When deploying DKIM with large RSA keys (2048-bit or longer), DNS administrators often run into a syntax limitation in BIND9 zone files: each string segment of a TXT record is limited to 255 characters, so the record needs special handling that is not always compatible with mail transfer agents such as Exim.
The problem shows up in the Exim log as:
2014-02-02 22:37:31 1WA5fP-0004Y4-E2 DKIM: d=middle.earth s=a9d04665528b593d263a6e5256648c99
c=relaxed/relaxed a=rsa-sha256 [invalid - syntax error in public key record]
This error occurs because Exim receives the public key fragments as separate quoted strings rather than a single continuous string.
The correct way to format a long DKIM record in BIND9 is to split the value into quoted strings inside parentheses:
a9d04665528b593d263a6e5256648c99._domainkey IN TXT (
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/Z"
"fhxSI/Abqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU"
"++rC5QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/Y"
"GD2YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN2"
"8XTLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlU"
"vVNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg"
"Ixler0jMEoAyJmfQIDAQAB")
Use this command to verify that the record has propagated:
dig TXT a9d04665528b593d263a6e5256648c99._domainkey.example.com +short
The output should show a single concatenated string without interior quotes.
Ensure your Exim DKIM verification configuration includes proper record handling:
dkim_verify_signers = *
dkim_verify_options =
For systems where BIND9 string concatenation causes issues:
1. Consider using shorter 1024-bit RSA keys
2. Use a DNS provider that handles DKIM records automatically
3. Use an API-driven DNS service that manages long TXT records natively
When implementing DKIM with Exim4 mail servers, many administrators encounter difficulties with BIND9's handling of lengthy public key records. The key issue stems from a DNS protocol limit: an individual string component of a TXT record cannot exceed 255 characters.
Exim4 typically reports errors like:
2014-02-02 22:37:31 1WA5fP-0004Y4-E2 DKIM: d=middle.earth s=a9d04665528b593d263a6e5256648c99
c=relaxed/relaxed a=rsa-sha256 [invalid - syntax error in public key record]
The correct way to format long DKIM records in BIND9 involves:
- Using parentheses for multi-line records
- Properly escaping quotation marks
- Maintaining consistent indentation
Here's the technically correct implementation:
a9d04665528b593d263a6e5256648c99._domainkey IN TXT (
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
"z2/ZfhxSI/Abqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1B"
"zfgHVu6HU++rC5QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Ic"
"zr2k6Bj0gEAb/YGD2YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4W"
"c+FkOi0ClvgrXiklN28XTLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z"
"8L71M4WR4SoHyNHVfBtNlUvVNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSX"
"PTChKu3qZtfR0o3jFwEWAfLQdgIxler0jMEoAyJmfQIDAQAB")
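As an added example, not code from this page, from Exim or from BIND9, the following Python shows the round trip the record above relies on: splitting the TXT value into quoted strings of at most 255 bytes the way the zone file does, concatenating those strings back the way a DKIM verifier must, and checking that the p= value decodes to a 2048-bit RSA SubjectPublicKeyInfo. The key is the one from the zone file above; any owner name passed to bind_txt_record is a placeholder.

```python
import base64
import re
# The 2048-bit DKIM public key (the p= tag) from the zone file on this page.
DKIM_P = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    "z2/ZfhxSI/Abqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1B"
    "zfgHVu6HU++rC5QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Ic"
    "zr2k6Bj0gEAb/YGD2YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4W"
    "c+FkOi0ClvgrXiklN28XTLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z"
    "8L71M4WR4SoHyNHVfBtNlUvVNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSX"
    "PTChKu3qZtfR0o3jFwEWAfLQdgIxler0jMEoAyJmfQIDAQAB"
)

def bind_txt_record(owner, value, chunk=255):
    """Render a BIND9 parenthesised TXT record, split into quoted strings of at most `chunk` bytes."""
    assert 0 < chunk <= 255  # a TXT <character-string> carries at most 255 bytes
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return "\n".join([f"{owner} IN TXT ("] + [f'    "{p}"' for p in parts]) + " )"

def join_txt_strings(rdata):
    """Concatenate one TXT RR's quoted strings, as a verifier must (RFC 6376 s3.6.2.2)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))

def parse_dkim_record(text):
    """Parse the tag=value list; return (tags, bit length of the RSA modulus in p=)."""
    pairs = (item.partition("=") for item in text.split(";"))
    tags = {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}  # FWS inside p= is legal
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not a usable DKIM1 RSA key record")
    return tags, rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))

def _tlv(buf, pos):
    """Read one DER tag and length at `pos`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return n's bit length."""
    _, p, _ = _tlv(der, 0)      # outer SEQUENCE
    _, _, p = _tlv(der, p)      # AlgorithmIdentifier: skip past it
    t, p, _ = _tlv(der, p)      # BIT STRING; first content byte = unused-bit count
    assert t == 0x03 and der[p] == 0
    _, p, _ = _tlv(der, p + 1)  # RSAPublicKey SEQUENCE
    t, s, e = _tlv(der, p)      # INTEGER modulus n
    assert t == 0x02
    return int.from_bytes(der[s:e], "big").bit_length()
```

Feed join_txt_strings() the rdata line that dig +short prints for the selector; parse_dkim_record() raises on a record that is not a usable DKIM1 RSA key.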
After updating your zone file, verify the record formatting with:
dig TXT a9d04665528b593d263a6e5256648c99._domainkey.yourdomain.com +short
The output should show the complete key without artificial line breaks. For Exim4 specifically, test with:
exim -bV | grep DKIM
opendkim-testkey -d yourdomain.com -s selector -vvv
If you still encounter issues, consider these alternatives:
- Using shorter (1024-bit) keys for compatibility
- Implementing DNS record aggregation tools
- Using a DKIM key management service