Publication Date – September 11, 2023
| Message | Description | Remediation Instructions | Finding Grade |
|---|---|---|---|
| Public key size is less than 2048 bits | Keys shorter than 2048 bits may be insecure. | Use OpenSSL or SSL implementation of your choice to generate a new keypair, and specify 2048 bits or greater of key strength at generation. Implement the stronger keypair into your DKIM configuration. | WARN |
| Malformed public key | There is a problem with the public key that may render it ineffective. The key may not have been produced or configured properly. | Check that your keys are properly stored and the DKIM record has the correct key. You may need to generate a new public key. | BAD |
| Public key size is smaller than 1024 bits | Keys shorter than 1024 bits can be broken with consumer devices. A key length of 2048 bits is recommended. | Use a TLS implementation of your choice to generate a new RSA key pair and specify bit strength that is larger than 1024 bits. Implement the stronger key pair into your DKIM configuration. To avoid a WARN grade on your new key, specify at least 2048 bits. | BAD |
| This DKIM record contains a malformed flag value | Your record uses unrecognized flags that may make it ineffective. | If it's used, double check that your “t=” statement only has “y” or “s” for values, as allowed in RFC-4871, DomainKeys. | BAD |
| This DKIM Record is intended for testing purposes | This key is for testing purposes only and should be treated the same way as an unsigned email. | Remove the “t=y” tag from your record to receive full evaluation of your DKIM configuration. | NEUTRAL |
| This DKIM record contains an empty public key | This typically indicates the key has been revoked. | NEUTRAL |