In discussions with the security teams of many of our enterprise customers, Retarus’ experts often encounter a commonly overlooked risk. The issue is that some email security solutions activate the DKIM “l=” tag (length tag) by default. While this option indeed made sense in the past, it now poses significant security risks.
What is the DKIM “l=” tag? And what was it originally conceived to do?
DKIM (DomainKeys Identified Mail) is a proven method for ensuring that emails are not surreptitiously tampered with while in transit. The recipient uses a public key to verify that the content and certain headers have not been altered.
The “l=” tag specifies how many bytes of the message body are covered by the signature; everything after that point is left unsigned. Originally, this option was useful for scenarios involving mailing lists or forwarding, in which the message body is altered (e.g., by appending footers), as it enables the core email text to still be recognized as valid.
Why does the “l=” tag pose a security risk?
At the same time, this mechanism exposes a substantial attack surface: anything appended after the signed portion of the body, for instance phishing links or other unwanted content, is not covered by the signature, so the DKIM check still passes. Since the signature remains formally valid, DMARC checks also become less effective. What’s more, it opens up the opportunity for attacks to be carried out by means of forwarding, which has led some large email providers to respond with warnings or rejections.
What makes this particularly dangerous is that some security solutions activate the “l=” tag by default without users even being aware of it. Meanwhile, our customers had assumed that their emails were fully signed and secure. This is not just a theoretical problem. Audits conducted by our experts show that DKIM signatures using the “l=” tag are still in use in some organizations, potentially allowing their emails to be manipulated without DKIM verification failing.
Recommendations for inbound emails
Recipients are well advised to examine emails carrying an “l=” tag carefully. One option is for companies to quarantine such messages by default using their own email security solution; alternatively, they could ignore the DKIM signature so that the email remains subject to other security mechanisms such as SPF or DMARC.
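To make the mechanism and the inbound check concrete, here is an added Python example (not Retarus code): it computes the DKIM body hash with and without an “l=” tag, shows that appended text does not change a body hash limited by “l=”, and flags such messages the way the recommendation above suggests. The domain, selector, message text and appended footer are constructed placeholders, and the header signature (b= tag) is omitted because only the body hash matters here.

```python
import base64
import hashlib
import re

def canonical_body(body: bytes) -> bytes:
    """'simple' body canonicalization (RFC 6376 3.4.3): drop trailing empty lines, keep one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 over the canonical body, or over only its first `length` octets when l= is set."""
    canon = canonical_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def build_signature(body: bytes, use_length_tag: bool) -> str:
    """Constructed DKIM-Signature value (placeholder domain/selector, b= omitted) with or without l=."""
    hdr = f"v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; bh={body_hash(body)}"
    if use_length_tag:
        hdr += f"; l={len(canonical_body(body))}"
    return hdr

def body_hash_matches(body: bytes, tags: dict) -> bool:
    """Verifier side: recompute bh= honouring l=, exactly as a DKIM verifier must."""
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, length) == tags["bh"]

def has_unsigned_tail(body: bytes, tags: dict) -> bool:
    """Inbound check: l= is present and shorter than the body, so octets after the prefix are unsigned."""
    return "l" in tags and int(tags["l"]) < len(canonical_body(body))

# Constructed sample: the message as signed, and the same message with text appended in transit.
ORIGINAL = b"Hello,\r\nyour statement is ready.\r\n"
APPENDED = ORIGINAL + b"\r\nFooter appended after signing.\r\n"

if __name__ == "__main__":
    tags = parse_tags(build_signature(ORIGINAL, use_length_tag=True))
    print("bh matches after append:", body_hash_matches(APPENDED, tags), "| unsigned tail:", has_unsigned_tail(APPENDED, tags))
```

Run without the length tag, the same appended message fails the body-hash comparison, which is why signing the whole body is the safer default for senders.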
Recommendations for outbound emails
Senders should avoid using the “l=” tag and instead digitally sign the entire message content. Security can additionally be bolstered through periodically rotating DKIM keys, using distinct selectors for different mail streams and, where applicable, setting expiration dates for signatures.