yeah, DNSSEC is a good thing and something to look at, but I would posit that it's really not appropriate to level an error (or a big scary warning) in an email header over this, because a great number of perfectly fine entities have yet to implement it.

Indeed, the specification governing DKIM signatures (RFC 6376) mentions DNSSEC in passing but does not list it as a requirement.

TL;DR? "Insecure key" just means a sender is not running DNSSEC; it's not common or appropriate to fail a DKIM signature for this reason.

Update: A friend asks, what if the "verification failed" and "insecure key" messages are unrelated? This quite possibly could be the case. Data's a bit thin, but if so, it would still suggest to me that the ISP in question is potentially using a broken or out of date install of OpenDKIM. I am noting that it is likely OpenDKIM due to the "insecure" message and I am suggesting "broken or out of date" due to failing a DKIM key that is working when tested elsewhere. I'll provide an update if/when I learn more about this issue.
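To see what a verifier is actually reporting, here is an added example (not code from the post or from OpenDKIM) that parses Authentication-Results values of the shape quoted above and separates the DNSSEC warning from the signature result. The header values, authserv-id and domains are constructed samples modelled on the wording in the post.

```python
import re

# Constructed Authentication-Results values modelled on the wording the post
# quotes ("1024-bit key; insecure key"); not captured from any real ISP.
SAMPLES = {
    "warn": "mx.example.net; dkim=pass (1024-bit key; insecure key) "
            "header.d=sender.example header.s=sel1",
    "fail": "mx.example.net; dkim=fail (verification failed; insecure key) "
            "header.d=sender.example header.s=sel1",
}

RESINFO_RE = re.compile(
    r"^\s*(?P<method>[\w-]+)=(?P<result>\w+)\s*(?:\((?P<comment>[^)]*)\))?(?P<props>.*)$")

def split_resinfo(text):
    """Split on ';' except inside a parenthesised comment."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == ";" and depth == 0:
            parts, cur = parts + ["".join(cur)], []
        else:
            cur.append(ch)
    return parts + ["".join(cur)]

def parse_auth_results(value):
    """Return (authserv-id, [{method, result, comment, props}, ...])."""
    authserv, _, rest = value.partition(";")
    results = []
    for m in filter(None, map(RESINFO_RE.match, split_resinfo(rest))):
        props = dict(t.split("=", 1) for t in m["props"].split() if "=" in t)
        results.append({"method": m["method"], "result": m["result"],
                        "comment": (m["comment"] or "").lower(), "props": props})
    return authserv.strip(), results

def classify_dkim(value):
    """What the dkim= result actually says about the sender's key."""
    _, results = parse_auth_results(value)
    dkim = next((r for r in results if r["method"] == "dkim"), None)
    if dkim is None:
        return {"status": "none"}
    bits = re.search(r"(\d+)-bit key", dkim["comment"])
    # "insecure key" only reports that the key record was fetched without DNSSEC
    # validation; a verified signature still passes, and it does not explain a fail.
    return {
        "status": dkim["result"],
        "key_bits": int(bits[1]) if bits else None,
        "dnssec_validated": False if "insecure key" in dkim["comment"] else None,
        "selector": dkim["props"].get("header.s"),
    }
```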

DMARC: Gmail "p=reject" policy is coming

First Yahoo. Then AOL. Recently, additional Yahoo domains. Next up? Gmail. DMARC.org announced today that Gmail will move to publish a more restrictive DMARC policy in 2016. Read more over on Word to the Wise. (H/T WTTW)

Add Other Email Accounts to Yahoo Mail

Want to access your AOL or Outlook.com mail via Yahoo! Mail? Yahoo's got you covered.

The deliverability consultant in me wonders exactly how this is accomplished. It might be that only the inbox folders come across and you probably don't get a chance to see anything in your AOL or Outlook.com spam folder. I find a fair number of false positives in my Gmail spam folder; but that doesn't mean that the same would be true of AOL or Outlook, or even of the Gmail spam folder for other regular joe users, who aren't email nerds like we are.

Additional Yahoo Domains to get DMARC "Reject" Policy

You may recall that Yahoo implemented a "p=reject" DMARC policy in April 2014 for their primary yahoo.com domain name. (And AOL did the same for aol.com shortly after.) This changed the email landscape significantly. Among other things, email forwarding, discussion groups, and spam were all impacted, for better or for worse.

Today, Yahoo announced on the DMARC-Discuss mailing list that they will be similarly implementing a "p=reject" DMARC policy for their ymail.com and rocketmail.com domains on November 2, 2015.

The domains ymail.com and rocketmail.com are alternate domains that Yahoo! Mail users can use when creating an account. They are thus pretty much equal to yahoo.com when you consider what people use them for, or what kinds of traffic you would typically see from them.

A Yahoo representative also explained that "[in] the coming quarters you can expect Yahoo to publish similar policies for other Yahoo owned and operated domains, including international Yahoo domains (e.g. yahoo.ca), Yahoo Groups, Flickr and Tumblr."

If you run mailing lists or email forwarding, and you've already updated your software to appropriately handle domains with a DMARC "p=reject" policy, you probably don't have to do anything new here, assuming you didn't just hard code your software to special case aol.com and yahoo.com.
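As an added illustration of that last point (example code, not from any list or forwarding package), this looks up the published DMARC policy for the author's domain, including the subdomain policy, and decides from that whether the message needs From: rewriting, so no domain list has to be hard-coded. The _dmarc records and domains are constructed stand-ins for DNS answers.

```python
# Constructed _dmarc TXT records standing in for DNS answers; the domains and
# records are hypothetical, not anyone's real published policy.
DMARC_RECORDS = {
    "yahoo.example": "v=DMARC1; p=reject; rua=mailto:dmarc@yahoo.example",
    "corp.example": "v=DMARC1; p=none; sp=quarantine; rua=mailto:r@corp.example",
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; None if not a DMARC record."""
    tags = {}
    for item in txt.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def effective_policy(domain, records=DMARC_RECORDS):
    """Policy that applies to a From: address at `domain`.

    Exact match: p= applies.  Otherwise walk up to the first parent that
    publishes a record and use its sp= (falling back to p=).  This 'strip one
    label at a time' walk stands in for RFC 7489 organizational-domain
    discovery, which needs the public suffix list.
    """
    tags = parse_dmarc(records.get(domain, ""))
    if tags:
        return tags.get("p", "none").lower()
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        tags = parse_dmarc(records.get(".".join(labels[i:]), ""))
        if tags:
            return tags.get("sp", tags.get("p", "none")).lower()
    return "none"

def needs_from_rewrite(from_domain):
    """List/forwarder decision: rewrite From: (or otherwise avoid re-sending the
    author's domain unchanged) whenever its policy is enforcing, instead of
    special-casing a hard-coded list such as yahoo.com and aol.com."""
    return effective_policy(from_domain) in ("reject", "quarantine")
```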

⛄ Put a snowman in your subject line ⛄

I'm not going to lie; I think it's a bit silly. But, I get asked about this pretty darn regularly: How can I put symbols in my subject line? Well, it's kind of easy. First, you have to know what symbol you want to use, then you just need to know what the right bit of code is to represent that symbol, and how to paste it into your favorite ESP's editor as the right bit of code.

Thanks to Steve Atkins of Word to the Wise, it's now very easy to answer the "which bit of code" question. Just click on over to the Encoding tool on wiseTools, and type in the name of the character you want to use. You can even type in a partial name and get a list of matches. (Try typing in "star" for example.) After you select a symbol (glyph), you're taken to a page with details of how to copy and paste, or type, the desired symbol in different ways for different use cases. Copy and paste your bit of code into your email tool, and away you go!
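For the curious, this added example (my own code, not the wiseTools implementation) does the same three things in a few lines of Python: a partial-name search over Unicode character names, the "bits of code" for one glyph (HTML entity, hex, UTF-8 bytes), and the RFC 2047 encoded-word form that actually travels in the Subject: line.

```python
import unicodedata
from email.header import Header, decode_header

def find_symbols(partial, limit=10):
    """Partial-name search like the encoding tool: 'snowman' -> matching glyphs."""
    needle = partial.upper()
    hits = []
    for cp in range(0x20, 0x30000):          # BMP plus the emoji planes
        name = unicodedata.name(chr(cp), "")
        if needle in name:
            hits.append((cp, name))
            if len(hits) >= limit:
                break
    return hits

def representations(cp):
    """The 'bits of code' for one code point, for the usual paste targets."""
    ch = chr(cp)
    return {
        "char": ch,                                   # paste as-is into a UTF-8 editor
        "unicode": f"U+{cp:04X}",
        "html_decimal": f"&#{cp};",                   # for HTML templates
        "html_hex": f"&#x{cp:X};",
        "utf8_hex": ch.encode("utf-8").hex(" "),      # raw bytes on the wire
    }

def encode_subject(text):
    """RFC 2047 encoded-word form that an MTA puts on the Subject: header line."""
    return Header(text, "utf-8").encode()

def decode_subject(encoded):
    """Inverse of encode_subject, as a receiving client would display it."""
    return "".join(part.decode(charset or "ascii") if isinstance(part, bytes) else part
                   for part, charset in decode_header(encoded))
```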

It's pretty easy, and kind of fun to play with, too!

Need DNS Tools?

I've revised the XNND.com simple DNS tools site a bit; I hope you'll find it useful.

If you're looking for more tools, I'd suggest checking out the wiseTools site from Word to the Wise, the email consultancy service run by Laura and Steve Atkins (also home of the Abacus abuse desk ticketing system). WTTW even has a Labs site with bits of code you can download, if you'd like to get your hands a bit dirty.