Difference between revisions of "BIND: Setup DMKI"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 3: | Line 3: | ||
First, your create a key pair with openssl: | First, your create a key pair with openssl: | ||
| − | openssl genrsa -out private.key 1024 | + | openssl genrsa -out private.key 1024 |
| − | openssl rsa -in private.key -pubout -out public.key | + | openssl rsa -in private.key -pubout -out public.key |
Your public key looks now like: | Your public key looks now like: | ||
Revision as of 18:03, 28 April 2019
Adding a DKIM record to your DNS is quite simple.
First, your create a key pair with openssl:
openssl genrsa -out private.key 1024 openssl rsa -in private.key -pubout -out public.key
Your public key looks now like:
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpS ZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGL PD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvx sbkccjUxLKw1YomX0QIDAQAB -----END PUBLIC KEY-----
Now you convert this output to one single line:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpSZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGLPD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvxsbkccjUxLKw1YomX0QIDAQAB
This line you will use as public key in your DNS record.
Next, add two txt records like
_domainkey.domain.com IN TXT o=!;r=postmaster@domain.com selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>
Which means:
o=~ the server signs some mail o=- all mail is signed, but unsigned mail should be accepted o=! all mail is signed, do not accept unsigned mail t=y I’m still testing v=DKIM1 we use DKIM version 1 k=rsa it is a RSA key r=<x@xx> report problems to this email address p=<public key> this is the generated public key
Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.