2048 bit domain keys?
Question asked by Mr Unique - 2/8/2016 at 2:27 PM
We are long time SmarterMail users, having upgraded all the way from v4.0 to v14.5.
Over the years we have implemented most of the new 'deliverability' features as they've come out, e.g. SPF, Domain Keys and DKIM signing.
Over the past year or so, we have noticed a decline in our deliverability, and our investigation seems to indicate that the problem is that 1024 bit domain keys are no longer widely accepted, and we now need to upgrade to 2048 bit keys.
The issue is, there is no 2048 bit option in Smartermail 14.5 - we see only 512, 768, and 1024 options.
How are you guys generating 2048 bit domain keys for Smartermail?

7 Replies

Matt Petty Replied
Employee Post Marked As Answer
We are removing Domain Keys in SmarterMail 15 since they are obsolete now. Setting your DKIM to 2048 by double clicking on DKIM in Anti-Spam Settings would be the way to go.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
Mr Unique Replied
OK, thanks for that hint...

We've now increased that to 2048 bits, and we've also disabled domain keys (but left DKIM on).

On the Certificate tab under Mail Signing, we're still only seeing 512, 768 and 1024 bit options - is this correct, or should we be seeing a 2048 bit option?
Mr Unique Replied
OK I have now figured it out!

To enable 2048 bit keys you need to go into Antispam Administration then:

1. Double click on DKIM and set Max Keysize allowed to 2048 bit

2. Double click on DomainKeys and set Max Keysize allowed to 2048 bit (if you don't do this step, you will not be able to generate a 2048 bit DNS certificate!)

After making both of these changes, you can then go back in to manage the domain in question and generate a new 2048 bit certificate in Mail Signing.

Talk about a poorly documented feature set.
Paul Blank Replied
I am using a 3rd party (symantec.cloud) for email filtering on one SM server. Can/should I still implement DKIM through SM, even though I'm not using SM Antispam?
Bruce Barnes Replied
You must create the DKIM certificate through SmarterMail because SmarterMail generates both the public and private keys.
The public key is what will go into the DNS - there are a total of THREE DIFFERENT KEYS:
secure._domainkey.yourdomain.com which will contain your 2048 bit public key PREPENDED with "k=rsa;" (no quotes, unless required by your DNS editor).
So, if your CERTIFICATE is:
Using the certificate name "secure" - determined when the certificate is generated in SmarterMail, here is the first DNS record entry.  These are TXT RECORDS,
secure._domainkey.yourdomain.com TXT RECORD

k=rsa is PREPENDED to the certificate to indicate the kind of encryption being used
the 2,048 bit DKIM certificate is indicated in dark green
here is the second DNS ENTRY: These are TXT records:
this declares that all outgoing mail is signed
The manner in which you input them is very specific to the DNS service you are using.
For more information about the kinds of DKIM records required in DNS, see: www.unlocktheinbox.com
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
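An added check, not code from this thread or from SmarterMail, for confirming that the 2048 bit key Bruce describes actually made it into the DNS TXT record: it splits the record into tags, confirms the key type is RSA, and reads the modulus size out of the base64 public key in the p= tag. It assumes the standard tag layout ("v=DKIM1; k=rsa; p=..."); the sample record is constructed inside the block from a synthetic key, not a real one.

```python
import base64

def _der_read(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):   # DER encoder, used only to build the constructed sample record
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def parse_dkim_record(txt):   # "v=DKIM1; k=rsa; p=..." -> {"v": ..., "k": ..., "p": ...}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # p= is often split across quoted strings
    return tags

def rsa_key_bits(p_value):   # modulus size of the base64 SubjectPublicKeyInfo in p=
    _, spki, _ = _der_read(base64.b64decode(p_value), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(spki, 0)                         # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_read(spki, pos)                    # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)               # [1:] skips the unused-bits byte
    _, modulus, _ = _der_read(rsa_pub, 0)                  # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt, min_bits=2048):   # (ok, reason) for an RSA record of >= min_bits
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return False, "key type is not rsa"
    if not tags.get("p"):
        return False, "no public key in p= (empty p= means the key is revoked)"
    bits = rsa_key_bits(tags["p"])
    return bits >= min_bits, f"rsa key is {bits} bits"

def make_sample_record(bits):   # constructed sample: synthetic (NOT real) RSA key of `bits` bits
    n = (1 << (bits - 1)) | 1                              # top bit set so size is exactly `bits`
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))  # INTEGER n
                   + _der(0x02, b"\x01\x00\x01"))                            # INTEGER e = 65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed the real TXT value of selector._domainkey.yourdomain.com to check_dkim_record to verify the key size your DNS is actually publishing.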
Paul Blank Replied
Thanks, Bruce!
So there are 2 DNS entries? You mentioned 3 keys. What is the 3rd key (if I'm reading this correctly)?
Hemen Shah Replied
Hi Bruce,

Where is the 3rd DNS entry?