
My organization is working with a vendor that needs to send emails on our behalf. They want us to import a PFX certificate into a DKIM key. We want to understand the implications first.

What precautions can/should we take?

I presume that if some attacker got hold of the key, they might be able to use it to impersonate our email messages. But is there anything else they can do with it?

Can the original cert be extracted and reused in other ways (e.g. converted to a web server or app signer cert)?


DKIM does not work with certificates; it works with plain RSA keys. The private key is used for signing and the public key for validating the signature. To make this possible, the public key must be accessible using DNS, i.e. it is stored in a specific DNS TXT record.

While you could, in theory, use the key pair associated with an existing certificate, there is no need to do this, and it is probably much better to create a new key pair so that the key for an existing certificate does not get compromised at all. Since only the plain public key is stored in DNS, there is also no need to create a certificate with this key and let a CA sign it.
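The following is an added example, not part of the answer above: it generates a fresh RSA key pair, publishes the public half as a DKIM TXT record, and then verifies an rsa-sha256 signature using nothing but what a receiver can read back out of that record. It uses only the Python standard library, so the key generation is a pure-Python stand-in for `openssl genrsa` or the mail server's own DKIM tooling (an assumption made so the example runs offline); the selector `vendor2024`, the domain `example.com` and the signed message are constructed values.

```python
"""Added example, not from the original answer: fresh RSA key pair -> DKIM DNS TXT
record -> signature verified from the DNS record alone. Standard library only.

Constructed assumptions: selector "vendor2024", domain "example.com", and the
pure-Python key generation below, which stands in for `openssl genrsa` or the
MTA's DKIM tooling so that the example runs offline."""
import base64
import hashlib
import secrets

# --- RSA key pair (demonstration; in production generate with openssl or the MTA) ---
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=20):
    """Miller-Rabin after a quick trial-division filter."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits=2048, e=65537):
    """Return (n, e, d); d is the signing key and must never leave the mail server."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

# --- DER SubjectPublicKeyInfo: exactly the bytes DKIM base64-encodes into p= ---
def der_tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload

def der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep it positive

def der_read(buf, pos=0):
    """Return (payload, next_pos) of the TLV starting at buf[pos]."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length

RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # OID rsaEncryption + NULL

def rsa_public_key_spki(n, e):
    """SubjectPublicKeyInfo wrapping an RFC 8017 RSAPublicKey: no certificate, no CA."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    return der_tlv(0x30, der_tlv(0x30, RSA_ENCRYPTION) + der_tlv(0x03, b"\x00" + rsa_public_key))

# --- The DNS side ---
def dkim_txt_record(selector, domain, n, e, max_string=255):
    """Return (owner name, zone-file RDATA). A 2048-bit key does not fit in one
    255-octet DNS character-string, so the value is split into several quoted strings."""
    rdata = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_public_key_spki(n, e)).decode()
    chunks = [rdata[i:i + max_string] for i in range(0, len(rdata), max_string)]
    return f"{selector}._domainkey.{domain}", " ".join(f'"{c}"' for c in chunks)

def parse_dkim_public_key(rdata):
    """What a receiving server does: reassemble the strings and pull (n, e) out of p=."""
    joined = "".join(rdata.strip('"').split('" "'))
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM key record")
    spki, _ = der_read(base64.b64decode(tags["p"]))
    _, pos = der_read(spki)                      # skip AlgorithmIdentifier
    bit_string, _ = der_read(spki, pos)
    rsa_key, _ = der_read(bit_string[1:])        # drop the unused-bits octet
    n_bytes, pos = der_read(rsa_key)
    e_bytes, _ = der_read(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# --- rsa-sha256 as DKIM uses it: RSASSA-PKCS1-v1_5 over SHA-256 (RFC 6376 section 3.3) ---
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha256_verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

if __name__ == "__main__":
    n, e, d = generate_rsa_keypair()
    name, rdata = dkim_txt_record("vendor2024", "example.com", n, e)
    print(name, "IN TXT", rdata)
    msg = b"constructed canonicalised header block"
    sig = rsa_sha256_sign(msg, n, d)
    print("verifies from the DNS record alone:", rsa_sha256_verify(msg, sig, *parse_dkim_public_key(rdata)))
```

Two things the record makes visible: the `p=` tag carries a bare SubjectPublicKeyInfo, so nothing about a certificate, its subject or its issuer is ever published or checked, and the receiver needs only `n` and `e` to verify. If a key pair lifted out of a PFX were used instead, the same `n` would appear both in that certificate and in the DNS record, which is exactly the linkage the answer recommends avoiding by generating a dedicated pair.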
