BIND: Setup DMKI

From OnnoWiki
Revision as of 17:38, 28 April 2019 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Adding a DKIM record to your DNS is quite simple.

First, your create a key pair with openssl:

openssl genrsa -out private.key 1024 openssl rsa -in private.key -pubout -out public.key

Your public key looks now like:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpS
ZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGL
PD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvx
sbkccjUxLKw1YomX0QIDAQAB
-----END PUBLIC KEY-----

Now you convert this output to one single line:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpSZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGLPD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvxsbkccjUxLKw1YomX0QIDAQAB

This line you will use as public key in your DNS record.

Next, add two txt records like

_domainkey.domain.com          IN TXT o=!;r=postmaster@domain.com
selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>

Which means:

   o=~ the server signs some mail
   o=- all mail is signed, but unsigned mail should be accepted
   o=! all mail is signed, do not accept unsigned mail
   t=y I’m still testing
   v=DKIM1 we use DKIM version 1
   k=rsa it is a RSA key
   r=<x@xx> report problems to this email address
   p=<public key> this is the generated public key

Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.