3

I've followed instructions to set up SPF and DKIM on my mailing server. SPF is working fine so far, however I am having a problem with DKIM. On every single instruction website, they show that the output after generating the key would be a single key. However, it generates 2 keys for me - not exactly 2, I would say one and a half(!). Here is the output in mail.txt -

mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+aTMFobW7/VoT+36RJZOQ0cLtr4PxsWT0DHhRreE6a2IuXIOktviQkkXtLb2NXn5gjAZfPscss11Vr+kLFWM2OWF+B1qFpBB8J9zg6L8vjdkzIt5mt1oPOkFg7CcCEhU8dnbRpps00xsu4aVNuda7yr0+4sCwcTsObuESSQ3hYFWl33+OVTqiYAPqykX/mADvLYVxQF9UUJlO" "M+Vx8siFcENppNrqrbkSkhPfaNWYSqoXT9ZvFzHYOzcLqfx5HeJn3E7tAP6VDKKpoQjvUifQDp+oE0x9BgFdP63e7mxIZH1e78c4p8NTnZ8RAO4DQOFgCSn61Anm4OHspYJNpA0wIDAQAB" ) ; ----- DKIM key mail for mydomainname.com

I've copied the first part to my dns -

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+aTMFobW7/VoT+36RJZOQ0cLtr4PxsWT0DHhRreE6a2IuXIOktviQkkXtLb2NXn5gjAZfPscss11Vr+kLFWM2OWF+B1qFpBB8J9zg6L8vjdkzIt5mt1oPOkFg7CcCEhU8dnbRpps00xsu4aVNuda7yr0+4sCwcTsObuESSQ3hYFWl33+OVTqiYAPqykX/mADvLYVxQF9UUJlO

which seems not to be working. Gmail shows (Gmail received an email sent from this server, sent to spam):

dkim=neutral (invalid public key) header.i=@mydomain.com header.s=mail header.b=chWKWyaM;

How do I deal with these 2 (one and a half) outputs and add them to DNS? I tried merging them - same result. Tried regenerating, get 2 every time.

Thanks in advance

b0xed

1 Answer

4

You've built a 2048-bit key, which won't fit in a standard TXT record. Have the DNS concatenate the two strings for you by entering them as follows:
TXT ( "first part" "second part" )
or
TXT "first part" \ "second part"

If your DNS provider doesn't support long keys (a problem I encountered about a year ago with one provider), you can create a shorter key by adding the parameter -b 1024 to your opendkim-genkey command.

Do not create shorter keys than 1024 bits.

Mikael H
  • Tried this - "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+aTMFobW7/VoT+36RJZOQ0cLtr4PxsWT0DHhRreE6a2IuXIOktviQkkXtLb2NXn5gjAZfPscss11Vr+kLFWM2OWF+B1qFpBB8J9zg6L8vjdkzIt5mt1oPOkFg7CcCEhU8dnbRpps00xsu4aVNuda7yr0+4sCwcTsObuESSQ3hYFWl33+OVTqiYAPqykX/mADvLYVxQF9UUJlO" "M+Vx8siFcENppNrqrbkSkhPfaNWYSqoXT9ZvFzHYOzcLqfx5HeJn3E7tAP6VDKKpoQjvUifQDp+oE0x9BgFdP63e7mxIZH1e78c4p8NTnZ8RAO4DQOFgCSn61Anm4OHspYJNpA0wIDAQAB" Still doesn't work – b0xed Aug 08 '19 at 06:34
  • How can I delete a DKIM key? – b0xed Aug 08 '19 at 06:36
  • Generating 1024 seems to work! – b0xed Aug 08 '19 at 06:42
  • 1
    When attempting to add records in a web interface (as opposed to a "real" zonefile), I suspect line breaks may be a bad thing. Also, if you're not surrounding the strings with parentheses, you'll need to put a backslash between each string. – Mikael H Aug 08 '19 at 06:46
  • 1
    Deleting a DKIM key is simply a matter of telling Postfix/OpenDKIM not to use that particular key for signing mail for the domain in question, and of removing the corresponding TXT record from your DNS. – Mikael H Aug 08 '19 at 06:48
  • Thank you @mikael-h. Two years later, this still helps. – b0xed Aug 06 '21 at 13:34
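
A way to check the TXT strings before publishing them, as an added example that is not part of the original question or answer: it joins the quoted strings the way a resolver does, base64-decodes the p= value and walks its DER structure, which is the step where a record holding only the first string fails. The sample key is constructed (filler modulus, not a usable key), and the function names are assumptions of this example.

```python
import base64
import binascii

def tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample key)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data (key is truncated)")
    return pos, pos + length

def check_dkim_txt(strings):
    """strings: the quoted character-strings of one TXT record, in order."""
    record = "".join(strings)  # resolvers concatenate them with no separator
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    p = "".join(tags.get("p", "").split())  # whitespace inside p= is ignored
    try:
        der = base64.b64decode(p, validate=True)
        start, _ = read_tlv(der, 0)          # SubjectPublicKeyInfo SEQUENCE
        _, alg_end = read_tlv(der, start)    # AlgorithmIdentifier
        bits, _ = read_tlv(der, alg_end)     # BIT STRING wrapping the key
        seq, _ = read_tlv(der, bits + 1)     # RSAPublicKey (skip unused-bits byte)
        m_start, m_end = read_tlv(der, seq)  # INTEGER modulus
    except (binascii.Error, ValueError, IndexError) as exc:
        return f"invalid public key: {exc}"
    return f"ok: RSA {int.from_bytes(der[m_start:m_end], 'big').bit_length()}-bit"

# Constructed sample: a structurally valid 2048-bit SubjectPublicKeyInfo with a
# filler modulus (not a usable key), split into strings of at most 255 bytes.
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")
rsa_key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * 256) + tlv(0x02, b"\x01\x00\x01"))
b64 = base64.b64encode(tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + rsa_key))).decode()
FULL = ["v=DKIM1; h=sha256; k=rsa; ", "p=" + b64[:253], b64[253:]]

if __name__ == "__main__":
    print(check_dkim_txt(FULL))      # all strings published
    print(check_dkim_txt(FULL[:2]))  # only the first part copied to DNS
```

To check a live record, pass the quoted strings returned by a TXT lookup of mail._domainkey for the domain, in the order they appear.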