Hack w/ Limbic Media


by Eric McNiece

How to Split DNS DKIM Records Properly

If you have ever had the opportunity to fiddle around with email servers, you might have heard of DKIM or DomainKeys records. DKIM records are a way to fight the "bad guys" by adding a cryptographic signature to your emails so that the recipient can check whether the email originates from an authorized system. Here's an in-depth tutorial on how to set DKIM records up.

There's a problem, however: many DNS management interfaces (like cPanel or older versions of PowerAdmin) only allow a maximum of 255 characters per entry... and your DKIM record might be longer.

What is this, TXT records for ants?

The solution is to enclose the record in parentheses and separate each chunk of fewer than 255 characters with spaces and double quotes. Let's pretend our full DKIM record looks like this:

v=DKIM1; k=rsa; s=email; p=FIBIjANBgkqhkiG9w0BAQEFAIDOJJFDEIBCgKCAQEA75yHQfuVRf9S2+OY/aA9Oe1cgic7nsOatmw4F8DK64eTkLGPhWJXTuq2qdw1ZOBNGyhXAFy/9oksN01rndsI99j3/L3rZIlSFySUaB5v10i+Y5Wi1wWOIlFbZuLM4sf7GPdEY+6w5nwrUE+3psff2y0wpZvwszgXfX4JPN+LfBvM6KgMUnuM7BqSyzmXlnOz4ipVS4bk9t2Ic7dG7FUVgoJhnRz1dcYdHZ6DAM/ege1KkfWxALZtEi7xBIv3kvM4EqNwg1limc/VksPbABz61MR0T+HxD4ypMl6lb+I8pfrZuMj/R2TPrgWQytJEp5MQxlNObi6k4mioQzu2LqGiQwIDAQAB  

This is a single-line entry 417 characters long, which is too much for a single entry. It turns out we can split this key into a format like this:

( "part one" "part two" ...)

... and it doesn't matter how long each chunk is, as long as it's less than 256 characters. So let's take into account the extra characters (parentheses and quotes) and split our test key up:

("v=DKIM1; k=rsa; s=email; p=FIBIjANBgkqhkiG9w0BAQEFAIDOJJFDEIBCgKCAQEA75yHQfuVRf9S2+OY/aA9Oe1cgic7nsOatmw4F8DK64eTkLGPhWJXTuq2qdw1ZOBNGyhXAFy/9oksN01rndsI99j3/L3rZIlSFySUaB5v10i+Y5Wi1wWOIlFbZuLM4sf7GPdEY+6w5nwrUE+3psff2y0wpZvwszgXfX4JPN+LfBvM6KgMUnuM7B"
"qSyzmXlnOz4ipVS4bk9t2Ic7dG7FUVgoJhnRz1dcYdHZ6DAM/ege1KkfWxALZtEi7xBIv3kvM4EqNwg1limc/VksPbABz61MR0T+HxD4ypMl6lb+I8pfrZuMj/R2TPrgWQytJEp5MQxlNObi6k4mioQzu2LqGiQwIDAQAB")

This gives us 2 chunks: 254 and 169 characters long, respectively. Now we can add them to the DNS entry system under the same TXT record name:

mail._domainkey    IN    TXT    ("v=DKIM1; k=rsa; s=email; ..."

mail._domainkey    IN    TXT    "qSyzmXlnOz4i...")  
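
To make the mechanics concrete, here is an added example (my own code, not from the post or Limbic Media) that splits a value into 255-character strings, renders the parenthesised zone-file form, and verifies the pieces reassemble by building and re-parsing the TXT RDATA, which stores each string behind a one-octet length field (the origin of the 255 limit). It uses the post's pretend key; the function names are mine.

```python
# The post's pretend key (not a real key), exactly as shown above.
DKIM_VALUE = (
    "v=DKIM1; k=rsa; s=email; p="
    "FIBIjANBgkqhkiG9w0BAQEFAIDOJJFDEIBCgKCAQEA75yHQfuVRf9S2+OY/aA9Oe1cgic7"
    "nsOatmw4F8DK64eTkLGPhWJXTuq2qdw1ZOBNGyhXAFy/9oksN01rndsI99j3/L3rZIlSFy"
    "SUaB5v10i+Y5Wi1wWOIlFbZuLM4sf7GPdEY+6w5nwrUE+3psff2y0wpZvwszgXfX4JPN+L"
    "fBvM6KgMUnuM7BqSyzmXlnOz4ipVS4bk9t2Ic7dG7FUVgoJhnRz1dcYdHZ6DAM/ege1Kkf"
    "WxALZtEi7xBIv3kvM4EqNwg1limc/VksPbABz61MR0T+HxD4ypMl6lb+I8pfrZuMj/R2TP"
    "rgWQytJEp5MQxlNObi6k4mioQzu2LqGiQwIDAQAB"
)
MAX_STRING = 255  # a TXT character-string carries a one-octet length prefix

def split_txt(value: str, max_len: int = MAX_STRING) -> list[str]:
    """Cut value into character-strings of at most max_len octets each."""
    raw = value.encode("ascii")
    return [raw[i:i + max_len].decode("ascii") for i in range(0, len(raw), max_len)]

def zone_record(name: str, chunks: list[str]) -> str:
    """Render one TXT RR whose RDATA is several quoted strings in parentheses."""
    def quote(s: str) -> str:  # zone-file escaping for backslash and double quote
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{name}    IN    TXT    ( " + " ".join(quote(c) for c in chunks) + " )"

def txt_rdata(chunks: list[str]) -> bytes:
    """Wire-format RDATA: <length octet><bytes> for each string, in order."""
    out = b""
    for c in chunks:
        raw = c.encode("ascii")
        if len(raw) > MAX_STRING:  # the length octet cannot express more than 255
            raise ValueError("character-string exceeds 255 octets")
        out += bytes([len(raw)]) + raw
    return out

def join_txt_rdata(rdata: bytes) -> str:
    """Reassemble the value as a DKIM verifier does: concatenate in order, no separators."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return "".join(parts)

def dkim_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, dropping folded whitespace in values."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

if __name__ == "__main__":
    print(zone_record("mail._domainkey", split_txt(DKIM_VALUE)))
```

Passing max_len=251 reproduces the post's own split point, so you can check either layout reassembles to the same value before publishing it.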

Some interfaces will remove the parentheses and quotes, so you'll be left with something similar to this:

[Screenshot: proper DKIM record split]

After a bit of time, you should be able to check these records with a DKIM checker (like this one), and they should pass! If you're using MXToolbox, enter dkim:mycustomdomain.com:mail in the box to get it to check the mail._domainkey.mycustomdomain.com record.

[Screenshot: DKIM validation success]

But wait - how should I order these records?

A providing server should place the DKIM pieces in the correct order, based on the RDATA associated with each record, regardless of what order they are entered in. I still chalk this up to black magic, and I don't fully understand the explanation I received when I asked this question on ServerFault. There is a spec for this, RFC 1034 section 3.6, but it is equally cryptic to me.

If you're able to help us out and explain how these records get ordered, drop a line in the comments and put our minds at ease.

Happy signing!
