DKIM key rotation for enhanced security

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Hello and I hope everyone is doing well.

I was reading up on DKIM key rotation as a security measure, which recommends occasional DKIM rotation to prevent hacking of emails, etc. The link for this is here:
Can anyone suggest what is the best way to do this with cpanel? I don't think deleting the keys then restarting the mail server will succeed.
Thank you.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! We had an older feature request for this year, but it did not get much action:


You could always delete the key from the DNS zone, and recreate it in cPanel >> Email Deliverability.

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
That sounds like a sound solution. It's easy to delete the key from the DNS zone. So are you saying doing so will then automatically create a new one via running cPanel >> Deliverability?

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Email headers show the associated sender is host.domain.com, not domain1.com. And in fact, all email sent from this server whether domain1.com or domain2.com or domain3.com use host.domain.com for sending.

So is it the same process rebuilding the dkim keys for host.domain.com?

Perhaps I should regenerate the key for host.domain.com? If that works then it follows how would such a change cascade down to the other domains?

In fact that would be good - one fell swoop changing host.domain.com and all the other keys changing would actually be a good thing. No?

alankru

Active Member
Jan 2, 2006
cPanel Access Level
Root Administrator
I have created 2 cPanel accounts and when I go into the Email Deliverability interface -> manage there is a little link to "view the private key". I can clearly see that the private keys for DKIM are different between the 2 cPanel accounts. I've also tested with 2 different domains in 1 cPanel account and the DKIM private keys are still different. So cPanel uses different DKIM keys per domain, which is inherently more secure than one DKIM key for all domains.

I can confirm that simply deleting the DNS record does not cause cPanel to generate a new private DKIM key, it simply prompts cPanel to re-input the DNS record (which is the public key part). To rotate the private DKIM key, you would presumably need to find out where it is stored on the system for that particular domain (I don't have that answer) and presumably delete it, along with the DNS record.

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Makes sense. From building systems on other non-cPanel platforms I can concur with your findings. The private keys will be stored in some other directory. Most likely /var/cpanel/domain_keys.
I'm guessing I can delete them and cPanel will auto-regenerate when creating new DKIM records. . . Or not. . . who knows?

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
I built a test server and removed the domain's entries from /var/cpanel/domain_keys, but they were still generated with the exact same key when I recreated them, so it appears this is server and domain dependent.

I've reached out to our email team to see if I can get more details on this and I'll let you know as soon as I have them.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Alright, I confirmed the following process will generate a new and unique key. Can you try this on your side?

Code:
mkdir -p /root/private_key_temp
mkdir -p /root/public_key_temp
mv /var/cpanel/domain_keys/private/yourdomain.com /root/private_key_temp/
mv /var/cpanel/domain_keys/public/yourdomain.com /root/public_key_temp/
# then go back to cPanel >> Email Deliverability, click on Manage, and then Generate Local DKIM Key

I confirmed that created a new key for the domain. It's important to note that portions of the key will still look similar to the previous key, such as the beginning and the end, as that is where the domain and key info is stored, but the middle sections will be unique.
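A small shell helper for the procedure cPRex describes, added here as an example and not cPanel's own tooling: it stashes the domain's key pair into a timestamped, root-only backup directory instead of loose /root/*_temp folders, and provides a digest comparison so you can confirm after clicking Generate Local DKIM Key that the new key actually differs from the old one rather than eyeballing the middle of the PEM text. The /var/cpanel/domain_keys/{private,public}/DOMAIN layout comes from the thread; the function names and the backup layout are my own assumptions.

```shell
#!/bin/sh
# Added example: stash a domain's DKIM key pair out of the cPanel key
# directory and verify that regeneration produced a different key.
# KEYDIR and BACKUPDIR are parameters so the functions can be exercised
# on a scratch tree instead of the live /var/cpanel/domain_keys.

# Usage: dkim_stash_keys DOMAIN KEYDIR BACKUPDIR
# Moves KEYDIR/private/DOMAIN and KEYDIR/public/DOMAIN into
# BACKUPDIR/<timestamp>/{private,public}/ and prints the backup path.
dkim_stash_keys() {
    domain=$1; keydir=$2; backup=$3
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$backup/$stamp"
    if [ ! -f "$keydir/private/$domain" ]; then
        echo "no private DKIM key found for $domain" >&2
        return 1
    fi
    mkdir -p "$dest/private" "$dest/public"
    # The backup holds a private signing key, so keep it root-only.
    chmod 700 "$dest" "$dest/private"
    mv "$keydir/private/$domain" "$dest/private/"
    # The public half may be absent; move it only if it exists.
    [ -f "$keydir/public/$domain" ] && mv "$keydir/public/$domain" "$dest/public/"
    echo "$dest"
}

# Usage: dkim_key_digest FILE -> SHA-256 hex digest of the file contents
dkim_key_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: dkim_rotated OLDFILE NEWFILE
# Returns 0 when the two key files differ (rotation succeeded) and 1 when
# regeneration reproduced the same key, which is what cPRex saw before
# moving the old files out of the way.
dkim_rotated() {
    [ "$(dkim_key_digest "$1")" != "$(dkim_key_digest "$2")" ]
}
```

After regenerating in Email Deliverability, run `dkim_rotated BACKUP/private/yourdomain.com /var/cpanel/domain_keys/private/yourdomain.com` and only then remove the old TXT record from DNS.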