DKIM setup with SmarterMail and BIND
Question asked by Anthony DePinto - December 19, 2017 at 1:24 PM
Answered
Trying to setup DKIM records with SmarterMail and BIND 9.10.4.  After I create the record with all defaults in SmarterMail and apply it in BIND it seems ok.  I test it with a few online tools and they seem happy, but SmarterMail doesn't seem to recognize it.  I've tried with 1024 bit keys and 2048.  I dropped to 1024 because BIND limits the records to 255 characters (I split it and outside tools see it ok, but not sure if that caused the fail in SmarterMail).  SM never seems to pass the Test phase.  Anybody able to get it working?

5 Replies

Reply to Thread
0
Von-Austin See Replied
Employee Post Marked As Answer
Anthony,
 
You'll want to avoid using a 1024 bit key size, this key size has been deprecated by most major providers. You will want to use 2048 bit.
 
Both Microsoft DNS and standard BIND DNS servers will encounter this issue.

You'll need to break up the 2048 bit DKIM key into multiple lines. For example instead of having a DKIM key that resembles the following:
 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2HUa40zk+1xuJPje3Dxf1NwrVP0apSJnaJNCuG6U5iiVCx8RXhiCJlldIbkh1glfhJijZDpuQ7W6QE9By1/5u7ArfmzqRB5QlgfpFlPdYGDLSBeBFSbkPF3jK6izChZNRwS8lcQdGtD/09wHuVZBfO1V+jOL8+JlHWJC5y7hdLwIDAQAB
 
You'll want to add line breaks to the record so that it resembles the following:
 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2HUa40zk+1xuJ
Pje3Dxf1NwrVP0apSJnaJNCuG6U5iiVCx8RXhiCJlldIbkh1glfhJijZDpuQ7W6
QE9By1/5u7ArfmzqRB5QlgfpFlPdYGDLSBeBFSbkPF3jK6izChZNRwS8lcQd
GtD/09wHuVZBfO1V+jOL8+JlHWJC5y7hdLwIDAQAB
 
Symantec actually has a writeup on this that can be reviewed here: https://support.symantec.com/en_US/article.TECH123082.html
 
I hope this helps. 
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Scarab Replied
As Von See stated, you have to add line-breaks to the key in the TXT Record to handle > 255 characters. However, with BIND (as opposed to MSDNS) you specifically have to encapsulate all the lines together as follows:
 
( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2cXNFmv9z8cIwxNf0Sfv"
"oLYkgsxuAJG8bG1PZV+W2rNR7J/H46ytL5HeGBNbJJGUS+HlWJaS0BAl4QpwBVyLgXczk3vjA2UxCHR5SN"
"3hm+72xqGGW69lNCJ6YFwA3m0q4l16C/fG/g+1fbSZGOIZnb3rU3V8fwixk8xpCLmxdQrKHgHM0+3//V68"
"mW+CanSs8djW+WHtO4pAO6/SNiIrXydQ2QKy0JlLkDd06vdpjMuMdowQxGIc+DtFl+jlKZoBmWDxCdzHik"
"vbLd1a2H+T+EqfSepaWfgjyE3T/WpQ+nM0240y2lxx8q0eQiO+FVa+nF4J5sDBJxRkuUOsoH5RwQIDAQAB" )
 
So each line has to be double-quoted (begins with a " and ends with a ") and the entire txt record string has to be encapsulated with parentheses ( ). When encapsulated and quoted the txt record will be able to be read flawlessly by both Smartermail and any other DNS query.
0
Using BIND you don't have to break it up into multiple lines.  You can do the following:
 
8D535AE480FCCED._domainKey IN TXT "p=part1" "part2"
 
where the two parts are quoted separately on same line.
 
Also if you have internal and external views in BIND you need to put the key in both.
0
George Spanos Replied
I am dealing with the same problem and although I have setup the DKIM key on BIND, I cannot get smartermail 16.x to enable it. It seems to me that it checks the DNS entry and unless it gets a matching answer, it does not enable signing. Any way I can bypass this and enable regardless?

My DKIM DNS setup passes the DKIM Analyzer at DMARC ANalyzer's website with flying colors... 
 
All this started because I had to move to 2048 bit DKIM signatures. Seems to work fine with third party DNS servers but not my BIND 9.10.
 
My selector is 8D6139DFB22B1FE and the domain name station1.com
0
George Spanos Replied
Problem solved...seems that the issue was related to a DNS update delay. Apparently, my setup was right and along the lines above.

Reply to Thread