Back to Community Threads
3
2048 bit domain keys?
Question asked by Mr Unique - 2/8/2016 at 2:27 PM
Answered
We are long time SmarterMail users, having upgraded all the way from v4.0 to v14.5.
Over the years we have implemented most of the new 'deliverability" features as they've come out, e.g. SPF, Domain Keys and DKIM signing.
 
Over the past year or so, we have noticed a decline in our deliverability, and our investigation seems to indicate that the problem is that 1024 bit domain keys are no longer widely accepted, and we now need to upgrade to 2048 bit keys.
 
The issue is, there is no 2048 bit option in Smartermail 14.5 - we see only 512, 768, and 1024 options.
 
How are you guys generating 2048 bit domain keys for Smartermail?

7 Replies

Reply to Thread
1
Matt Petty Replied
2/8/2016 at 2:36 PM
Employee Post Marked As Answer
We are removing Domain Keys in SmarterMail 15 since they are obsolete now. Setting your DKIM to 2048 by double clicking on DKIM in Anti-Spam Settings would be the way to go.
 
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Mr Unique Replied
2/8/2016 at 3:21 PM
OK, thanks for that hint...

We've now increased that to 2048 bits, and we've also disabled domain keys (but left DKIM on).

On the Certificate tab under Mail Signing, we're still only seeing 512, 768 and 1024 bit options - is this correct, or should we be seeing a 2048 bit option?
0
Mr Unique Replied
2/8/2016 at 3:35 PM
OK I have now figured it out!

To enable 2048 bit keys you need to go into Antispam Administration then:

1. Double click on DKIM and set Max Keysize allowed to 2048 bit

2. Double click on DomainKeys and set Max Keysize allowed to 2048 bit (if you don't do this step, you will not be able to generate a 2048 bit DNS certificate!)

After making both of these changes, you can then go back in to manage to domain in question and generate a new 2048 bit certificate in Mail Signing.

Talk about a poorly documented feature set.
0
Paul Blank Replied
2/13/2016 at 7:41 AM
I am using a 3rd party (symantec.cloud) for email filtering on one SM server. Can/should I still implement DKIM through SM, even though I'm not using SM Antispam?
1
Bruce Barnes Replied
2/13/2016 at 8:48 AM
You must create the DKIM certificate through SmarterMail because SmarterMail generates both the public and private keys.
 
The public key is what will go into the DNS - there are a total of THREE DIFFERENT KEYS:
secure._domainkey.yourdomain.com which will contain your 2048 bit public key PREPENDED with "k=rsa;" (no quotes, unless required by your DNS editor.
 
So, if your CERTIFICATE is:
 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLR36I6CbuKoQggeawkrXvuspnlfFaojxVYtgUWB5m5vJN4lvFJwQxKinxHIzNwIQfnsNY5SM4auPrKdhbI66UyzXGrgUJeZ5/LRA+41tTUK7IIEP7TqxQNo7sNBRzAPuGvitF8qXJIMklM70ROut6vqpiX6999E+5OOQBUetzj+J7mLa4Un7fbHCpx5g+BwPqxV4pfeJidVCfJX3IgneEZac+V+hUbw38q/b8pEW/uZ6u3eDDXCKWSdJ2NFPrEFPDQoezL8rtyudg+p/jwmbK9V2bjlq/AuQffJyv3FQpdAyb5HwkdY9FeEinveVez5rmFOyZ10I1xdLMqZrm618QIDAQAB
 
Using the certificate name "secure" - determined when the certificate is generated in SmarterMail, here is the first DNS record entry.  These are TXT RECORDS,
 
secure._domainkey.yourdomain.com TXT RECORD

k=rsa is PREPENDED to the certificate to indicate the kind of encryption being used
the 2,048 bit DKIM certificate is indicated in dark green
k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLR36I6CbuKoQggeawkrXvuspnlfFaojxVYtgUWB5m5vJN4lvFJwQxKinxHIzNwIQfnsNY5SM4auPrKdhbI66UyzXGrgUJeZ5/LRA+41tTUK7IIEP7TqxQNo7sNBRzAPuGvitF8qXJIMklM70ROut6vqpiX6999E+5OOQBUetzj+J7mLa4Un7fbHCpx5g+BwPqxV4pfeJidVCfJX3IgneEZac+V+hUbw38q/b8pEW/uZ6u3eDDXCKWSdJ2NFPrEFPDQoezL8rtyudg+p/jwmbK9V2bjlq/AuQffJyv3FQpdAyb5HwkdY9FeEinveVez5rmFOyZ10I1xdLMqZrm618QIDAQAB
here is the second DNS ENTRY: These are TXT records:
 
_domainkey.yourdomain.com
 
this declares that all outgoing mail is signed
o=~
The manner in which you input them are very specific to the DNS service you are using.
 
For more information about the kings of DKIM records required in DNS, see: www.unlocktheinbox.com
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Paul Blank Replied
2/13/2016 at 9:30 AM
Thanks, Bruce!
 
So there are 2 DNS entries?  You mentioned 3 keys.  What is the 3rd key (if I'm reading this correctly)?
 
 
0
Hemen Shah Replied
2/17/2016 at 4:39 AM
Hi Bruce,

Where is the 3rd DNS entry ?

Thanks
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Messages to Yahoo! Emails are Temporarily DeferredSmarterMail > Troubleshooting
Configure an Alternative Linux Web Server for SmarterMailSmarterMail > Server Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Configure URL Rewriting for Autodiscover on LinuxSmarterMail > Server Configuration and Management
Setting up Email Signing (DKIM) for a DomainSmarterMail > Domain/User Configuration and Management