3
2048 bit domain keys?
Question asked by Mr Unique - February 8, 2016 at 2:27 PM
Answered
We are long time SmarterMail users, having upgraded all the way from v4.0 to v14.5.
Over the years we have implemented most of the new "deliverability" features as they've come out, e.g. SPF, Domain Keys and DKIM signing.
 
Over the past year or so, we have noticed a decline in our deliverability, and our investigation seems to indicate that the problem is that 1024 bit domain keys are no longer widely accepted, and we now need to upgrade to 2048 bit keys.
 
The issue is, there is no 2048 bit option in SmarterMail 14.5 - we see only 512, 768, and 1024 options.
 
How are you guys generating 2048 bit domain keys for SmarterMail?

4 Replies

1
Matt Petty Replied
February 8, 2016 at 2:36 PM
Employee Post
We are removing Domain Keys in SmarterMail 15 since they are obsolete now. Setting your DKIM to 2048 by double clicking on DKIM in Anti-Spam Settings would be the way to go.
 
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Paul Blank Replied
February 13, 2016 at 7:41 AM
I am using a 3rd party (symantec.cloud) for email filtering on one SM server. Can/should I still implement DKIM through SM, even though I'm not using SM Antispam?
1
Bruce Barnes Replied
February 13, 2016 at 8:48 AM
You must create the DKIM certificate through SmarterMail because SmarterMail generates both the public and private keys.
 
The public key is what will go into the DNS - there are a total of THREE DIFFERENT KEYS:
secure._domainkey.yourdomain.com which will contain your 2048 bit public key PREPENDED with "k=rsa;" (no quotes, unless required by your DNS editor).
 
So, if your CERTIFICATE is:
 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLR36I6CbuKoQggeawkrXvuspnlfFaojxVYtgUWB5m5vJN4lvFJwQxKinxHIzNwIQfnsNY5SM4auPrKdhbI66UyzXGrgUJeZ5/LRA+41tTUK7IIEP7TqxQNo7sNBRzAPuGvitF8qXJIMklM70ROut6vqpiX6999E+5OOQBUetzj+J7mLa4Un7fbHCpx5g+BwPqxV4pfeJidVCfJX3IgneEZac+V+hUbw38q/b8pEW/uZ6u3eDDXCKWSdJ2NFPrEFPDQoezL8rtyudg+p/jwmbK9V2bjlq/AuQffJyv3FQpdAyb5HwkdY9FeEinveVez5rmFOyZ10I1xdLMqZrm618QIDAQAB
 
Using the certificate name "secure" - determined when the certificate is generated in SmarterMail, here is the first DNS record entry. These are TXT RECORDS.
 
secure._domainkey.yourdomain.com TXT RECORD

k=rsa is PREPENDED to the certificate to indicate the kind of encryption being used
the 2,048 bit DKIM certificate is indicated in dark green
k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLR36I6CbuKoQggeawkrXvuspnlfFaojxVYtgUWB5m5vJN4lvFJwQxKinxHIzNwIQfnsNY5SM4auPrKdhbI66UyzXGrgUJeZ5/LRA+41tTUK7IIEP7TqxQNo7sNBRzAPuGvitF8qXJIMklM70ROut6vqpiX6999E+5OOQBUetzj+J7mLa4Un7fbHCpx5g+BwPqxV4pfeJidVCfJX3IgneEZac+V+hUbw38q/b8pEW/uZ6u3eDDXCKWSdJ2NFPrEFPDQoezL8rtyudg+p/jwmbK9V2bjlq/AuQffJyv3FQpdAyb5HwkdY9FeEinveVez5rmFOyZ10I1xdLMqZrm618QIDAQAB
Here is the second DNS ENTRY: These are TXT records:
 
_domainkey.yourdomain.com
 
this declares that all outgoing mail is signed
o=~
The manner in which you input them is very specific to the DNS service you are using.
 
For more information about the kinds of DKIM records required in DNS, see: www.unlocktheinbox.com
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Paul Blank Replied
February 13, 2016 at 9:30 AM
Thanks, Bruce!
 
So there are 2 DNS entries?  You mentioned 3 keys.  What is the 3rd key (if I'm reading this correctly)?
 
 
