I reported an insecure DKIM key to Deutsche Telekom / T-Systems.

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 17:42:04 GMT

crispycat@mastodon.calitabby.net — Thu, 16 Apr 2026 17:42:04 GMT

@badkeys i didn't know anything below rsa-1024 even existed!

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 17:41:20 GMT

bebef@mastodon.social — Thu, 16 Apr 2026 17:41:20 GMT

@stellated @kkarhan @momo @badkeys Bit more discussion in German to be found here: https://borncity.com/blog/2025/02/25/merkwuerdige-vorschriften-bei-der-telekom-fuer-e-mail-versand/

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 17:38:14 GMT

bebef@mastodon.social — Thu, 16 Apr 2026 17:38:14 GMT

@stellated @kkarhan @momo @badkeys It works like this: send an email to a Telekom recipient. Mail bounces with

: host mx03.t-online.de[194.25.134.73] refused to talk to

me: 554 IP=1.2.3.4 - None/bad reputation. Ask your postmaster for help

or to contact tobr@rx.t-online.de for reset. (NOWL)

Send an email to tobr@rx.t-online.de, hilarity ensues.

(They send a reply pointing you to https://postmaster.t-online.de/#t4.1)

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 17:24:02 GMT

stellated@mastodon.sdf.org — Thu, 16 Apr 2026 17:24:02 GMT

@Bebef @kkarhan @momo @badkeys
Do y'all have any docs on this you could link? Is it a blanket automated check a la DKIM and SPF or is it something that's reviewed when appealing an anti-spam listing? My search queries aren't turning up much.

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 14:45:01 GMT

momo@social.linux.pizza — Thu, 16 Apr 2026 14:45:01 GMT

@j_r
War bei mir ähnlich. Wer seinen Mailkram dann bei der Telekom hatte, hatte halt Pech. Zwischendrin hatte ich deren ASN im Spamfilter geblockt, weil ja, dann halt auch in beide Richtungen. Dann schlug aber der WAF Alarm und da blieb mir keine Wahl mehr... ich hab aber dann wohl beim Support-Lotto das falsche Ticket, gezogen.

(WAF= Wife Acceptance Factor)
@bekopharm

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 14:38:24 GMT

j_r@social.jugendhacker.de — Thu, 16 Apr 2026 14:38:24 GMT

@momo @bekopharm das dreisteste ist es hängt scheinbar stark davon ab welchen Support Mitarbeiter man erreicht. Hab Jahre lang damit gelebt einfach keine E-Mails an t-online senden zu können. Wurde irgendwann dann aber doch zu nervig und ich habe sie nochmal kontaktiert. Dann haben sie ohne große Nachfrage einfach meine IP freigeschaltet

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 14:10:35 GMT

yama@tech.lgbt — Thu, 16 Apr 2026 14:10:35 GMT

@varx @badkeys Im not arguing with internet strangers. Go dive off a bridge mate

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 14:06:58 GMT

varx@infosec.exchange — Thu, 16 Apr 2026 14:06:58 GMT

@yama @badkeys Out of curiosity, what year are you posting from?

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 12:22:45 GMT

trpalesz@mastodon.social — Thu, 16 Apr 2026 12:22:45 GMT

@16af93 @q @badkeys iirc BSA recommends at least 3000bits

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 12:09:44 GMT

wpalant@infosec.exchange — Thu, 16 Apr 2026 12:09:44 GMT

@badkeys Way to go Telekom! Last time I found a 320 bit RSA key it was “protecting” people’s private information (https://palant.info/2023/01/25/ipinside-koreas-mandatory-spyware/#how-is-this-data-protected) and I even had a little difficulty finding a cryptography library that wouldn’t refuse working with a key so short.

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 11:13:53 GMT

woffs@fe.disroot.org — Thu, 16 Apr 2026 11:13:53 GMT

@badkeys hot take: dkim does not matter anyway

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 10:54:22 GMT

x0r@mamot.fr — Thu, 16 Apr 2026 10:54:22 GMT

@badkeys Modern DKIM implementations should not accept signatures made with RSA keys smaller than 1024 bits, nowadays, so it seems unlikely to me that you could do anything nefarious with a key this weak. The verifier would be equally faulty if it accepts weak keys.

