Remember that 4096-bit DKIM signing doesn't work in 8930. Remember to fix it in the upcoming release
Problem reported by Brian Bjerring-Jensen - 7/7/2024 at 2:17 PM
Not A Problem
The 4096-bit signing doesn't copy the entire string out of the web interface. You have to use 2048 to get it to work.

6 Replies

Zach Sylvester Replied
Employee Post
Hey Brian,

Thanks for reaching out about this issue. After testing it myself, I can confirm that I was able to successfully copy and paste the 4096 TXT record value into my DNS service and it verified and worked. It's important to note that many DNS servers impose limitations on the size of a TXT record, typically to 255 or 512 characters. This can pose challenges when inputting DKIM signatures, particularly when they exceed 512 characters. To address this, it's crucial to split it into multiple strings. The specific procedures for doing so will vary based on the DNS server you're using. Kindly refer to the provided resources for more information.

I hope this helps. 

Thank you,
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Brian Bjerring-Jensen Replied
2048 works like a charm despite being longer than 255 characters. The 4096-bit DKIM doesn't work even if you follow these guidelines.
Terry Froy Replied
In order to serve DNS records whose payload exceeds 512 bytes, the DNS server hosting your record SHOULD support EDNS0 and MUST be reachable over TCP/53 as well as UDP/53.

A modern DNS server will respond with UDP responses that are larger than 512 bytes if the client indicates that it supports EDNS0 in the initial query.

If a client does not indicate that it supports EDNS0, the DNS server MUST respond with a TCP referral.

A TCP referral is where the DNS server does not respond with the record content but instead sends back an answer indicating to the DNS client that the query should be re-attempted over TCP instead of UDP which does not suffer from the 512-byte payload limitation.
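The two mechanics discussed above, splitting a long DKIM key into 255-character TXT strings (Zach's reply) and the classic 512-byte UDP answer limit that pushes a client to EDNS0 or TCP (Terry's reply), as an added example that is not SmarterMail's code nor any poster's. The selector, domain and key bytes are constructed placeholders (the byte patterns merely have the length of a real 2048-bit and 4096-bit RSA SubjectPublicKeyInfo, they are not keys), and the response-size estimate assumes a single-record answer with name compression and no additional records.

```python
"""Added example: DKIM key TXT record chunking and a UDP-size estimate.

Not SmarterMail code. Selector, domain and key bytes are constructed.
"""
from __future__ import annotations

import base64

TXT_STRING_MAX = 255      # RFC 1035: one TXT <character-string> holds at most 255 octets
UDP_PAYLOAD_LIMIT = 512   # RFC 1035: largest DNS-over-UDP message without EDNS0

# Constructed stand-ins for the DER SubjectPublicKeyInfo of an RSA key.
# A real 2048-bit RSA SPKI is 294 bytes; a real 4096-bit one is 550 bytes.
FAKE_SPKI_2048 = bytes(range(256)) + bytes(38)        # 294 bytes, NOT a real key
FAKE_SPKI_4096 = bytes(range(256)) * 2 + bytes(38)    # 550 bytes, NOT a real key


def dkim_record_value(spki_der: bytes) -> str:
    """Build the tag=value text of a DKIM key record (RFC 6376, section 3.6.1)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")


def split_txt_strings(value: str, limit: int = TXT_STRING_MAX) -> list[str]:
    """Cut a long TXT value into <character-string> chunks of at most `limit`.

    A resolver concatenates the strings in order with no separator, so the
    exact split points do not matter to a DKIM verifier.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_file_line(owner: str, value: str, ttl: int = 3600) -> str:
    """Render the record as a BIND-style zone line with quoted 255-char strings."""
    quoted = " ".join(f'"{chunk}"' for chunk in split_txt_strings(value))
    return f"{owner} {ttl} IN TXT ( {quoted} )"


def wire_name_length(name: str) -> int:
    """Length of a domain name in DNS wire format: (1 + label) per label, plus root."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def estimate_response_size(owner: str, value: str) -> int:
    """Estimate the size of a one-record TXT answer in bytes.

    header (12) + question (name + type + class) + answer RR with a
    compression pointer for its name (2 + type 2 + class 2 + TTL 4 + RDLENGTH 2)
    + RDATA, where each chunk costs one length octet plus its characters.
    """
    header = 12
    question = wire_name_length(owner) + 4
    rr_fixed = 2 + 2 + 2 + 4 + 2
    rdata = sum(1 + len(chunk) for chunk in split_txt_strings(value))
    return header + question + rr_fixed + rdata


def needs_edns0_or_tcp(owner: str, value: str) -> bool:
    """True when the answer cannot fit a classic 512-byte UDP message."""
    return estimate_response_size(owner, value) > UDP_PAYLOAD_LIMIT


if __name__ == "__main__":
    owner = "selector1._domainkey.example.com."    # constructed selector/domain
    for bits, spki in ((2048, FAKE_SPKI_2048), (4096, FAKE_SPKI_4096)):
        value = dkim_record_value(spki)
        chunks = split_txt_strings(value)
        print(f"{bits}-bit key: {len(value)} chars in {len(chunks)} strings, "
              f"~{estimate_response_size(owner, value)} byte answer, "
              f"needs EDNS0/TCP: {needs_edns0_or_tcp(owner, value)}")
        print(zone_file_line(owner, value))
```

Running it shows why 2048 can "just work" while 4096 does not: both values exceed 255 characters and so need more than one string, but only the 4096-bit record pushes the answer past 512 bytes, so a resolver without EDNS0 must retry over TCP. A real zone would be larger still once DNSSEC signatures are added to the answer.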
Ron Raley Replied
DKIM 4096 length may be denied by older mail servers.
Chris Replied
Not very many mail and DNS servers support 2048, let alone 4096. Amazon DNS only supports 1024 (there is a workaround). a2hosting.com and hostgator are others I can think of.
Patrick Jeski Replied
In the other thread where you described your problems:

I tried to reproduce your problem with my two beta linux servers and my two production servers. I had no issues at all with 4096 bit keys.
