DKIM setup with SmarterMail and BIND
Question asked by Anthony DePinto - 12/19/2017 at 1:24 PM
Answered
Trying to set up DKIM records with SmarterMail and BIND 9.10.4. After I create the record with all defaults in SmarterMail and apply it in BIND it seems ok. I test it with a few online tools and they seem happy, but SmarterMail doesn't seem to recognize it. I've tried with 1024 bit keys and 2048. I dropped to 1024 because BIND limits the records to 255 characters (I split it and outside tools see it ok, but not sure if that caused the fail in SmarterMail). SM never seems to pass the Test phase. Anybody able to get it working?

5 Replies

Employee Replied
Employee Post Marked As Answer
Anthony,
 
You'll want to avoid using a 1024-bit key size; this key size has been deprecated by most major providers. You will want to use 2048-bit.
 
Both Microsoft DNS and standard BIND DNS servers will encounter this issue.

You'll need to break up the 2048-bit DKIM key into multiple lines. For example, instead of having a DKIM key that resembles the following:
 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2HUa40zk+1xuJPje3Dxf1NwrVP0apSJnaJNCuG6U5iiVCx8RXhiCJlldIbkh1glfhJijZDpuQ7W6QE9By1/5u7ArfmzqRB5QlgfpFlPdYGDLSBeBFSbkPF3jK6izChZNRwS8lcQdGtD/09wHuVZBfO1V+jOL8+JlHWJC5y7hdLwIDAQAB
 
You'll want to add line breaks to the record so that it resembles the following:
 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2HUa40zk+1xuJ
Pje3Dxf1NwrVP0apSJnaJNCuG6U5iiVCx8RXhiCJlldIbkh1glfhJijZDpuQ7W6
QE9By1/5u7ArfmzqRB5QlgfpFlPdYGDLSBeBFSbkPF3jK6izChZNRwS8lcQd
GtD/09wHuVZBfO1V+jOL8+JlHWJC5y7hdLwIDAQAB
 
Symantec actually has a writeup on this that can be reviewed here: https://support.symantec.com/en_US/article.TECH123082.html
 
I hope this helps. 
Scarab Replied
As Von See stated, you have to add line breaks to the key in the TXT record to handle > 255 characters. However, with BIND (as opposed to MSDNS) you specifically have to encapsulate all the lines together as follows:
 
( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2cXNFmv9z8cIwxNf0Sfv"
"oLYkgsxuAJG8bG1PZV+W2rNR7J/H46ytL5HeGBNbJJGUS+HlWJaS0BAl4QpwBVyLgXczk3vjA2UxCHR5SN"
"3hm+72xqGGW69lNCJ6YFwA3m0q4l16C/fG/g+1fbSZGOIZnb3rU3V8fwixk8xpCLmxdQrKHgHM0+3//V68"
"mW+CanSs8djW+WHtO4pAO6/SNiIrXydQ2QKy0JlLkDd06vdpjMuMdowQxGIc+DtFl+jlKZoBmWDxCdzHik"
"vbLd1a2H+T+EqfSepaWfgjyE3T/WpQ+nM0240y2lxx8q0eQiO+FVa+nF4J5sDBJxRkuUOsoH5RwQIDAQAB" )
 
So each line has to be double-quoted (begins with a " and ends with a ") and the entire TXT record string has to be encapsulated with parentheses ( ). When encapsulated and quoted, the TXT record will be able to be read flawlessly by both SmarterMail and any other DNS query.
Bryan Zimmerman Replied
Using BIND you don't have to break it up into multiple lines. You can do the following:
 
8D535AE480FCCED._domainKey IN TXT "p=part1" "part2"
 
where the two parts are quoted separately on the same line.
 
Also if you have internal and external views in BIND you need to put the key in both.
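Both BIND forms described in the two replies above (the parenthesized multi-line form and the single-line form with separately quoted parts) come down to the same rule: a TXT record is a sequence of character-strings of at most 255 octets each, and a resolver concatenates them in order. The script below, added here as an example and not code from the thread or from SmarterMail, generates a record in either form from a constructed, fake public key string and then checks that the quoted pieces reassemble to the original DKIM value and that no single piece exceeds the limit. It assumes plain zone-file syntax with no escaped quotes inside the strings; the owner name is taken from Bryan's example.

```python
"""Split a DKIM TXT value into <=255-octet strings for BIND and verify it round-trips."""
import re

MAX_STRING = 255  # one <character-string> in TXT RDATA holds at most 255 octets

# Constructed sample: a fake 392-character string with the shape of a base64-encoded
# 2048-bit RSA public key. It is NOT a real key; it only exercises the splitting logic.
FAKE_P = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 13)[:392]
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + FAKE_P  # 410 characters, so it must be split


def split_txt(value, size=MAX_STRING):
    """Cut value into consecutive chunks of at most size octets (ASCII assumed)."""
    if not 1 <= size <= MAX_STRING:
        raise ValueError("chunk size must be between 1 and %d" % MAX_STRING)
    return [value[i:i + size] for i in range(0, len(value), size)]


def bind_txt_record(owner, value, ttl=3600, multiline=True):
    """Render a zone-file TXT record in the parenthesized or the single-line BIND form."""
    quoted = ['"%s"' % chunk for chunk in split_txt(value)]
    if multiline:
        rdata = "(\n    " + "\n    ".join(quoted) + " )"
    else:
        rdata = " ".join(quoted)
    return "%s %d IN TXT %s" % (owner, ttl, rdata)


def txt_strings(record):
    """Extract the quoted character-strings of a zone-file TXT record, in order."""
    rdata = record.split(" IN TXT ", 1)[1]
    return re.findall(r'"([^"]*)"', rdata)  # no escaped quotes in DKIM values


def parse_bind_txt(record):
    """Reassemble the strings the way a resolver presents the TXT value to a verifier."""
    return "".join(txt_strings(record))


def dkim_tags(value):
    """Parse 'tag=value; tag=value' pairs into a dict (whitespace around tags ignored)."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            key, val = field.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def check_dkim_key(record, expected_p):
    """True if every string fits the 255-octet limit and the reassembled p= matches."""
    strings = txt_strings(record)
    if any(len(s.encode("ascii")) > MAX_STRING for s in strings):
        return False  # BIND refuses to load a single string longer than 255 octets
    tags = dkim_tags("".join(strings))
    return tags.get("v") == "DKIM1" and tags.get("p", "").replace(" ", "") == expected_p


if __name__ == "__main__":
    owner = "8D535AE480FCCED._domainKey"  # selector name from the thread
    for multiline in (True, False):
        record = bind_txt_record(owner, DKIM_VALUE, multiline=multiline)
        print(record)
        print("round-trips and fits:", check_dkim_key(record, FAKE_P))
```

Running the script prints the record in both forms and reports whether the reassembled value matches the key; feeding it a record that keeps the whole 410-character value in one quoted string makes `check_dkim_key` return False, which is the case BIND rejects at zone load.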
George Spanos Replied
I am dealing with the same problem and although I have set up the DKIM key on BIND, I cannot get SmarterMail 16.x to enable it. It seems to me that it checks the DNS entry and unless it gets a matching answer, it does not enable signing. Any way I can bypass this and enable regardless?

My DKIM DNS setup passes the DKIM Analyzer at DMARC Analyzer's website with flying colors...
 
All this started because I had to move to 2048 bit DKIM signatures. Seems to work fine with third party DNS servers but not my BIND 9.10.
 
My selector is 8D6139DFB22B1FE and the domain name station1.com
George Spanos Replied
Problem solved... seems that the issue was related to a DNS update delay. Apparently, my setup was right and along the lines above.
