{"id":11532,"date":"2025-12-11T11:53:29","date_gmt":"2025-12-11T10:53:29","guid":{"rendered":"https:\/\/www.retarus.com\/blog\/en\/wenn-eine-scheinbar-harmlose-dkim-option-zum-sicherheitsrisiko-wird\/"},"modified":"2026-01-14T17:01:33","modified_gmt":"2026-01-14T16:01:33","slug":"seemingly-harmless-dkim-option-emerges-as-security-risk","status":"publish","type":"post","link":"https:\/\/www.retarus.com\/blog\/en\/seemingly-harmless-dkim-option-emerges-as-security-risk\/","title":{"rendered":"Seemingly harmless DKIM option emerges as security risk"},"content":{"rendered":"\n
In discussions with the security teams of many of our enterprise customers, Retarus\u2019 experts often encounter a commonly overlooked risk. The issue is that some email security solutions activate the DKIM \u201cl=\u201d tag (length tag) by default. While this option indeed made sense in the past, it now poses significant security risks.<\/p>\n\n\n\n
DKIM (DomainKeys Identified Mail) is a proven method for ensuring that emails are not surreptitiously tampered with while in transit. The recipient uses a public key to verify that the content and certain headers have not been altered.<\/p>\n\n\n\n
The \u201cl=\u201d tag specifies how many bytes of the message body the signature covers; everything after that point is left unsigned. Originally, this option was useful for scenarios involving mailing lists or forwarding, in which the message body is altered (e.g., by appending footers), as it allows the original email text to still be recognized as valid.<\/p>\n\n\n\n
At the same time, this mechanism exposes a substantial attack surface: because content beyond the signed length is not covered, phishing links or unwanted content can be appended to a message without causing the DKIM check to fail. Since the signature remains formally valid, DMARC checks also become less effective. What\u2019s more, it opens up the opportunity for such attacks to be carried out by forwarding a legitimately signed message, which has led some large email providers to respond with warnings or rejections.<\/p>\n\n\n\n
What makes this particularly dangerous is that some security solutions activate the \u201cl=\u201d tag by default without users even being aware of it. Meanwhile, our customers had assumed that their emails were fully signed and secure. This is not just a theoretical problem: audits conducted by our experts show that DKIM signatures using the \u201cl=\u201d tag are still in use in some organizations, potentially leaving their emails open to manipulation that does not cause DKIM verification to fail.<\/p>\n\n\n\n
Recipients are well advised to carefully examine emails with \u201cl=\u201d tags. One option would be for companies to initially quarantine these messages by default using their own email security solutions, or alternatively they could ignore the DKIM signature so that the email remains subject to other security mechanisms such as SPF or DMARC.<\/p>\n\n\n\n
Senders should avoid using the \u201cl=\u201d tag and instead digitally sign the entire message content. Security can additionally be bolstered through periodically rotating DKIM keys, using distinct selectors for different mail streams and, where applicable, setting expiration dates for signatures.<\/p>\n","protected":false},"excerpt":{"rendered":"
In discussions with the security teams of many of our enterprise customers, Retarus\u2019 experts often encounter a commonly overlooked risk. The issue is that some email security solutions activate the DKIM “l=” tag (length tag) by default. While this option indeed made sense in the past, it now poses significant security risks.<\/p>\n","protected":false},"author":12,"featured_media":11533,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_s2mail":"yes","footnotes":""},"categories":[8],"tags":[102],"class_list":["post-11532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-email-security"],"acf":[],"yoast_head":"\n