BIND: Setup DMKI
Revision as of 18:09, 28 April 2019 by Onnowpurbo (talk | contribs)
Adding a DKIM record to your DNS is quite simple.
First, your create a key pair with openssl:
openssl genrsa -out private.key 1024 openssl rsa -in private.key -pubout -out public.key
Your public key looks now like:
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n 3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb 5MIBp3vDiipAJNTO1wIDAQAB -----END PUBLIC KEY-----
Now you convert this output to one single line:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB
This line you will use as public key in your DNS record.
Next, add two txt records like
_domainkey.domain.com IN TXT o=~;r=postmaster@domain.com selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>
Which means:
o=~ the server signs some mail o=- all mail is signed, but unsigned mail should be accepted o=! all mail is signed, do not accept unsigned mail t=y I’m still testing v=DKIM1 we use DKIM version 1 k=rsa it is a RSA key r=<x@xx> report problems to this email address p=<public key> this is the generated public key
Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.