[SOLVED] Multiple DKIM

dthompson

Hi all,

I am looking to see if there is a way to add multiple DKIM records on the PMG server. I have one rolled out that I use for customers that is 2048 in length. The problem is a new customer's DNS only allows for a maximum of 255 characters, which as far as I can tell is a 1024 length key. Please someone correct me if I am wrong.

Since our existing key is longer than the allowed characters in the DNS of their hosting company, I am looking for a workaround where I can create and attach it to sign on just that one domain for them.

I do not want to roll out 1024 for all customers and have to have them modify their DKIM records as I think it will be too much of a pain to do.

Thanks,
 
Currently PMG supports only one active key/selector per installation.

The easiest workaround would be to install a second PMG for those domains which only support short keys.
 
One further workaround would be to do the signing for some domains outside of PMG and not add them to the DKIM domains...

In any case - please mark the thread as 'SOLVED' - this helps others with similar questions.

Thanks!
 
I want to add to this as well. I have found an even better way for anyone who is running into this issue with DNS platforms that don't support more than 255 characters.

What you can do is create a CNAME for the record and your domain: mail._domainkey.FQDN.COM to domainkey.FQDN1.COM

So for instance, I need to add a DKIM record to the domain: abcorp.com but it only allows for 255 characters in the DNS.
I don't want to change the DKIM record on the PMG Server, so I add the following on the domain that hosts the DKIM record: defcorp.com

Domain that hosts the DKIM record: defcorp.com
Domain key and selector: mail._domainkey

In the DNS, add in the following:
domainkey.defcorp.com. IN CNAME mail._domainkey.abcorp.com.

On the domain that needs to add the record but cannot, add in the following record:
mail._domainkey.abcorp.com. IN CNAME domainkey.defcorp.com.

This will allow it to look up the domain and use the record that we sign with on the outgoing PMG server. It actually makes it much easier to add records on the DNS server and allows us to still maintain and utilize the existing 2048 (or higher) bit record even when the hosting service platform doesn't support it.

Running dig should give you something similar to:

dig txt mail._domainkey.abcorp.com @8.8.8.8

;; ANSWER SECTION:
mail._domainkey.abcorp.com. 299 IN CNAME domainkey.defcorp.com
domainkey.defcorp.com 29 IN CNAME mail._domainkey.defcorp.com.

mail._domainkey.defcorp.com. 29 IN TXT "v=DKIM1; h=sha256; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5SBUs5DW/j2WCFG5gVD/SESSDFGHxmSJDWh6IztqfQB3kQIZC6+1Y/7jYJm3w2BbpQE12oNQfjmKDaE/1iX/7BFacpxoRYGuZOR+c2YNO2pgc//E2Sm8vEp8qKI0byCARgeyyh+9dqY+HI4yZxoePHQmgW9WzHskevxG6WJwSdO4e5K7JebsHfIL+fYk8mq5KSJ+ZCpoR6mWaP+z6v86" "7IosHupjzbXbfv0iJh8OuikVtn84ypquaYDJZfZvqYmTAs5y9QN68BvRMo0479ddXIw5ET0ViEDoF2q9jdYMJZDbTWXfx7TYEV5BXp9IF0j38+JO3XkMVVD/DYV2xm/73cPv4XbQIDAQAB"

You could add the CNAME as follows as well:

mail._domainkey.defcorp.com. IN CNAME mail._domainkey.abcorp.com.

Either works (CNAME) and it cleans up the DNS and doesn't clutter it all with the cert string.
Hopefully this helps out others running into this exact issue as well.
 
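The script below is an added example; it is not code from this thread or from Proxmox Mail Gateway. It exercises two points raised above: the first post's question of which key size fits in a single 255-character TXT string, and the CNAME chain in the post above, which a DKIM verifier follows from the selector name until it reaches a TXT record. The zone data is constructed to mirror the dig output above (abcorp.com's selector to domainkey.defcorp.com to a TXT record at mail._domainkey.defcorp.com); the key material is a synthetic placeholder with the right DER shape, not a real RSA key, and the record names are the thread's own example names. It also shows the check a resolver applies that the thread does not spell out: if both names are published as CNAMEs pointing at each other, no TXT record is ever reached and lookup must fail rather than loop. The 44-character prefix the constructed 2048-bit value starts with is the same one the record in the dig output above begins with, because every 2048-bit rsaEncryption SubjectPublicKeyInfo with e=65537 shares that DER header.

```python
import base64
import re

TXT_STRING_LIMIT = 255  # one DNS character-string holds at most 255 bytes (RFC 1035)


def der(tag: int, body: bytes) -> bytes:
    """Definite-length DER TLV encoder, used only to build the constructed sample key."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def synthetic_rsa_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo around a placeholder modulus; constructed, not a usable key."""
    modulus = (1 << (bits - 1)) | 0xC3C3C3  # top bit set, so the modulus is exactly `bits` long
    n_body = b"\x00" + modulus.to_bytes(bits // 8, "big")  # leading zero keeps the INTEGER positive
    rsa_pub = der(0x30, der(0x02, n_body) + der(0x02, b"\x01\x00\x01"))  # e = 65537
    alg_id = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))


def sample_p(bits: int) -> str:
    """Base64 p= value for a constructed key of the given size (example data only)."""
    return base64.b64encode(synthetic_rsa_spki(bits)).decode()


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_b64: str) -> int:
    """Modulus size of the RSA public key carried in a DKIM p= tag."""
    _, spki, _ = der_read(base64.b64decode(p_b64, validate=True))
    _, _, after_alg = der_read(spki)  # skip AlgorithmIdentifier
    _, bit_string, _ = der_read(spki, after_alg)
    _, rsa_pub, _ = der_read(bit_string[1:])  # drop the unused-bits octet
    _, modulus, _ = der_read(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_strings(p_b64: str, limit: int = TXT_STRING_LIMIT) -> list:
    """Split a DKIM record into character-strings of at most `limit` bytes; verifiers
    concatenate them before parsing (RFC 6376, 3.6.2.2), so the cut may fall mid-key."""
    record = "v=DKIM1; h=sha256; k=rsa; p=" + p_b64
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def resolve_dkim_txt(name: str, zone: dict, max_hops: int = 8):
    """Follow CNAMEs until a TXT record is reached; refuse loops and over-long chains."""
    seen = []
    while name not in seen:
        seen.append(name)
        if name not in zone:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, data = zone[name]
        if rtype == "TXT":
            return name, data
        if len(seen) > max_hops:
            raise LookupError(f"CNAME chain longer than {max_hops} hops")
        name = data
    raise LookupError("CNAME loop: " + " -> ".join(seen + [name]))


def parse_dkim(strings: list) -> dict:
    """Concatenate the TXT strings and split into tag=value pairs (whitespace dropped)."""
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_selector(name: str, zone: dict) -> dict:
    """Resolve, parse and report what a verifier would see for one selector."""
    final, strings = resolve_dkim_txt(name, zone)
    tags = parse_dkim(strings)
    return {
        "resolved_to": final,
        "strings": len(strings),
        "longest_string": max(len(s) for s in strings),
        "k": tags.get("k"),
        "bits": rsa_key_bits(tags["p"]) if tags.get("k") == "rsa" else None,
    }


SAMPLE_P_2048 = sample_p(2048)

# Constructed zone mirroring the dig output above: abcorp.com's selector chains to
# defcorp.com, which hosts the record as strings of at most 255 bytes each.
ZONE = {
    "mail._domainkey.abcorp.com.": ("CNAME", "domainkey.defcorp.com."),
    "domainkey.defcorp.com.": ("CNAME", "mail._domainkey.defcorp.com."),
    "mail._domainkey.defcorp.com.": ("TXT", dkim_txt_strings(SAMPLE_P_2048)),
}
# Constructed failure case: both names published as CNAME, so no TXT is ever reached.
LOOP_ZONE = {
    "mail._domainkey.abcorp.com.": ("CNAME", "domainkey.defcorp.com."),
    "domainkey.defcorp.com.": ("CNAME", "mail._domainkey.abcorp.com."),
}

if __name__ == "__main__":
    print(check_selector("mail._domainkey.abcorp.com.", ZONE))
    print("1024-bit record needs", len(dkim_txt_strings(sample_p(1024))), "string(s)")
```

Running it confirms the arithmetic behind the first post: a 1024-bit key gives a 244-character record that fits in one 255-byte string, while a 2048-bit key gives 420 characters and needs two. A hosting provider that accepts several character-strings in one TXT record can therefore hold a 2048-bit key directly, since verifiers concatenate the strings; the CNAME indirection is for providers that cap the whole record at 255 characters. The loop check matters because a CNAME must point at the name that actually carries the TXT record, and the chain has to end on a TXT, as the dig output above shows.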
Thanks for sharing the CNAME workaround - this seems indeed like a good way to deal with this situation!
 