DKIM Key Length

sadwargamer · Jul 21, 2015

Hi,

The DKIM key created is too long for the TXT entry field (limit 255 characters) - I understand that the latest version of cpanel uses 2048 key whereas a 1024 key from previous versions genertaed a key of 255 charcters or less.

As I cannot add a long TXT record can someone let me know who I can force WHM/Cpanel to use 1024 key size so I can create correct TXT entries.

Regards
Andy

cPanelMichael · Aug 6, 2015

Hello

Could you verify which version of cPanel is installed on your system? This should be addressed in cPanel version 11.50.

Thank you.

sadwargamer · Aug 6, 2015

Hi,

Yes I am on 11.50 but all new domains are created with the 2048 key - how can I change this to the 1024 key please.

thanks.

regards
andy

cPanelMichael · Aug 6, 2015

Could you verify why you can't add the long TXT record? For instance, do you mean you are adding it somewhere other than cPanel where the DNS is hosted? It should not be an issue adding it through cPanel.

Thank you.

sadwargamer · Aug 6, 2015

I need to add the DKIM as a TX record with my DNS provider and they do not support (currently) more than 255 characters otherwise of course I woudl use 2048...

I cannot be the only one in the world in this position

cPanelMichael · Aug 25, 2015

Hello

Internal case CPANEL-794 is open to address the improper handling of quotes and data length for TXT records (DKIM). You can monitor our change logs to see when this case has been resolved:

cPanel - Change Logs

Thank you.

Pablo1981 · Oct 2, 2015

Has this been fixed yet?
I did not find the case in the logs!
This is urgent since it affects email!
Thanks

cPanelMichael · Oct 5, 2015

Internal case CPANEL-794 has not yet been released, but I do see activity on this case as recent as a few days ago. There's currently no exact time frame I can provide on when a resolution will be implemented, but please feel free to monitor our change log for the case number.

Thank you.

dazeck · Nov 3, 2015

Sorry to bump this thread, but I am having an issue with DKIM and I think it's due to this case number 794. Are we any closer to getting this resolved ? If not, how can we manually generate dkim and get email signing working. My old keys all work fine, but keys generated recently are failing and its for a new customer.

I get this when testing with verifier.port25.com

DKIM check details:
----------------------------------------------------------
Result: fail (signature doesn't verify)

cPanelMichael · Nov 4, 2015

dazeck said:
but keys generated recently are failing and its for a new customer.

Could you verify if you have checked any alternate testing websites? You can also verify if the record appears with a command such as:

Code:

dig txt default._domainkey.domain.com @ns1.nameserver.com

Thank you.

dazeck · Nov 5, 2015

This appears to have rectified itself once I had logged a support ticket, typical. To get around this whilst waiting for the support team (the time difference doesn't help), I had to manually generate the keys. The following day, when disabled and re-enabled the DKIM setting against the account and checked using verifier.port25.com it verified ok. I have no idea why it wouldn't work one day then started to work the next.

cPanelMichael · Nov 5, 2015

I am happy to see the issue is now resolved. In general, it's a good idea to check via the "dig" command because third-party websites may use cached or incorrect methods of verifying the record.

Thank you.

JamasWise · Nov 5, 2015

If you are using Cloudflare, I finally found a work around. This might work for other DNS systems.

When cpanel displays the new longer keys on the email authentication screen it does so in the format that DNS system would do to maintain the 255 character limit of the TXT field. It does this by adding a quote " and space before the next part of the key. If you are pasting this into Cloudflare then strip out all the quotes and the space. Cloudflare when serving the record will split it. But if you paste it in split then it won't resolve correctly.

Hope this helps others.

cPanelMichael · Nov 6, 2015

Thank you for taking the time to provide a workaround for CloudFlare. I'm happy to see that addresses the issue.

doekia · Dec 20, 2015

humm, I feel really confused.

RFC-4408 - 3.1.3

As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
record (either TXT or SPF RR types) can be composed of more than one
string.
...
SPF or TXT records containing multiple strings are useful in
constructing records that would exceed the 255-byte maximum length of
a string within a single TXT or SPF RR record.

RFC-1035 - 3.3

<domain-name> is a domain name represented as a series of labels, and
terminated by a label with zero length. <character-string> is a single
length octet followed by that number of characters. <character-string>
is treated as binary information, and can be up to 256 characters in
length (including the length octet).

RFC-1035 - 3.3.14

TXT-DATA One or more <character-string>s.

RFC-1035 - 5.1

<character-string> is expressed in one or two ways: as a contiguous set
of characters without interior spaces, or as a string beginning with a "
and ending with a ". Inside a " delimited string any character can
occur, except for a " itself, which must be quoted using \ (back slash)

1/ I see no limit to 255 expressed "MUST" as part of the RFCs.
2/ Assuming there is one, it is 255, but cpanel build the strings as follow:

Code:

"v=DKIM1\; k=rsa\; p=first" "second\;"

With "v=DKIM1\; k=rsa\; p=first" been 260 characters.
Trail the quotes, count is 258 characters still.
Trail the back-quote (wonder why btw), count is 256 characters still.
ALL those characters count exceed 255 if it is a limit ?!?.

cPanelMichael · Feb 2, 2016

doekia said:
humm, I feel really confused.

Could you verify if you are using a third-party DNS provider to add the DKIM records, and if so, the name of that provider?

Thank you.

havok89 · Mar 22, 2016

Has this been addressed yet?

I need to change the key length so that it fits with the limit on my DNS provider (fasthosts).

Just now the key is too long and like mentioned above it is broken with the quotation marks. the bit inside the quotation marks is 255 in length and would fit but I can't create the record with the second part after the split.

I can't find anything about how to change the key length, is it possible in cPanel, WHM or via SSH?

cPanelMichael · Mar 23, 2016

havok89 said:
I need to change the key length so that it fits with the limit on my DNS provider (fasthosts).

We are considering options on how to best handle remote DNS providers that are not accepting the correct DKIM format (We provide a format that meets RFC standards). It's discussed on this thread:

How to Enter DKIM record into DNS Zone

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
B	Can't paste full DKIM key in Zone Editor - Character limit issue?	Domain Management	4	Jul 25, 2021
S	DKIM selector entries for Office 365	Domain Management	2	Feb 12, 2019
E	DKIM records when clustered servers use MyDNS	Domain Management	1	Jun 18, 2018
J	SOLVED Can't add DKIM record	Domain Management	8	May 23, 2018
M	DKIM Core Key valid when checked but not when added to DNS	Domain Management	3	Nov 20, 2015

Search

Search

DKIM Key Length

sadwargamer

Registered

cPanelMichael

Administrator

sadwargamer

Registered

cPanelMichael

Administrator

sadwargamer

Registered

cPanelMichael

Administrator

Pablo1981

Registered

cPanelMichael

Administrator

dazeck

Well-Known Member

cPanelMichael

Administrator

dazeck

Well-Known Member

cPanelMichael

Administrator

JamasWise

Member

cPanelMichael

Administrator

doekia

Registered

cPanelMichael

Administrator

havok89

Registered

cPanelMichael

Administrator