I spent a lot of time searching for pages about DMARC and DKIM. I found a lot 
of conflicting information, a lack of information and so forth.
But I did not find anything about needing to split up the keys this way. Of 
course my DKIM attempts simply failed and I had no idea why.

I think this information needs to be documented.

--
Regards,
Chris Bennett
On Tuesday, October 14, 2025 at 08:17:13 AM PDT, Todd C. Miller 
<[email protected]> wrote:

On Tue, 14 Oct 2025 17:07:48 +0200, Jan Stary wrote:
> I am setting up DKIM for this domain -
> the dkim signing itself seems to be working fine,
> but recipients still fail my dkim, because
>
>     dkim=fail reason="key not found in DNS"
>
> Indeed, my (updated) dns record does not contain the dkim TXT record,
> as nsd(8) refuses to load it (see the failing zone file below), saying
>
>     master/stare.cz:16: Invalid TXT in text
>
> The TXT content is exactly what is produced by the 'openssl rsa' command
> in the opensmtpd-filter-dkimsign pkg-readme.
>
> It *seems* that nsd refuses it as too long: when I trim the TXT record
> to exactly 256 bytes, nsd loads the zone file without complaint (but that's
> not the actual key of course); one byte more and it's an "invalid TXT".

You need to split up the long TXT record into strings of 255 bytes
or less.  There are two ways to do this, see:

https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns#255676

- todd
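As an added illustration of Todd's advice (example code, not from the thread or from nsd/OpenSMTPD): a small script that splits a DKIM TXT value into quoted strings of at most 255 bytes, the limit RFC 1035 places on a single character-string in TXT RDATA, and then checks a zone-file line the way nsd does, rejecting any single string longer than 255 bytes. The key material is a constructed placeholder, not a real key; the selector, domain and TTL are assumed values.

```python
import base64
import re

MAX_STRING = 255  # RFC 1035 limit for one <character-string> in a TXT RR

# Constructed placeholder key material, NOT a real DKIM public key: 512 bytes
# of deterministic data, base64-encoded, long enough to need splitting.
FAKE_PUBKEY_B64 = base64.b64encode(bytes(range(256)) * 2).decode("ascii")


def split_txt(value: str, limit: int = MAX_STRING) -> list:
    """Split an ASCII TXT value into chunks of at most `limit` bytes."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def quote_string(s: str) -> str:
    """Quote one character-string the way a master zone file expects."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def dkim_txt_record(selector: str, domain: str, pubkey_b64: str, ttl: int = 3600) -> str:
    """Return one zone-file line for <selector>._domainkey.<domain>.

    The value is split into several quoted strings of <= 255 bytes each;
    DKIM verifiers concatenate the strings back together (RFC 6376 3.6.2.2),
    so the split is invisible to the verifier.
    """
    value = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    parts = split_txt(value)
    quoted = " ".join(quote_string(p) for p in parts)
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT ( {quoted} )"


_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_strings(line: str) -> list:
    """Extract the quoted character-strings from a zone-file TXT line, unescaped."""
    return [re.sub(r"\\(.)", r"\1", m) for m in _QUOTED.findall(line)]


def record_is_loadable(line: str) -> bool:
    """The check nsd enforced in the thread: no single string over 255 bytes."""
    return all(len(s.encode("ascii")) <= MAX_STRING for s in txt_strings(line))


def reassembled_value(line: str) -> str:
    """Concatenate the strings as a DKIM verifier reads the TXT RDATA."""
    return "".join(txt_strings(line))


if __name__ == "__main__":
    # Assumed selector and domain; the key is the constructed placeholder above.
    line = dkim_txt_record("sel2025", "example.com", FAKE_PUBKEY_B64)
    print(line)
    print("loadable:", record_is_loadable(line))
    print("strings:", [len(s) for s in txt_strings(line)])
```

Run with the output redirected into the zone file, or paste the printed line in place of the single over-long TXT record; the `( ... )` form lets the strings span lines if you prefer one per line. `record_is_loadable()` reproduces the 255-byte check from the thread, so the 256-byte trimmed record Jan tried would fail it while the split record passes.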