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 10:17:48 GMT

diziet@mastodon.me.uk — Thu, 16 Apr 2026 10:17:48 GMT

@badrihippo @badkeys Yes.

Everyone should be doing the same (rotating DKIM keys and publishing the old private keys). Here's my blog post on the subject:

https://diziet.dreamwidth.org/16025.html

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 08:54:22 GMT

yama@tech.lgbt — Thu, 16 Apr 2026 08:54:22 GMT

@badkeys RSA ?
You can literally get an API key for your python script to access a literal quantum computer. And someone already made shors alg. implementation exclusively for RSA cracking

If it were over 4096 bits its still Not Secure and crackable within seconds.
Literally Any modern post quantum algorirthm is orders of magnitude better...

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 08:52:02 GMT

yama@tech.lgbt — Thu, 16 Apr 2026 08:52:02 GMT

@lunareclipse @badkeys "bad companies", so most of them by nature ?

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:56:36 GMT

m_berberich@chaos.social — Thu, 16 Apr 2026 07:56:36 GMT

@oscherler @tanja

Or they did not understand the problem?

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:55:08 GMT

momo@social.linux.pizza — Thu, 16 Apr 2026 07:55:08 GMT

@bekopharm
Ich konnte sie auf ein Kontaktformular runterhandeln, musste aber versichern, dass der Transport dann nicht per eMail erfolgt. Ich habe ne ntfy-Instanz auf einem meiner Server laufen, das Webformular generiert jetzt eine Notification auf mein Smartphone.

Eigentlich wollte ich den Zugriff per Firewall auf die Admin-Netzwerke der Telekom zumachen, aber das war für sie absolut inakzeptabel.

Aber bei jeder Gelegenheit seine eigenen Kunden in Geiselhaft nehmen und rumprotzen, dass sie der größte Provider Deutschlands sind und damit eigene Regeln festlegen können, an die sich jeder zu halten hat.

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:40:31 GMT

linear@nya.social — Thu, 16 Apr 2026 07:40:31 GMT

@badkeys@infosec.exchange the yafu help describes using siqs for this, which would take that server 2 to 3 hours, but using nfs it took only minutes

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:40:00 GMT

linear@nya.social — Thu, 16 Apr 2026 07:40:00 GMT

@badkeys@infosec.exchange just a few days ago i broke an rsa384 key using yafu on my home server (a ~6 year old dell poweredge, fairly decent spec) as a practice run for something, and it took under 5 minutes

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:38:05 GMT

badrihippo@fosstodon.org — Thu, 16 Apr 2026 07:38:05 GMT

@Diziet never even thought this could be a thing!

So you're basically making it impossible to prove through DKIM signatures that a given email was actually sent from your server?

@badkeys

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:37:55 GMT

janet_catcus@hachyderm.io — Thu, 16 Apr 2026 07:37:55 GMT

@buherator @badkeys @mcr314 probably done by an apprentice anyway

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:29:39 GMT

kramse@helvede.net — Thu, 16 Apr 2026 07:29:39 GMT

@selea @badkeys

no, sounds like they stayed for tooo long on a short length that could be cracked quickly.

they should upgrade to more bits, and re-roll their keys

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:27:25 GMT

bekopharm@indieweb.social — Thu, 16 Apr 2026 07:27:25 GMT

@momo Hab mich damit auch schon herum geärgert und mit einem "Musterbrief" frei gekauft: https://beko.famkos.net/2023/06/02/%c2%b7t%c2%b7%c2%b7%c2%b7error/

Die haben doch echt nicht mehr alle Latten am Zaun o0

Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:09:19 GMT

artlog@agora.l0g.eu — Thu, 16 Apr 2026 07:09:19 GMT

@badkeys

I don't remember have ever seen lower RSA keys size than 512 bits... We have a winner here !