BIND: Setup DKIM
Adding a DKIM record to your DNS is quite simple.
First, you create a key pair with openssl:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
Your public key now looks like this:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM
PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n
3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb
5MIBp3vDiipAJNTO1wIDAQAB
-----END PUBLIC KEY-----
Now drop the BEGIN and END lines and join the remaining lines into one single line:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB
You will use this line as the public key in your DNS record.
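Next, add two TXT records like the ones below. In a BIND zone file the record data must be quoted, because an unquoted semicolon starts a comment, and a fully written name needs a trailing dot so that BIND does not append the zone origin to it.
_domainkey.domain.com. IN TXT "o=~;r=postmaster@domain.com"
selector._domainkey.domain.com. IN TXT "v=DKIM1;k=rsa;p=<public key>"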
Which means:
o=~ the server signs some mail
o=- all mail is signed, but unsigned mail should be accepted
o=! all mail is signed, do not accept unsigned mail
t=y I’m still testing
v=DKIM1 we use DKIM version 1
k=rsa it is an RSA key
r=<x@xx> report problems to this email address
p=<public key> this is the generated public key
Do not use keys with a length other than 1024 bits. 512 bits is too short, and 2048 bits will give you problems with most DNS servers.
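The conversion and the selector record from the steps above as a script, added here as an example and not part of the original page; it goes slightly beyond the page by splitting a value longer than 255 bytes into several quoted strings. The function names are assumptions, and `selector` and `domain.com` are the page's placeholders.

```shell
#!/bin/sh
# Added example: turn the PEM from `openssl rsa -pubout` into a BIND TXT record.

# Constructed sample input: the example public key shown on this page.
sample_pem() {
cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM
PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n
3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb
5MIBp3vDiipAJNTO1wIDAQAB
-----END PUBLIC KEY-----
EOF
}

# Drop the BEGIN/END armor lines and join the base64 body into one line.
pem_to_p() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# Print the selector record for a zone file. The PEM is read from stdin.
# $1 = selector, $2 = domain (placeholder names, as in the page's example).
dkim_txt_record() {
    value="v=DKIM1;k=rsa;p=$(pem_to_p)"
    rdata=""
    # One TXT character-string holds at most 255 bytes; a longer value is
    # written as several quoted strings, which verifiers concatenate.
    while [ -n "$value" ]; do
        chunk=$(printf '%s' "$value" | cut -c1-255)
        value=$(printf '%s' "$value" | cut -c256-)
        # Quoting also keeps BIND from reading ';' as a comment start.
        rdata="$rdata \"$chunk\""
    done
    printf '%s._domainkey.%s. IN TXT%s\n' "$1" "$2" "$rdata"
}

sample_pem | dkim_txt_record selector domain.com
```

To use it with a real key, run `dkim_txt_record <selector> <domain> < public.key` and paste the printed line into the zone file.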