DKIM key rotation with rspamd

PUBLISHED ON 12/03/2019 — EDITED ON 08/10/2019 — SYSOPS


As with your house keys, DKIM keys should be carefully protected. Unlike house keys, though, you can’t really know when the DKIM keys for your server have been lost and need to be replaced. Best practice is to rotate the keys at least every three months.

Picking a new selector

Pick a new selector, one that you have never used before, or one you have not used in the previous rotation. I rotate DKIM keys monthly, so I will pick the current year and month: 201903.

Generate a new key pair

rspamadm dkim_keygen -b 2048 -s 201903 -k /var/lib/rspamd/dkim/201903.key > /var/lib/rspamd/dkim/201903.txt

This will create two files: 201903.key, which contains the private key, and 201903.txt, which contains the DNS entry you should put into your zone.

2048 bits is the recommended key length, if your DNS supports entries of this size. Otherwise lower it to a minimum of 1024 bits; anything less is considered unsafe. No really, in 2015 you could crack a 512-bit RSA key for a mere $75 and 4 hours (source), so forget about that. On the other hand, take for example a 2048-bit key and see how that goes here.

Add the key to DNS zone record

Prepare the TXT record to add to DNS:

tr -d '\t\n"' < /var/lib/rspamd/dkim/201903.txt

Add the record to your DNS zone: IN TXT v=DKIM1; k=rsa; p=...

Check that the new DNS record is visible and propagated:

dig @your-name-server

If you are reusing a selector, wait 24h for proper DNS propagation. Stay away from web-based lookup tools, so that you do not run into negative caching.

When you confirm the propagation, you may continue.
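
One way to make the propagation check concrete, as an added example that is not part of the original post: compare the p= value in the generated record with what the name server returns, and with the value derived from the private key. The sample records are constructed, example.com is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). The selector is the page's;
# example.com and the sample key text are constructed placeholders.

# Print the bare base64 p= value of a DKIM TXT record read from stdin, in
# zone-file syntax or as `dig +short` prints it. Quotes, parentheses and
# whitespace are dropped first, which rejoins a key split into several strings.
dkim_pubkey() {
    { printf ';'; tr -d ' \t\n"()'; echo; } |
        sed -n 's|^.*;p=\([A-Za-z0-9+/]*=*\).*$|\1|p'
}

# Derive the value p= must have from the private key itself (needs openssl):
# DKIM publishes the base64 of the DER-encoded SubjectPublicKeyInfo.
dkim_pubkey_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | base64 | tr -d '\n'
}

# Succeed only if both record texts carry the same, non-empty public key.
dkim_same_key() {
    a=$(printf '%s' "$1" | dkim_pubkey)
    b=$(printf '%s' "$2" | dkim_pubkey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample: one shortened, made-up key as the generated .txt file
# holds it and as a resolver returns it, split into two strings.
sample_zone='201903._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSAMPLEkeyIDAQAB" ) ;'
sample_dns='"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAcons" "tructedSAMPLEkeyIDAQAB"'

if dkim_same_key "$sample_zone" "$sample_dns"; then
    echo "published key matches the generated record"
else
    echo "MISMATCH: keep signing with the old selector"
fi

# Against a live zone the same check would read (example.com is a placeholder):
#   dkim_same_key "$(cat /var/lib/rspamd/dkim/201903.txt)" \
#       "$(dig +short TXT 201903._domainkey.example.com @your-name-server)"
#   dkim_same_key "p=$(dkim_pubkey_from_private /var/lib/rspamd/dkim/201903.key)" \
#       "$(cat /var/lib/rspamd/dkim/201903.txt)"
```

A mismatch or an empty answer at this point means receivers would fail verification for mail signed with the new selector, so signing should stay on the old one until the check passes.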

Configure rspamd to use new selector

Change the selector used for signing to the newly created one (the value passed with -s):

vim /etc/rspamd/local.d/dkim_signing.conf

Copy the file, as the ARC module uses the same config, or edit the file by hand and set the selector:

cp -R /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Reload configuration

Reload the rspamd service:

service rspamd reload


Test the new keys using or similar.


After 24h, delete the old key/record from your DNS zone.

As the SMTP standard says that mail servers can take a week before timing out, a more conservative approach would be to delete the old record after 7 days.
