When configuring DKIM authentication for your domain in AWS Route 53, you might encounter the frustrating "TXTRecordTooLong" error when trying to add your RSA public key. This occurs because:
1. Route 53 has a TXT record length limit of 255 characters per string segment
2. DKIM RSA keys frequently exceed 1024 characters
3. The entire DNS response (including all segments) must be under 4096 bytes
The error typically appears when pasting a complete DKIM record like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ...nwIDAQAB
Route 53 interprets this as a single string segment that exceeds 255 characters, triggering the error.
The correct approach is to split your DKIM record into multiple quoted strings, each under 255 characters:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX"
"U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy"
"XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs"
"o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c"
"eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ"
"e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA"
"nwIDAQAB"
For frequent DKIM management, consider this Python script to automatically format your key:
def format_dkim(dkim_key, width=250):
    # Cut by plain slicing rather than textwrap: textwrap drops whitespace at
    # its break points, and resolvers rejoin the strings with no separator, so
    # any dropped character would corrupt the reassembled key.
    segments = [dkim_key[i:i + width] for i in range(0, len(dkim_key), width)]
    # Quote every segment, including the first and the last.
    return "\n".join(f'"{segment}"' for segment in segments)

dkim = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ..."
print(format_dkim(dkim))
When automating with infrastructure-as-code:
Resources:
  DKIMRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      Type: TXT
      TTL: "300"
      ResourceRecords:
        # Folded scalar (>-), not "!Sub |": the quoted strings are joined with
        # single spaces onto one line, which is the form Route 53 expects for a
        # multi-string TXT value; a literal block would embed newlines in it.
        - >-
          "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
          "wztXzIUqic95qSESmnqXU5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50A"
          "pwCTGLK9U7goo/ijX/wr5royXhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/"
          "lM6hla4B9jSph7QzjYdtWlOJqLRso0nzcut7DSq/xYcVqvrFDNbutCfG//0w"
          "cRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9ceEDfTT6pzIlqaK9cHGOsSCg4r0N8"
          "YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJe82VV7DE0uvKW/jquZYtgMn7"
          "+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EAnwIDAQAB"
      Name: selector1._domainkey.example.com.
      HostedZoneName: example.com.
After configuring:
1. Use dig or nslookup to verify proper segmentation:
dig TXT selector1._domainkey.example.com
2. Test email authentication with tools like:
- MXToolbox DKIM Checker
- Mail-Tester.com
3. Consider rotating keys annually
4. Maintain proper IAM permissions for Route 53 updates
When trying to add a DKIM record in AWS Route 53 with a 2048-bit RSA public key, many developers encounter the frustrating TXTRDATATooLong error. The issue occurs because Route 53 has a strict limit of 255 characters per string segment in TXT records, while DKIM keys often exceed this length. Pasting the whole record as one quoted string, as below, triggers it:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX
U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy
XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs
o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c
eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ
e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA
nwIDAQAB"
The proper way to handle long DKIM records in Route 53 is to split them into multiple quoted strings within the same TXT record. Here's how the correct format should look:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX"
"U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy"
"XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs"
"o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c"
"eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ"
"e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA"
"nwIDAQAB"
For those managing DNS records programmatically, here's a Python script using Boto3 to properly format and upload DKIM records:
import boto3

def create_dkim_record(hosted_zone_id, domain_name, selector, key_parts):
    client = boto3.client('route53')
    # Every character-string must fit the 255-byte DNS limit that Route 53 enforces
    for part in key_parts:
        if len(part) > 255:
            raise ValueError(f'segment longer than 255 characters: {part[:20]}...')
    # Route 53 expects the segments as space-separated quoted strings in one value
    dkim_value = ' '.join(f'"{part}"' for part in key_parts)
    response = client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            'Changes': [{
                'Action': 'UPSERT',
                'ResourceRecordSet': {
                    'Name': f'{selector}._domainkey.{domain_name}',
                    'Type': 'TXT',
                    'TTL': 300,
                    'ResourceRecords': [{'Value': dkim_value}]
                }
            }]
        }
    )
    return response

# Example usage:
key_parts = [
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX",
    "U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy",
    # ... remaining key parts
]
create_dkim_record(
    hosted_zone_id='Z1234567890',
    domain_name='example.com',
    selector='selector1',
    key_parts=key_parts
)
After setting up your DKIM record, use these commands to verify it's working correctly:
# Using dig
dig TXT selector1._domainkey.example.com +short

# Using nslookup
nslookup -type=TXT selector1._domainkey.example.com

# For comprehensive testing with dkimpy (pip install dkimpy): feed it a message that
# was signed with this key and saved to a file (signed-message.eml is a placeholder name)
python -c "import dkim, sys; print(dkim.verify(sys.stdin.buffer.read()))" < signed-message.eml
Remember that DNS changes may take some time to propagate. If verification fails immediately, wait 5-10 minutes and try again.
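As an added example that is not part of this article, here is the check to run on the character-strings that dig returns: it reassembles them the way a DKIM verifier does (no separator), enforces the 255-octet limit per string, parses the tag=value list, and decodes the p= tag far enough to read the RSA modulus size and exponent. It uses only the standard library; the embedded segment list is the record shown above, and the function names are my own.

```python
import base64

PAGE_SEGMENTS = [  # the record shown on this page, in the page's own seven segments
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX",
    "U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy",
    "XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs",
    "o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c",
    "eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ",
    "e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA",
    "nwIDAQAB",
]

def _der_tlv(buf, pos):
    # Read one DER tag/length/value triple; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_params(spki):
    # Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey { n, e }.
    _, body, _ = _der_tlv(spki, 0)
    _, _, pos = _der_tlv(body, 0)              # skip AlgorithmIdentifier
    tag, bits, _ = _der_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("p= is not a DER-encoded RSA SubjectPublicKeyInfo")
    _, rsa, _ = _der_tlv(bits, 1)              # offset 1 skips the unused-bits byte
    _, n, pos = _der_tlv(rsa, 0)
    _, e, _ = _der_tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_dkim_txt(segments):
    # Validate the character-strings that `dig TXT selector._domainkey.<domain>` returns.
    if any(len(s.encode()) > 255 for s in segments):
        raise ValueError("a character-string exceeds the 255-octet DNS limit")
    record = "".join(segments)                 # RFC 6376 3.6.2.2: concatenate, no separator
    tags = {}
    for field in filter(str.strip, record.split(";")):
        name, _, value = field.partition("=")
        tags[name.strip()] = "".join(value.split())   # whitespace inside values is ignored
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM version or key type")
    bits, exponent = rsa_key_params(base64.b64decode(tags["p"], validate=True))
    if bits < 1024:
        raise ValueError(f"{bits}-bit key is below the RFC 6376 minimum verifiers accept")
    return {"bits": bits, "exponent": exponent, "tags": tags}

if __name__ == "__main__":
    print(check_dkim_txt(PAGE_SEGMENTS))   # bits 2048, exponent 65537 for the page's key
```

Feed it the strings from `dig TXT ... +short` (one list element per quoted string); a record that was pasted as one unsplit string fails the 255-octet check, and a key corrupted at a segment boundary fails base64 or DER parsing.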