BIND: Setup DMKI

From OnnoWiki
Jump to: navigation, search

Adding a DKIM record to your DNS is quite simple.

First, your create a key pair with openssl:

openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key

Your public key looks now like:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM
PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n
3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb
5MIBp3vDiipAJNTO1wIDAQAB
-----END PUBLIC KEY-----


Now you convert this output to one single line:


MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB


This line you will use as public key in your DNS record.

Next, add two txt records like

_domainkey.domain.com          IN TXT o=~;r=postmaster@domain.com
selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>

Which means:

   o=~ the server signs some mail
   o=- all mail is signed, but unsigned mail should be accepted
   o=! all mail is signed, do not accept unsigned mail
   t=y I’m still testing
   v=DKIM1 we use DKIM version 1
   k=rsa it is a RSA key
   r=<x@xx> report problems to this email address
   p=<public key> this is the generated public key

Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.