DKIM DNS entry with 255 characters limit


(EnzoC) #1

Good morning everyone,
I have a problem with DKIM encryption.

My hosting provider, NETSONS, truncates the DKIM key available from the page Email - Domain to 255 characters.

I have tried


( “part one” “part two” …)

and this

https://support.google.com/a/answer/173535

the result is

Original message
Message ID	<5e6b-5ab11a80-3-6781eb00@233085339>
Created at:	20 March 2018 15:29 (delivered after 5 seconds)
From:	enzo <enzo@myNSdomain.org>
To:	mygmailemail@gmail.com
Subject:	ciao 5
DKIM:	'FAIL' with domain myNSdomain.org


Delivered-To: mygmailemail@gmail.com
Received: by 10.2.155.125 with SMTP id g58csp3987516jal;
        Tue, 20 Mar 2018 07:29:18 -0700 (PDT)
X-Google-Smtp-Source: AG47ELsDrNeGPmsIUx1XDCiVcP3xvjUNRGCFqX2a3GxeQAvGKdWMYHV9za7iJVBx7WQIB1hlDtik
X-Received: by 10.28.166.206 with SMTP id p197mr2252171wme.81.1521556158075;
        Tue, 20 Mar 2018 07:29:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521556158; cv=none;
        d=google.com; s=arc-20160816;
        b=DVFJno9wcO1gbQzFsitmw9THkJrnHLPyfoP54sCZuJaXd0dLE8T0uMBkl0e6ThV71k
         k2yjfp0mqy0hGjDmaKZl6ZIYp9ulYOrnTLnhkLB6BeY+J3LrXA6GY57gozz8b3LryFkA
         633TEVMFJlsrNZ4aLcsXLEL1NOot0p8bfJuzgYMeYTzgr+rIsnSWY2ASNqzBMrxZH4su
         8WpuLS8eDXuUUjYe8e0IAjj3jOTHNfQEzPna6CPzmv/fAsKmzDoSAD+p1gnqs2oaZWch
         rYCif9DWOqACFsf905oDtu7/QwBSS56OkTKivTTRa2Cznt5id2hezHHEEeiWz8IqvmV/
         p64w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=from:message-id:subject:date:mime-version:user-agent:to
         :dkim-signature:dkim-filter:arc-authentication-results;
        bh=KOf+cP/4nTj/gMW3WaDzmRy4gKTdjQXzcpsdaWubCMM=;
        b=SiN25x9u4diKI39/knqYGuZmWyklNUuSRp/KRKnDWzVs0hJN4IdZ18kEd6MmSZu4h0
         TWN0jtuVP8QiEccNZrbV8vVLohwUIi+WLlrozbV+liovdSw/W9mqPd2DwFlJ6vyUBZz3
         mVowx3fr6BDHiCqpMy9tsaqCmG5GY9SO742375rxMBaYxRZfeYWmH0PY0wc+YUiHKfH5
         fM6uDyAhgEtGr2LYdCpB/LgYS575SJ3KZAbWKjdrnHGl/A3qcHz2UVN0W2XspRsP3HLs
         Fo21+r0km5Wx2ECJqhZQxik/ah343uQ5727dquY5+k6CU/qFwzjWGhjf2zpkmZuGKwEC
         Rzhw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (bad format) header.i=@myNSdomain.org header.s=default header.b=jkWrY+fT;
       spf=pass (google.com: domain of enzo@myNSdomain.org designates 123.456.678.9 as permitted sender) smtp.mailfrom=enzo@myNSdomain.org
Return-Path: <enzo@myNSdomain.org>
Received: from fw.myNSdomain.org (net-123-456-789-9.cust.vodafonedsl.it. [123.456.678.9])
        by mx.google.com with ESMTP id o31si1585996wrc.291.2018.03.20.07.29.17
        for <mygmailemail@gmail.com>;
        Tue, 20 Mar 2018 07:29:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of enzo@myNSdomain.org designates 123.456.678.9 as permitted sender) client-ip=123.456.678.9;
Authentication-Results: mx.google.com;
       dkim=neutral (bad format) header.i=@myNSdomain.org header.s=default header.b=jkWrY+fT;
       spf=pass (google.com: domain of enzo@myNSdomain.org designates 123.456.678.9 as permitted sender) smtp.mailfrom=enzo@myNSdomain.org
Received: from localhost (localhost [127.0.0.1]) by fw.myNSdomain.org (Postfix) with ESMTP id 155548E47DF for <mygmailemail@gmail.com>; Tue, 20 Mar 2018 15:29:13 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 fw.myNSdomain.org 155548E47DF
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=myNSdomain.org; s=default; t=1521556156; bh=KOf+cP/4nTj/gMW3WaDzmRy4gKTdjQXzcpsdaWubCMM=; h=To:Date:Subject:From:From; b=jkWrY+fTDH3MaCUhQATs0ken7fzC8dSBazgkTBQgygFYOvGJjo4V2ot5I89TsdlQs
	 wViavukgLsN50zaZh/8YMadnLR2Kr8imricPFlQBZEdRDLoTFWFwItoCoedX0RW3Sx
	 pmuyiWhlcfB5Id7DHmMF4j1SpEIHTmR/XiUZObU+LP+/q+FSuH1lqxBEBdkCsxggsR
	 NmmkV6gMYinc0JsQsaTHcJaFDmRnfkVLH/bDuj0TWPhW3L4rAxz8faLUJQBIeKqU/g
	 Ji9Yk47EARoQCUBhI25YWZj2aiBf3Bsb46Bfmdmh7UCNHAnC2wkOKaiVgQKdvV81tD
	 bAOOcH9O5tm9w==
Content-Type: multipart/alternative; boundary="----=_=-_OpenGroupware_org_NGMime-24171-1521556152.789238-1------"
To: mygmailemail@gmail.com
User-Agent: SOGoMail 3.2.10
MIME-Version: 1.0
Date: Tue, 20 Mar 2018 15:29:12 +0100
Subject: ciao 5
Message-ID: <5e6b-5ab11a80-3-6781eb00@233085339>
X-Forward: 192.168.1.210
From: enzo <enzo@myNSdomain.org>

------=_=-_OpenGroupware_org_NGMime-24171-1521556152.789238-1------
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Length: 0



------=_=-_OpenGroupware_org_NGMime-24171-1521556152.789238-1------
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Length: 13

<html></html>

------=_=-_OpenGroupware_org_NGMime-24171-1521556152.789238-1--------

A check on https://mxtoolbox.com returns for dkim:myNSdomain.org:default

Any idea?


(Stéphane de Labrusse) #2

We have just one key for all domains; you can retrieve it with

cat /etc/opendkim/default.txt

You have no standard way to save the public DKIM key at your registrar. As you can see, the key is cut in two pieces, and I decided to truncate it into one piece.

Unfortunately you have to make some attempts; maybe the raw key format can help you. Do you think it is preferable to get the raw key instead of the customised one?


(Davide Principi) #3

We could reduce the key size in /etc/e-smith/events/actions/nethserver-mail-create-opendkim-key, then generate a shorter key:

sed -i 's/2048/1024/' /etc/e-smith/events/actions/nethserver-mail-create-opendkim-key
rm /etc/opendkim/keys/default.*
/etc/e-smith/events/actions/nethserver-mail-create-opendkim-key

Do you think it is a viable workaround? Read the comment below!


(Stéphane de Labrusse) #4

We could also tell DKIM to use only a 1024-bit key size, but I worry about weakness. From what I read, 2048 is a must nowadays.

But like I read yesterday night, do you really need to wear a helmet in your car :-?


(EnzoC) #5


PERFECT!!!


(Davide Principi) #6

Like @stephdl suggests, there are also some methods/syntax to split long DKIM keys over multiple chunks. It depends on the DNS implementation, so you should refer to your DNS provider’s documentation.

The marked solution is a workaround. It generates a weak key.
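The chunking mentioned in this thread, as an added example that is not code from any poster or from NethServer: it splits a DKIM TXT value into character-strings of at most 255 bytes, renders them in the `( "part one" "part two" )` zone-file form, reassembles them the way a verifier does, and shows that a value cut at 255 characters no longer decodes. The function names are hypothetical and the key is a constructed placeholder with the length of a 2048-bit RSA public key, not a real key.

```python
import base64
import re

MAX_CHARSTRING = 255  # RFC 1035: one TXT character-string carries at most 255 bytes

# Constructed placeholder: 294 bytes is the DER size of a 2048-bit RSA public key
# (a 1024-bit key is 162 bytes, 216 base64 characters, and fits in one string).
FAKE_KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY


def split_txt(value: str, limit: int = MAX_CHARSTRING) -> list[str]:
    """Cut a long TXT value into character-strings of at most `limit` bytes."""
    if not value.isascii():
        raise ValueError("DKIM key records are ASCII only")
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_rdata(chunks: list[str]) -> str:
    """Render the chunks in zone-file form: ( "part one" "part two" )."""
    return "( " + " ".join(f'"{c}"' for c in chunks) + " )"


def join_txt(rdata: str) -> str:
    """Reassemble as a DKIM verifier does: concatenate the strings, no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def check_record(value: str) -> int:
    """Return the decoded key length in bytes; raise ValueError if p= is damaged."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())
    return len(base64.b64decode(tags["p"], validate=True))


if __name__ == "__main__":
    chunks = split_txt(RECORD)
    print("record length:", len(RECORD), "chunk lengths:", [len(c) for c in chunks])
    print("default._domainkey IN TXT", zone_rdata(chunks))
    print("round trip ok:", join_txt(zone_rdata(chunks)) == RECORD)
    try:
        check_record(RECORD[:MAX_CHARSTRING])  # what a panel that truncates stores
    except ValueError as exc:
        print("truncated record rejected:", exc)
```

Whether a provider's panel accepts several quoted strings in one TXT record depends on the provider, as the post above says; after publishing, compare the value returned by a DNS query with the contents of /etc/opendkim/default.txt.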


(EnzoC) #7

I understand that it is a workaround. I do not know many Italian hosting providers, but I consider Netsons the most reliable, complete, versatile. In Italy, both Aruba and Register are very far from the completeness of use of Netsons.
I have a dedicated panel for DKIM and SPF activation!!!

Let’s say that for the moment I’m happy; I’ll be looking for an Italian hosting provider that does not have this limit.
For the moment, thank you!


(Davide Principi) #8

3 posts were split to a new topic: My emails finish in SPAM only with google