DKIM Key Length

Discussion in 'Bind / DNS / Nameserver Issues' started by sadwargamer, Jul 21, 2015.

Thread Status:
Not open for further replies.
  1. sadwargamer

    sadwargamer Registered

    Joined:
    Jul 5, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    The DKIM key created is too long for the TXT entry field (limit 255 characters) - I understand that the latest version of cPanel uses a 2048 key whereas a 1024 key from previous versions generated a key of 255 characters or less.

    As I cannot add a long TXT record, can someone let me know how I can force WHM/cPanel to use the 1024 key size so I can create correct TXT entries.

    Regards
    Andy
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. sadwargamer

    Hi,

    Yes I am on 11.50 but all new domains are created with the 2048 key - how can I change this to the 1024 key please.

    thanks.

    regards
    andy
     
  4. cPanelMichael

    Could you verify why you can't add the long TXT record? For instance, do you mean you are adding it somewhere other than cPanel where the DNS is hosted? It should not be an issue adding it through cPanel.

    Thank you.
     
  5. sadwargamer

    I need to add the DKIM as a TXT record with my DNS provider and they do not support (currently) more than 255 characters, otherwise of course I would use 2048...

    I cannot be the only one in the world in this position :(
     
  6. cPanelMichael

    Hello:)

    Internal case CPANEL-794 is open to address the improper handling of quotes and data length for TXT records (DKIM). You can monitor our change logs to see when this case has been resolved:

    cPanel - Change Logs

    Thank you.
     
  7. Pablo1981

    Pablo1981 Registered

    Joined:
    Oct 2, 2015
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bucaramanga, Colombia
    cPanel Access Level:
    Root Administrator
    Has this been fixed yet?
    I did not find the case in the logs!
    This is urgent since it affects email!
    Thanks
     
  8. cPanelMichael

    Internal case CPANEL-794 has not yet been released, but I do see activity on this case as recent as a few days ago. There's currently no exact time frame I can provide on when a resolution will be implemented, but please feel free to monitor our change log for the case number.

    Thank you.
     
  9. dazeck

    dazeck Well-Known Member

    Joined:
    Jul 19, 2014
    Messages:
    57
    Likes Received:
    9
    Trophy Points:
    8
    Location:
    England
    cPanel Access Level:
    Root Administrator
    Sorry to bump this thread, but I am having an issue with DKIM and I think it's due to this case number 794. Are we any closer to getting this resolved? If not, how can we manually generate DKIM and get email signing working? My old keys all work fine, but keys generated recently are failing and it's for a new customer.

    I get this when testing with verifier.port25.com

    DKIM check details:
    ----------------------------------------------------------
    Result: fail (signature doesn't verify)
     
  10. cPanelMichael

    Could you verify if you have checked any alternate testing websites? You can also verify if the record appears with a command such as:

    Code:
    dig txt default._domainkey.domain.com @ns1.nameserver.com
    Thank you.
     
  11. dazeck

    This appears to have rectified itself once I had logged a support ticket, typical. To get around this whilst waiting for the support team (the time difference doesn't help), I had to manually generate the keys. The following day, when I disabled and re-enabled the DKIM setting against the account and checked using verifier.port25.com, it verified OK. I have no idea why it wouldn't work one day then started to work the next.
     
  12. cPanelMichael

    I am happy to see the issue is now resolved. In general, it's a good idea to check via the "dig" command because third-party websites may use cached or incorrect methods of verifying the record.

    Thank you.
     
  13. JamasWise

    JamasWise Member

    Joined:
    Jun 18, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    If you are using Cloudflare, I finally found a work around. This might work for other DNS systems.

    When cPanel displays the new longer keys on the email authentication screen, it does so in the format that a DNS system would use to maintain the 255 character limit of the TXT field. It does this by adding a quote " and a space before the next part of the key. If you are pasting this into Cloudflare, then strip out all the quotes and the space. Cloudflare will split it when serving the record. But if you paste it in split, then it won't resolve correctly.

    Hope this helps others.
     
  14. cPanelMichael

  15. doekia

    doekia Registered

    Joined:
    Dec 20, 2015
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    my place
    cPanel Access Level:
    Website Owner
    Hmm, I feel really confused.

    RFC-4408 - 3.1.3
    RFC-1035 - 3.3
    RFC-1035 - 3.3.14
    RFC-1035 - 5.1
    1/ I see no limit of 255 expressed as a "MUST" in the RFCs.
    2/ Assuming there is one, it is 255, but cPanel builds the strings as follows:
    Code:
    "v=DKIM1\; k=rsa\; p=first" "second\;"
    With "v=DKIM1\; k=rsa\; p=first" being 260 characters.
    Trim the quotes, the count is still 258 characters.
    Trim the back-quote (wonder why btw), the count is still 256 characters.
    All of those character counts exceed 255, if it is a limit?!
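
The quoting behaviour discussed in the two posts above, as an added example (not part of the thread and not cPanel's code): it joins a quoted, split TXT value into the single string a provider such as Cloudflare expects, splits a long value into strings of at most 255 bytes, and checks that the `p=` tag survives as valid base64. The function names and the key material are constructed for illustration; the placeholder is 294 bytes, the DER size of a 2048-bit RSA public key.

```python
import base64
import re

MAX_CHUNK = 255  # RFC 1035 3.3: each <character-string> carries a one-byte length

def join_txt_chunks(presentation: str) -> str:
    """Turn zone-file presentation ('"part1" "part2"') into one logical value."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    if not chunks:  # value was supplied without any quotes
        chunks = [presentation.strip()]
    # Escapes such as \; belong to the zone-file syntax; drop the backslash.
    return "".join(re.sub(r"\\(.)", r"\1", c) for c in chunks)

def split_txt(value: str, size: int = MAX_CHUNK) -> str:
    """Render one logical value as quoted strings of at most `size` bytes each."""
    raw = value.encode("ascii")
    parts = [raw[i:i + size].decode("ascii") for i in range(0, len(raw), size)]
    return " ".join('"%s"' % p.replace("\\", "\\\\").replace('"', '\\"')
                    for p in parts)

def check_dkim_value(value: str) -> dict:
    """Parse the DKIM tags; raises ValueError if p= is not clean base64."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    der = base64.b64decode(tags["p"], validate=True)
    return {"v": tags.get("v"), "k": tags.get("k"),
            "p_chars": len(tags["p"]), "der_bytes": len(der)}

# Constructed placeholder bytes, not a real key.
FAKE_DER = bytes(i % 256 for i in range(294))
VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(FAKE_DER).decode()

if __name__ == "__main__":
    shown = split_txt(VALUE)                 # what a zone file would contain
    print(len(VALUE), "characters ->", shown.count('" "') + 1, "strings")
    print(check_dkim_value(join_txt_chunks(shown)))
    try:
        # Pasting the split form into a single field leaves '" "' inside p=.
        check_dkim_value(shown[1:-1])
    except ValueError as exc:
        print("pasted split form rejected:", exc)
```
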
     
  16. cPanelMichael

    Could you verify if you are using a third-party DNS provider to add the DKIM records, and if so, the name of that provider?

    Thank you.
     
  17. havok89

    havok89 Registered

    Joined:
    Mar 22, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Glasgow
    cPanel Access Level:
    Root Administrator
    Has this been addressed yet?

    I need to change the key length so that it fits with the limit on my DNS provider (fasthosts).

    Just now the key is too long and, like mentioned above, it is broken with the quotation marks. The bit inside the quotation marks is 255 in length and would fit, but I can't create the record with the second part after the split.

    I can't find anything about how to change the key length, is it possible in cPanel, WHM or via SSH?
     
  18. cPanelMichael

    We are considering options on how to best handle remote DNS providers that are not accepting the correct DKIM format (We provide a format that meets RFC standards). It's discussed on this thread:

    How to Enter DKIM record into DNS Zone

    Thank you.
     