DKIM Key Insecure

The DKIM Key output by CreateSend is 768 strength when it should be a strength of 1024 or higher. This is causing us to have a significant number of our emails labeled as spam or completely blocked by some email servers. Being we pay per sent email, this is obviously a bit of a problem as we are paying for our emails to go to people's spam.

Phil, 3 years ago

Hi dvmelite,

Thanks for raising this issue. We are in the process of working to update key lengths in general, so watch this space for further information in the new year. Our understanding at this stage is that no ISPs are yet treating 768-bit keys as unreliable, although we are aware that Gmail, for example, has started ignoring 512-bit keys, which we don't use.

If you have any information or evidence that 768-bit keys are being ignored or adversely affecting delivery, we would love to see it. Please send us a direct support request if you'd prefer to keep it private.

Phil

dvmelite, 3 years ago

I unfortunately did not save the rejected emails that were returned due to the weak keys we were using through Google Apps. Every email sent to Centrylink.net, Comcast.net, Rodgers.com and more ISPs that I don't remember at the moment, were rejecting our email which is run through Google Apps and had a 768-bit key that we generated through the dashboard. This took place Dec 1st - Dec 18 and during this time I tried multiple 768-bit keys all with no success and ultimately disabled the authentication to be able to send email again. It seems since Google has started generating 1024-bit keys for Google Apps we have had no further issues.

roshodgekiss, 3 years ago

Thanks dvmelite, that's really something - sorry about the late reply here. As Phil mentioned, by all means get in touch with us if you would like us to take a look at affected campaigns and we'll do our best to work out what happened here.


Get in touch with us on Twitter: http://twitter.com/campaignmonitor
We're also on Facebook: http://facebook.com/campaignmonitor

eli, 3 years ago

Any update on this? It supposedly doesn't impact inbox delivery, but Gmail does indeed require a 1024-bit key if you don't want "via cmail2.com" or similar on your messages: http://blog.postmarkapp.com/post/51224968159/upgrading-and-rotating-dkim-keys

roshodgekiss, 3 years ago

Hi there eli, to obtain a 1024 bit key and avoid the 'via' message, you'll need to reset your key. To do this, you need to go to authentication settings, delete the domain, and start over again to get a new, longer key and use this to update your DNS settings.

At a later date, we're hoping to automate this process somewhat - but this should work in the interim. Let us know if you have any questions, or run into any issues with this :)


Get in touch with us on Twitter: http://twitter.com/campaignmonitor
We're also on Facebook: http://facebook.com/campaignmonitor
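
After resetting the key and updating DNS as described in the thread, the published record can be checked for its actual RSA key length. The following is an added example, not Campaign Monitor's code or part of any post above: it parses the `p=` tag of a DKIM TXT record (base64 DER SubjectPublicKeyInfo, per RFC 6376) and reports the modulus size against the 1024-bit threshold discussed here. The function names are hypothetical and the sample records are constructed with a placeholder modulus, not a real key.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Bit length of the modulus in a DER SubjectPublicKeyInfo."""
    tag, outer, _ = read_tlv(spki)
    _, _, pos = read_tlv(outer)            # skip AlgorithmIdentifier
    tag2, bitstr, _ = read_tlv(outer, pos)
    if (tag, tag2) != (0x30, 0x03):        # SEQUENCE, then BIT STRING
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_key, _ = read_tlv(bitstr[1:])   # drop unused-bits octet
    _, modulus, _ = read_tlv(rsa_key)      # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt, min_bits=1024):  # threshold from the thread
    """Return (bits, ok) for a DKIM TXT record value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA public key in record")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= min_bits

def _der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Build a sample record; the modulus is a placeholder, not a real key."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for size in (768, 1024):
        print(size, check_dkim_record(constructed_record(size)))
```

To check a live domain, pass in the TXT value returned for `<selector>._domainkey.<domain>`, with any quoted string chunks joined first.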
