Trouble Confirming DKIM
Problem reported by Michael Muller - 9/30/2019 at 1:17 PM
I can see the DKIM declared in my customer's DNS:

$origin mycustomersdomain.com.
8D745D86D3DB96F._domainKey    IN TXT ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1JRpdaTxI9v8ZVSQeT7LXNNyfO6uXtTc7bey88pxJ46hGTWkUyk+p6dimZYOmLzf2TPzJJiKo9QOTQDLEx9aB8MpqbuGp1OCp0urOvlsNtBacMORTPmcEvZtyLUNZhGGJ2c7CaMzjrm9p8g3EyCV1C9QZSFt+1L0ygnk0KGjUnwIDAQAB")
... which matches the key and the string provided by Smartermail:

Before enabling DKIM Email Signing, the following TXT record must be added to your DNS server. 

...yet SmarterMail will not validate the DKIM. What am I doing wrong?
Montague WebWorks
Powered by RocketFusion

4 Replies

Reply to Thread
Scarab Replied
The string may be too long for most DNS servers. Strings in TXT records cannot be longer than 255 characters. However to get around this limitation, per RFC 4408, a TXT record is allowed to contain multiple strings which can be concatenated back together by the server doing the query. 

Try the following:

$origin mycustomersdomain.com.
8D745D86D3DB96F._domainKey    IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1JRpdaTxI9v8ZVSQeT7LXNNyfO6uXtTc7bey88pxJ46hG"
"TWkUyk+p6dimZYOmLzf2TPzJJiKo9QOTQDLEx9aB8MpqbuGp1OCp0urOvlsNtBacMORTPmcEvZtyLUNZhGGJ2c7CaMzjrm9p8g3EyCV1C9QZSFt+1L0ygnk0KGjUnwIDAQAB" )
Notice I broke it into two strings by adding a double-quote after the first half, and another double-quote at the beginning of the next half. Otherwise you are encapsulating the strings properly in parenthesis and everything else looks good.

Michael Muller Replied
I don't believe this is the case. I have other domains that also use the 1024 bit encryption and work just fine. My personal domain's DKIM record is 267 characters long, and succeeds the https://dkimvalidator.com/ test. We are using Bind, which doesn't support 2048 bit encryption, which is why this is just 1024.

I'm now wondering if Bind doesn't like the longer key: 8D745D86D3DB96F
--- Montague WebWorks Powered by RocketFusion
Scarab Replied
Not sure what version of BIND you are using, but as of at least v9.X a TXT record can be of any length so long as each string does not exceed 253 characters (we concatenate long strings in BIND every 145 characters just to be safe). We use BIND v9.11 across 5 different DNS Servers and we've been able to use TXT records up to 4096 bits just fine (2048 for DKIM in SM). The longer subdomain for the DKIM Selector should be fine too, so long as it does not exceed 63 characters.

Are you using the same nameservers for DNS in SM as the ones that are serving the records for the domain? The reason I ask is that it could be a caching issue. The cmd "sudo rndc flushname domainname.tld" on the DNS servers used by SM should clear an outdated record from your BIND ADB table and DNS resolver cache. Also, stupid question but just to make sure you are running "sudo rndc reload domainname.tld" after making changes to a zone record in BIND, right? (One of our Admins, despite 10+ years experience, always forgets to do this).

Try using https://mxtoolbox.com/dkim.aspx to test the DKIM Selector & Domain Name in DNS. If it provides the proper response then SM should be seeing it too unless it is querying a cached zonefile in a DNS Resolver cache that does not have that record.

Lastly, what version of SM are you using? I seem to recall, long ago (somewhere in v14 I believe) that there was a known issue with DKIM verification failing for some keys but I haven't seen that happen for quite some time.
Michael Muller Replied
We are running BIND 9.10 FOR WINDOWS. The entire string inside the quotes is 236 characters long.

Yes, we are running the two domains through the same DNS.

I run "d:\bind\bin\rndc.exe reload" after rewriting the zone file to refresh the whole shebang. We only have about 500 domains in our db.

How do I enter in the selector? I entered in the domain name and 8D745D86D3DB96F and it said record not found.

We are running V.17 SmarterMail Enterprise Build 7125 (Jul 5, 2019)

--- Montague WebWorks Powered by RocketFusion

Reply to Thread