In our study on the SPF, DKIM, and DMARC records of the top 1M websites, we were surprised to uncover more than 1,700 public DKIM keys that were shorter than 1,024 bits in length. This finding was unexpected, as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018. Driven by curiosity, we decided to explore whether we could crack one of these keys. Our goal was to extract the private key from a public RSA key, enabling us to sign emails as if we were the original sender. We were also curious to see whether emails signed with this compromised key would pass the DKIM verification checks of major email providers like Gmail, Outlook.com, and Yahoo Mail, or if they would outright refuse to verify a signature generated with such a short key.

Three decades ago, breaking a 512-bit RSA public key was a feat achievable only with a supercomputer. Today, it’s possible to do so in just a few hours for less than US$8 on a cloud server. And if you have a powerful computer at home with 16 or more cores, you could accomplish this even more swiftly and cost-effectively. There’s no good reason to use 512 or 768-bit keys these days. Email providers should automatically reject any DKIM signature generated with an RSA key shorter than 1,024 bits. We’ve alerted Yahoo, Mailfence, and Tuta about our findings and shared this advice with them. Domain owners must also take action by reviewing their DNS settings for any outdated DKIM records that don’t comply with the 1,024-bit minimum standard. A simple way to check a DKIM record’s p tag is to count its Base64 characters: a 1,024-bit RSA public key will have at least 216 characters.