Phone Lines icon GFI Support Home

Articles in this section

See more

Long DKIM public key is not found in DNS records

Author: Vladyslav Velychko Updated

Overview

While trying to configure DKIM public key in Kerio Connect installed on macOS, it produces the following error:

DKIM public key for domain.com was not found in the DNS record

dkim.png

The following entry is generated in the logs:

Mail 5ece7e63-00001c32 won't be signed by DKIM because DNS record is invalid for domain domain.com.

Further, running dig command the DKIM record returns different results for local Kerio Connect installation and from an outside network PC:

  1. On the Kerio Connect server
    dig +short mail._domainkey.domain.com TXT
    "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvL1rcnn9rXG7h7A48tEPVIrC+ZT37vYy7eXwduOYFCOtvWkd1V6Zp3kJMBAA49GEuYN6LUlJNEEpxx7N4/kR/NAhSlcum61Kbe2Eo2xxficcsGCP3QoymKr/rqg/RDmfw2V51Jqgm0qbmJPlnkfCgKe4D43ut1eieQVraqBSP7nazZgSebtVGotI4VKQb0qB4MFNjunFD" "xRj2Cp9ZAK/wms83z+gNzo8hSGaiJovRNG2MUhSttXUOKCOe1JIBWXHnD+y+9AmumJfp1zmivP9zdPNmaJXfgxF1XphcxSU+ngIzIU8TLy8N8Wvr0Knr94BBOO2UewjChSIMllYfnWTSwIDAQAQ"
  2. On the outside (external network) PC
    dig +short mail._domainkey.domain.com TXT
    <No output>

The DKIM record contains a long string, over 255 characters. Note the "" in the middle of the string. For DNS entries BIND requires any strings longer than 255 characters to be split with quotes.

Solution

Local DNS needs to be set up for the DKIM record, together with an alias. The DKIM needs to be broken up, the position is not critical.

If you use a BIND DNS server, you can split the original Kerio Connect DKIM public key (TXT value) by using the following format: TXT ("part 1" "part 2" ... "part x")

Consider this example:

TXT ("v=DKIM1;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4z" "Oo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwn" "AB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEb" "bcBhthrnETKoCg8wOwIDAQAB")

The alias needed to be entered as a TXT record with the same selector "mail._domainkey" with the alias following - mail._domainkey.mg.domain.com.

Testing

Run dig command from the Kerio Connect server and external network PC. Both outputs should be the same.

Information

Adding DKIM and DMARC Records to Kerio Connect

Configuring DNS for DKIM in Kerio Connect

Related articles