Generating DKIM key with openssl

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

Generating 1024 bit DKIM key

To generate a 1024 bit DKIM key pair with openssl, run the following two commands; the first creates the RSA private key and the second extracts the matching public key:

openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key


Your generated public key will look something like this:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYFnr/FncHM2LkH7CgK4/9FWdp
b+XHMaQ11vOfbD9hmhZgYtNOu8cQhECD0j8MpSwPELll3zz+jxEaAJnej5RJpqcW
v4N1TbZ/kRItE1jQ8HiLhlQcVibuetcXiYD0sRccbAwNgQ9XVTf0FhH3Ek7ABkz8
PCZaebWvFsNlqNWqxwIDAQAB
-----END PUBLIC KEY-----

To publish public.key in the DNS record shown below, you have to "convert" it manually into a single line, i.e. drop the BEGIN/END lines and join the base64 lines together:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYFnr/FncHM2LkH7CgK4/9FWdpb+XHMaQ11vOfbD9hmhZgYtNOu8cQhECD0j8MpSwPELll3zz+jxEaAJnej5RJpqcWv4N1TbZ/kRItE1jQ8HiLhlQcVibuetcXiYD0sRccbAwNgQ9XVTf0FhH3Ek7ABkz8PCZaebWvFsNlqNWqxwIDAQAB


In bind/named compatible format, the resulting TXT record looks like this:

default._domainkey 14400 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYFnr/FncHM2LkH7CgK4/9FWdpb+XHMaQ11vOfbD9hmhZgYtNOu8cQhECD0j8MpSwPELll3zz+jxEaAJnej5RJpqcWv4N1TbZ/kRItE1jQ8HiLhlQcVibuetcXiYD0sRccbAwNgQ9XVTf0FhH3Ek7ABkz8PCZaebWvFsNlqNWqxwIDAQAB"


Generating 2048 bit DKIM key

You may prefer a 2048 bit DKIM key; in that case, use the following openssl commands:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key


However, a 2048 bit public DKIM key is too long to fit into a single TXT string, which is limited to 255 characters. Assuming your full public key is as follows:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2QFd+mOaTavpOQAQi7jI
KdHrWsm2nzqG8ZocEjG63vdRzsZA88kakOTpdw+rPQKb2LW3wmKnjld6kIeSJFC6
ennMDKUYagEdS2aPsEbvWpmyiPNroB95dvmK8jJlU89AaKN1jRkaboqqllpNxMKc
Fw+MRxkbsfbIfRf3CKTUXtay47iFtmuP0r5mYFc6QTGYGfLXxw0Oyi4izVxe2RWC
yDeeUhP7aJpl647Vz4z1jhkLSFTEtpKj5pPEFt9TNVjqR8OAXH1DicEcuBmJWkCZ
9Uo8K1C7NtJ6wMpDS0XA+KakPkNI6rehdg7mJxrXz7MD+mkFeahJtWwhOKTxLyXd
DQIDAQAB
-----END PUBLIC KEY-----


...you need to split the text field into strings of 255 characters or less:

default._domainkey 14400 IN TXT ("k=rsa; p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2QFd+mOaTavpOQAQi7jI"
"KdHrWsm2nzqG8ZocEjG63vdRzsZA88kakOTpdw+rPQKb2LW3wmKnjld6kIeSJFC6"
"ennMDKUYagEdS2aPsEbvWpmyiPNroB95dvmK8jJlU89AaKN1jRkaboqqllpNxMKc"
"Fw+MRxkbsfbIfRf3CKTUXtay47iFtmuP0r5mYFc6QTGYGfLXxw0Oyi4izVxe2RWC"
"yDeeUhP7aJpl647Vz4z1jhkLSFTEtpKj5pPEFt9TNVjqR8OAXH1DicEcuBmJWkCZ"
"9Uo8K1C7NtJ6wMpDS0XA+KakPkNI6rehdg7mJxrXz7MD+mkFeahJtWwhOKTxLyXd"
"DQIDAQAB")


There are several limitations to 2048 bit DKIM records:

  • While bind/named supports a TXT record being split into several strings, some DNS hosting providers may still not support it.
  • If the DNS response is larger than 512 bytes, a resolver without EDNS0 receives a truncated reply and retries over TCP instead of UDP. Some buggy firewalls do not permit DNS over TCP.
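The manual steps above (drop the PEM BEGIN/END lines, join the base64 into one line, and for a 2048 bit key split it into 255-character strings) are easy to get wrong by hand. The script below is an added example, not code from the lxadm page; it assumes a POSIX sh with sed, tr, fold and wc, and uses the two public keys shown on this page as constructed sample input, with the page's selector `default` and TTL 14400. The function names (`pem_to_p`, `dkim_strings`, `dkim_txt_record`, `txt_rdata_length`) are my own. `txt_rdata_length` reports the TXT RDATA length (each string plus its one-byte length prefix) so you can judge how close the record comes to the 512 byte limit mentioned in the last bullet; the full response also carries the header, the question and the owner name. Note that RFC 8301 requires DKIM signers to use RSA keys of at least 1024 bits and recommends at least 2048 bits.

```shell
#!/bin/sh
# Added example (not from the lxadm page): build a DKIM TXT record from a PEM
# public key. Assumes POSIX sh plus sed, tr, fold and wc.

# Sample input: the 1024 bit public key shown on the page (constructed sample).
SAMPLE_PEM_1024='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYFnr/FncHM2LkH7CgK4/9FWdp
b+XHMaQ11vOfbD9hmhZgYtNOu8cQhECD0j8MpSwPELll3zz+jxEaAJnej5RJpqcW
v4N1TbZ/kRItE1jQ8HiLhlQcVibuetcXiYD0sRccbAwNgQ9XVTf0FhH3Ek7ABkz8
PCZaebWvFsNlqNWqxwIDAQAB
-----END PUBLIC KEY-----'

# Sample input: the 2048 bit public key shown on the page (constructed sample).
SAMPLE_PEM_2048='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2QFd+mOaTavpOQAQi7jI
KdHrWsm2nzqG8ZocEjG63vdRzsZA88kakOTpdw+rPQKb2LW3wmKnjld6kIeSJFC6
ennMDKUYagEdS2aPsEbvWpmyiPNroB95dvmK8jJlU89AaKN1jRkaboqqllpNxMKc
Fw+MRxkbsfbIfRf3CKTUXtay47iFtmuP0r5mYFc6QTGYGfLXxw0Oyi4izVxe2RWC
yDeeUhP7aJpl647Vz4z1jhkLSFTEtpKj5pPEFt9TNVjqR8OAXH1DicEcuBmJWkCZ
9Uo8K1C7NtJ6wMpDS0XA+KakPkNI6rehdg7mJxrXz7MD+mkFeahJtWwhOKTxLyXd
DQIDAQAB
-----END PUBLIC KEY-----'

# pem_to_p: read a PEM public key on stdin, drop the BEGIN/END lines and join
# the base64 lines into the single line that goes after "p=".
pem_to_p() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' | tr -d '\n\r'
}

# dkim_strings: read PEM on stdin and print the TXT <character-string>s, one
# per line. A single "k=rsa; p=..." string is used when it fits into 255
# characters; otherwise "k=rsa; p=" is followed by 255-character slices.
dkim_strings() {
    p=$(pem_to_p)
    if [ $(( ${#p} + 9 )) -le 255 ]; then
        printf 'k=rsa; p=%s\n' "$p"
    else
        printf 'k=rsa; p=\n'
        printf '%s\n' "$p" | fold -w 255
    fi
}

# dkim_txt_record SELECTOR TTL: read PEM on stdin and print a bind/named style
# TXT record, using the parenthesised multi-string form when needed.
dkim_txt_record() {
    selector=$1
    ttl=$2
    strings=$(dkim_strings)
    n=$(printf '%s\n' "$strings" | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then
        printf '%s._domainkey %s IN TXT "%s"\n' "$selector" "$ttl" "$strings"
    else
        printf '%s._domainkey %s IN TXT (' "$selector" "$ttl"
        # quote every string; append the closing parenthesis to the last one
        printf '%s\n' "$strings" | sed -e 's/.*/"&"/' -e '$s/$/)/'
    fi
}

# txt_rdata_length: read PEM on stdin and print the TXT RDATA size in bytes,
# i.e. every string plus its one-byte length prefix (RDATA only; the DNS
# response adds header, question and owner name on top of this).
txt_rdata_length() {
    dkim_strings | {
        total=0
        while IFS= read -r s; do
            total=$(( total + ${#s} + 1 ))
        done
        echo "$total"
    }
}

# Usage: print both records and their RDATA sizes.
printf '%s\n' "$SAMPLE_PEM_1024" | dkim_txt_record default 14400
printf '%s\n' "$SAMPLE_PEM_2048" | dkim_txt_record default 14400
echo "1024 bit RDATA bytes: $(printf '%s\n' "$SAMPLE_PEM_1024" | txt_rdata_length)"
echo "2048 bit RDATA bytes: $(printf '%s\n' "$SAMPLE_PEM_2048" | txt_rdata_length)"
```

With a real key, pipe `openssl rsa -in private.key -pubout` straight into `dkim_txt_record default 14400`. Keep private.key readable only by the signing daemon (chmod 600), and after publishing check what resolvers actually return with `dig +short TXT default._domainkey.example.com`: the strings of a split record should come back concatenated into one uninterrupted p= value.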