DomainKeys Identified Mail (DKIM) is the most effective, widely deployed email forgery countermeasure available today... if implemented correctly. Many of the world’s largest and most trusted companies, including some of those driving the standard, have fatally flawed deployments. When the first standard for SMTP was published in 1982, the Internet was a much smaller and safer place. Ever since the first spammers, we’ve been trying to fix email with various hacks such as callout verification, forward confirmed reverse DNS, PGP, S/MIME, SPF, Sender ID, DomainKeys, DKIM, and an ever-changing collection of filters. All of them have serious flaws. This talk will cover several common mistakes made when deploying DKIM and how they can be exploited to achieve the holy grail of email forgery.