DKIM keys

What is the right way to split DKIM keys?

DMARC Report

DNS itself, not only individual providers, limits how long a single TXT string can be. The data of a TXT record is a sequence of character-strings, each preceded by a one-octet length, so no single string can exceed 255 octets (RFC 1035). A record may, however, contain several strings, and that is how long DKIM public keys are published: the record value is split into pieces of at most 255 characters, and a verifier joins them back together. Splitting is normally done once, at initial configuration, whenever the record value is longer than 255 characters; longer keys offer stronger signatures, so this is the common case today.

A second reason is practical: when a value longer than 255 characters is pasted in as a single string, some DNS providers silently truncate it or reject the record, leaving a key that will never verify. Splitting keeps the entire key intact and readable by DNS resolvers and DKIM verifiers. Correctly published DKIM keys, together with SPF and DMARC, are what prevent a domain from being spoofed, so getting the split right is part of the setup rather than an optional refinement.


When to split DKIM keys?

Here are the cases in which you may need to split DKIM keys:

Using a 2048-bit or longer key

RFC 8301 requires verifiers to reject RSA keys shorter than 1024 bits and recommends 2048 bits. A 1024-bit public key encodes to 216 base64 characters, so the whole record (with v=DKIM1; k=rsa; p= in front, 234 characters in total) still fits in a single string. A 2048-bit key encodes to 392 characters, so the record is about 410 characters long and must be split.

If you receive an error from your DNS provider

If you have added a long key as a single string and your provider reports a character limit or truncates the data, the published key is broken and mail signed with it will fail verification. Splitting the key into strings is the fix, and it should be done promptly.

Testing reveals issues in the DKIM configuration

If a DKIM lookup tool reports a malformed or missing key, the record in DNS may have been truncated or entered in the wrong format. Retrieve the record with dig and compare it with the key you generated; if it has been cut short, republish it split into strings.


High-security needs in your domain’s email authentication

Organizations that handle sensitive data or send high volumes of mail rely on strong DKIM signatures to prevent spoofing. They should use a 2048-bit key, and splitting the record is then simply part of the setup.

Steps to split DKIM keys

  • Step 1: Generate a DKIM key pair with your mail server's DKIM tooling or with openssl. This produces a private key (kept on the mail server and used to sign outgoing mail) and a public key (published in DNS).
  • Step 2: Format the public key as a record value. A DKIM record starts with v=DKIM1; k=rsa; p=, followed by the base64 encoding of the public key. For a 2048-bit key the p= value alone is 392 characters, so the record cannot fit in one 255-character string and must be split.
  • Step 3: Cut the record value into pieces of at most 255 characters each. The split point does not matter: the verifier concatenates the strings before base64-decoding the key, so the cut may fall anywhere, including in the middle of the p= value. If your provider's web form counts characters differently or imposes a lower limit, use shorter pieces.
  • Step 4: Enter each piece as a separate quoted string. In a zone file the strings are separated by whitespace (parentheses allow the record to span several lines); in a web-based DNS editor paste the quoted strings separated by spaces into the value field, or, where the editor offers one field per string, one piece per field. Do not put quotes around only the p= value: the whole record value, including the v= and k= tags, is made up of quoted strings.

Example:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3/o5a/oFE" "AXV6Y9WVB13eXdPd7RtyBLAtYj3UeS9fZ2YxNs6y0vUKF4rzL" "jXpvlpclBG1QgDFe/lJkzW+mG/gFJLZf4BBSdjFhJxdyHb7Yp" "ITm+m2EvLUuoOnYeYyU9lkUjiJBLRe0CRHsp7iKrmiU+AiFYk" "MfuBAozv0QIDAQAB"

Every string here is well under 255 characters, and only the quotes and the spaces between them are syntax: a verifier concatenates the strings with no separator (RFC 6376, section 3.6.2.2), so the record reads back as a single tag list with one unbroken base64 key. This particular key is short enough to fit in one string; it is split into short pieces only to show the syntax.

  • Step 5: Query the record, for example with dig +short TXT selector._domainkey.example.com (substituting your own selector and domain) or with an online DKIM checker, and confirm that the strings returned concatenate to exactly the record value you generated. A key that decodes to fewer bytes than expected, or that is not valid base64, has been truncated or mangled on entry.
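The whole procedure from Step 2 to Step 5, as an added Python example that is not from the article: it builds the record value from a key, splits it at the 255-octet boundary, renders it in zone-file syntax, encodes and decodes the TXT wire format to show where the limit comes from, and reassembles and validates the record the way a verifier or a dig check would. The key bytes are a constructed placeholder of the DER length of a real 2048-bit RSA public key, not an actual key, and the selector and domain name are assumed.

```python
# Added example, not code from the original article. Demonstrates splitting a
# DKIM TXT record into 255-octet strings (RFC 1035 s3.3.14) and reassembling it
# as a verifier does (RFC 6376 s3.6.2.2). Uses only the standard library.
import base64
import re

MAX_STRING = 255  # each <character-string> in TXT RDATA carries a one-octet length

# Constructed placeholder, NOT a real key: 294 bytes is the DER length of a
# 2048-bit RSA SubjectPublicKeyInfo, so the base64 (392 chars) has realistic size.
PLACEHOLDER_SPKI = bytes(range(256)) + bytes(range(38))


def dkim_record(public_key_der: bytes) -> str:
    """Single-string form of the record value, before any splitting."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key_der).decode("ascii")


def split_txt(value: str, limit: int = MAX_STRING) -> list[str]:
    """Cut the value into strings of at most `limit` octets. Base64 may be cut
    anywhere because the verifier concatenates the strings before decoding."""
    data = value.encode("ascii")  # the limit is in octets, not characters
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_file_rr(owner: str, strings: list[str], ttl: int = 3600) -> str:
    """BIND zone-file syntax: quoted strings separated by whitespace, in
    parentheses so the RDATA may span several lines."""
    body = "\n    ".join('"%s"' % s for s in strings)
    return f"{owner} {ttl} IN TXT (\n    {body} )"


def encode_txt_rdata(strings: list[str]) -> bytes:
    """Wire format: one length octet followed by the string, repeated."""
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > MAX_STRING:
            raise ValueError(f"{len(b)} octets cannot be expressed in one length octet")
        out.append(len(b))
        out += b
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[str]:
    """Inverse of encode_txt_rdata: the list of strings a resolver hands back."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return strings


def strings_from_dig_short(line: str) -> list[str]:
    """Extract the quoted strings from one line of `dig +short TXT` output."""
    return [m.group(1) for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', line)]


def reassemble(strings: list[str]) -> str:
    """RFC 6376 s3.6.2.2: concatenate the strings with no separator."""
    return "".join(strings)


def parse_dkim_tags(record: str) -> dict[str, str]:
    """Split the tag=value list; whitespace inside a value is insignificant."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_record(record: str) -> int:
    """Validate a reassembled record; return the decoded key length in bytes.
    A truncated or mangled p= value fails base64 validation here."""
    tags = parse_dkim_tags(record)
    if "p" not in tags:
        raise ValueError("missing p= tag")
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    return len(base64.b64decode(tags["p"], validate=True))


def round_trip(public_key_der: bytes = PLACEHOLDER_SPKI) -> dict:
    """Publish-side split, wire encode/decode, then verifier-side reassembly."""
    record = dkim_record(public_key_der)
    strings = split_txt(record)
    wire = encode_txt_rdata(strings)
    dig_line = " ".join('"%s"' % s for s in decode_txt_rdata(wire))  # what dig prints
    rebuilt = reassemble(strings_from_dig_short(dig_line))
    return {
        "record_len": len(record),
        "string_lens": [len(s) for s in strings],
        "wire_len": len(wire),
        "rebuilt_matches": rebuilt == record,
        "key_bytes": check_record(rebuilt),
    }


if __name__ == "__main__":
    # Assumed selector and domain; example.com is a reserved name.
    owner = "selector1._domainkey.example.com."
    print(zone_file_rr(owner, split_txt(dkim_record(PLACEHOLDER_SPKI))))
    print(round_trip())
```

Running the script prints the zone-file record (two strings of 255 and 155 characters) and a summary showing that the 410-character value survives the wire round trip and decodes to the 294 placeholder bytes. Swap the placeholder for the DER output of your own key generator to produce a publishable record, and paste a real `dig +short` line into `strings_from_dig_short` to check what DNS actually returns.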

Following these steps ensures that your DKIM record fits within the DNS string limit and that the published key is the one your mail server signs with.
