If you have ever had the opportunity to fiddle around with email servers, you might have heard of DKIM or DomainKey records. DKIM records are a way to fight the "bad guys" by adding a cryptographic signature to your emails so that the recipient can check whether the email originates from an authorized system. Here's an in-depth tutorial on how to set DKIM records up.
There's a problem, however: many DNS management interfaces (like cPanel or older versions of PowerAdmin) only allow a maximum of 255 characters... and your DKIM record might be longer.
The solution is to enclose the record in parentheses, and separate each less-than-255-character chunk with spaces and double quotes. Let's pretend our full DKIM signature looks like this:
v=DKIM1; k=rsa; s=email; p=FIBIjANBgkqhkiG9w0BAQEFAIDOJJFDEIBCgKCAQEA75yHQfuVRf9S2+OY/aA9Oe1cgic7nsOatmw4F8DK64eTkLGPhWJXTuq2qdw1ZOBNGyhXAFy/9oksN01rndsI99j3/L3rZIlSFySUaB5v10i+Y5Wi1wWOIlFbZuLM4sf7GPdEY+6w5nwrUE+3psff2y0wpZvwszgXfX4JPN+LfBvM6KgMUnuM7BqSyzmXlnOz4ipVS4bk9t2Ic7dG7FUVgoJhnRz1dcYdHZ6DAM/ege1KkfWxALZtEi7xBIv3kvM4EqNwg1limc/VksPbABz61MR0T+HxD4ypMl6lb+I8pfrZuMj/R2TPrgWQytJEp5MQxlNObi6k4mioQzu2LqGiQwIDAQAB
This is a single line entry and is 417 characters long - too much for a single entry. It turns out we can split this key into a format like this:
( "part one" "part two" ...)
... and it doesn't matter how long each chunk is, as long as it's less than 256 characters. So let's take into account the extra characters (parens and double quotes) and split our test key up:
("v=DKIM1; k=rsa; s=email; p=FIBIjANBgkqhkiG9w0BAQEFAIDOJJFDEIBCgKCAQEA75yHQfuVRf9S2+OY/aA9Oe1cgic7nsOatmw4F8DK64eTkLGPhWJXTuq2qdw1ZOBNGyhXAFy/9oksN01rndsI99j3/L3rZIlSFySUaB5v10i+Y5Wi1wWOIlFbZuLM4sf7GPdEY+6w5nwrUE+3psff2y0wpZvwszgXfX4JPN+LfBvM6KgMUnuM7B" "qSyzmXlnOz4ipVS4bk9t2Ic7dG7FUVgoJhnRz1dcYdHZ6DAM/ege1KkfWxALZtEi7xBIv3kvM4EqNwg1limc/VksPbABz61MR0T+HxD4ypMl6lb+I8pfrZuMj/R2TPrgWQytJEp5MQxlNObi6k4mioQzu2LqGiQwIDAQAB")
This gives us 2 chunks: 254 and 169 characters long, respectively. Now we can add them to the DNS entry system under the same TXT record name:
mail._domainkey IN TXT ("v=DKIM1; k=rsa; s=email; ..."
mail._domainkey IN TXT "qSyzmXlnOz4i...")
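The splitting step as an added example, not code from the original post: it cuts a record value into strings of at most 255 bytes, writes them as one TXT record, and checks that joining the strings in order with nothing between them gives back the original value, which is how a DKIM verifier reads a multi-string TXT record (RFC 6376, section 3.6.2.2). The function names, the constructed `SAMPLE` value, and the choice to keep all chunks in a single TXT record are assumptions of this example.

```python
import re

MAX_LEN = 255  # one DNS <character-string> holds at most 255 bytes (RFC 1035)

# Constructed sample: placeholder key material, not a real public key.
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 392

def split_txt(value, size=MAX_LEN):
    """Cut a TXT value into ordered pieces of at most `size` bytes."""
    if not 1 <= size <= MAX_LEN:
        raise ValueError("chunk size must be between 1 and 255")
    data = value.encode("ascii")  # DKIM key records are plain ASCII
    return [data[i:i + size].decode("ascii") for i in range(0, len(data), size)]

def to_zone_line(name, chunks):
    """Render ONE TXT record that carries every chunk as a quoted string."""
    quoted = " ".join(
        '"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks
    )
    return f"{name} IN TXT ( {quoted} )"

def join_zone_line(line):
    """Rebuild the value: concatenate the quoted strings in the order they
    appear, with nothing between them. Only single-character backslash
    escapes are handled."""
    raw = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    parts = [re.sub(r"\\(.)", r"\1", p) for p in raw]
    for p in parts:
        if len(p.encode("ascii")) > MAX_LEN:
            raise ValueError("string exceeds 255 bytes")
    return "".join(parts)

if __name__ == "__main__":
    chunks = split_txt(SAMPLE)
    line = to_zone_line("mail._domainkey", chunks)
    print([len(c) for c in chunks])
    print(line)
    print("round trip ok:", join_zone_line(line) == SAMPLE)
```

Where the cut falls does not matter to the verifier, since the strings are joined with no separator before the tags are parsed.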
Some interfaces will remove the parens and double quotes, so you'll be left with something similar to this:
After a bit of time, you should be able to check these records at a DKIM checker (like this one), and it should pass! If you're using MXToolbox, enter
dkim:mycustomdomain.com:mail in the box to get it to check the
But wait - how should I order these records?
A providing server should place the DKIM pieces in the correct order, based on the RDATA associated with each record, regardless of what order they are entered in. I still chalk this up to black magic, and I don't fully understand the explanation that I received when I asked this question on ServerFault. There is a spec for this, RFC 1034 section 3.6, but it is equally cryptic to me.
If you're able to help us out and explain how these records get ordered, drop a line in the comments and put our minds at ease.