
I'm setting up a new email server and decided to up my DKIM to 2048-bit, which by studies is now the common value. Running opendkim-genkey, the output seems different than the old 1024-bit version.

mydomain.com._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwvUrzLbX7ZoAmAwNN7D2vGl+u4WRaiGOPjTXvOtTWiVcMhJ0ed8oG4Xmwc7tTtVVLK85cHYXenYjICTBfvj6RuHikgKo5z1LNhebb8Sgf1oR69wQId7+jo+Ooh9jCNHu20F9pndcuVdeoHMQ19kCgm7O9KK/TbxRrf2LAQNHtr/8w2mzVqEQi6fqsW6OIF13v6c1eZ7hMKMOYl"
          "gnC0C0Cumf/+vzpPggz1JDIQG9kbXJih4+ua4IM5BAZKC8W3uUWNQN2E30l2B3GNInraXeh4rDJ8nRSuEliVy5+y/dGeUwdwKEAPy3wXH11ZPXA30HKOesXPQxpNAWGckg8I57AUXAUX86gtLW+5EdAlD/eulgAwRP/iNB4I9bPtyoLUL8+SLR6bpaJZIBVyXs5JddSFfUHxl/d7Q5vJdDUqe5voU9If+wavW4MdySsKVk680fmQYaX529"
          "LT15lYR5FRz9Rg5JHqefrK1Wnpxp8ZxR3vgISrytlSDyAuGFPWfILjS8G5QGTh2BHuib9OHsiIa7s31FO+ROk9ZhO3+2xTA81bFb8s3bGLb/NP3NOzfTKvVN9MwnmBfy40QkXefDw2So3xnrmlJNoURja5lUAMm08pEaqGniwWIyfDuEoPwr+aadk4rrQNUejiQ3KDUtIdqV9Tos3Z6iBpzLp66mpkYxJ9ECAwEAAQ==" )  ;
----- DKIM key mydomain.com for mydomain.com

You can see the "p=" is followed by three strings. When this was done for 1024, there was only one string. Is this correct to upload to DNS, or do I merge the strings?

gariac

1 Answer


The output is fine if you plan to use it directly in Bind or something that has a compatible format for the zone configuration files.

The brackets make sure Bind interprets all the lines as one record, and it will just concatenate the strings. It outputs like this because the 2048 bit key is fairly long and the opendkim-genkey author must think it's nicer to spread it over a couple of lines rather than have one very long line. (A lot of software developers actually have maximum line length rules for source code - this isn't 'source code' of course, but still some people develop an ingrained distaste for long lines.)

If you're using an online DNS service, you may find you have to enter it all as one line, in which case yes, just merge the whole thing together (removing the double quotes and brackets).

Additional completely personal preference note - I'm not a fan of the selector "mydomain.com". You'll end up with a DNS entry for mydomain.com._domainkey.mydomain.com. The common one I see is 201706._domainkey.mydomain.com, which shows the year/month the key was generated and allows you to replace the key in future with a new one, whilst keeping the old record in place during the changeover. (e.g. In 6 months create a 201712 keypair and start using that, then when you're sure no email signed by the old key is floating about in queues somewhere, delete the 201706 DNS entries.)

USD Matt

I have to use a token scheme to upload to the VPS DNS. It won't allow a paste longer than 512 chars. I like your idea on the selector. To be honest, reading online guides on DKIM leave you with a WTF is the intent of this field. Making it just work is one thing, but making it useful is something else. This is a new server (replacement for existing) that I am trying to make an improved version since the old one was the first time I ever set one up. Replacing keys routinely is on my list. I set up a letsencrypt instead of the 10 year lifetime key I'm using now for TLS. – gariac Jun 27 '17 at 20:51
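As an added example, not part of the question, the answer, or opendkim's own code: the script below reproduces both halves of the exchange. It builds a record in the multi-string zone-file layout shown in the question (the split exists because RFC 1035 caps each TXT character-string at 255 octets, which is also why Bind rejects a single overlong string), then merges the strings the way the answer describes and checks that the p= value decodes to an RSA SubjectPublicKeyInfo of the expected size. The modulus is a constructed random number standing in for a key, the selector 201706 is borrowed from the answer, and function names such as check_record and merge_txt_strings are the example's own.

```python
"""Merge and sanity-check a multi-string DKIM TXT record (added example).

The sample key material is constructed: a random 2048-bit integer wrapped in
the DER SubjectPublicKeyInfo layout that a real p= value uses, so the script
runs offline without any real key.
"""
import base64
import re
import secrets

TXT_STRING_MAX = 255  # RFC 1035 limit per <character-string> in a TXT RR
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


# --- minimal DER helpers (just enough for an RSA SubjectPublicKeyInfo) -------
def _der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # DER INTEGER is signed: pad so the value stays positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def _der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key: the bytes behind p=."""
    alg_id = _der_tlv(0x30, RSA_OID_DER + b"\x05\x00")  # rsaEncryption, NULL params
    rsa_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits


def rsa_modulus_bits(spki: bytes) -> int:
    """Key size of an RSA SubjectPublicKeyInfo; ValueError if it is not one."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, pos = _der_read(body)
    if tag != 0x30 or not alg_id.startswith(RSA_OID_DER):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_key, _ = _der_read(bit_string[1:])  # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_key)
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


# --- the zone-file side --------------------------------------------------------
def bind_style_record(selector: str, domain: str, spki: bytes) -> str:
    """Multi-string TXT RR in the layout the question shows: the tag header in
    one string, then p= split into strings of at most 255 octets."""
    p_value = "p=" + base64.b64encode(spki).decode()
    strings = ["v=DKIM1; k=rsa; "] + [
        p_value[i:i + TXT_STRING_MAX] for i in range(0, len(p_value), TXT_STRING_MAX)
    ]
    body = "\n".join(f'          "{s}"' for s in strings)
    return f"{selector}._domainkey.{domain}. IN TXT (\n{body} )"


def txt_strings(record: str) -> list[str]:
    """All quoted <character-string>s of a Bind TXT RR, in order; the ( ) and
    line breaks are zone-file syntax only and carry no data."""
    return re.findall(r'"((?:[^"\\]|\\.)*)"', record)


def merge_txt_strings(record: str) -> str:
    """What a resolver hands a DKIM verifier: the strings joined with nothing
    in between (no whitespace added or removed)."""
    strings = txt_strings(record)
    for s in strings:
        if len(s.encode()) > TXT_STRING_MAX:  # Bind would reject this too
            raise ValueError(f"string of {len(s)} octets exceeds the 255-octet TXT limit")
    return "".join(strings)


def dkim_tags(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; whitespace around tags is ignored."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def check_record(record: str) -> dict:
    """Merge a zone-file record and report what the p= value actually holds."""
    txt = merge_txt_strings(record)
    tags = dkim_tags(txt)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    spki = base64.b64decode(tags["p"], validate=True)  # stray quotes/brackets fail here
    return {"strings": len(txt_strings(record)), "merged_length": len(txt),
            "p_length": len(tags["p"]), "key_bits": rsa_modulus_bits(spki)}


# Constructed sample: a random 2048-bit odd number standing in for a modulus.
SAMPLE_MODULUS = secrets.randbits(2048) | (1 << 2047) | 1
SAMPLE_RECORD = bind_style_record("201706", "mydomain.com", rsa_spki_der(SAMPLE_MODULUS))

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(check_record(SAMPLE_RECORD))
```

For a 2048-bit key the SubjectPublicKeyInfo is 294 bytes, so p= is 392 base64 characters and the record comes out as three strings (header, 255 octets, remainder) that merge to 410 characters, which is why the question's 1024-bit key fitted in one string and a larger one does not. merge_txt_strings(SAMPLE_RECORD) is the one-line form to paste into a web DNS panel; check_record will fail on a paste that still contains the quotes or brackets, and it refuses any single string over 255 octets, the same limit Bind enforces.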