HackerTrans
TopNewTrendsCommentsPastAskShowJobs

awulf

no profile record

Submissions

RFC 9989: What's New in the Latest DMARC Specification

dmarcchecker.app
4 points·by awulf·2 tháng trước·0 comments

DNSSEC and Why It Matters for Email Security

dmarcchecker.app
2 points·by awulf·năm ngoái·0 comments

Cracking a 512-bit DKIM key for less than $8 in the cloud

dmarcchecker.app
799 points·by awulf·2 năm trước·408 comments

comments

awulf
·năm ngoái·discuss
I built a free DMARC/DKIM/SPF checker: https://dmarcchecker.app/. No usage limits, no ads—just a small footer link to one of my other projects. Made it for the exact reason you mentioned.
awulf
·2 năm trước·discuss
An easy way is to check the length of the p= value in the DKIM record. If it's around 216 characters, it's likely a 1024-bit key. A 2048-bit key usually has about 388 characters.
awulf
·2 năm trước·discuss
The DKIM verification failed with the result "dkim=policy (weak key)," as it should according to RFC 8301: "Verifiers MUST NOT consider signatures using RSA keys of less than 1024 bits as valid signatures."
awulf
·2 năm trước·discuss
I guess most of these keys are decades old and no longer in use. They're likely just sitting in the DNS because someone forgot to delete them. Now, no one's sure if they're still needed and is afraid to remove them in case it breaks something. Or maybe they're still used by a legacy system, and no one realizes the impact an old DKIM record could have.
awulf
·2 năm trước·discuss
I published the article today, though it was written a few months ago (when the DKIM record was still online).
awulf
·2 năm trước·discuss
I agree, but to be precise, it was 1,726 out of 476,617 DKIM keys found across those 1M domains, or about 0.36%. Since it's impossible to determine all DKIM records a domain might have from the outside, I used a list of commonly used selectors (e.g., "default' or 'key1") for the search. It's likely there are additional short keys under selectors I didn't check.