How to use DKIM version 13 or higher

Starting with version 13, NoSpamProxy generates two DKIM keys: one in RSA format and one in EdDSA format (Edwards-Curve Digital Signature Algorithm). The RFC for EdDSA in DKIM can be found at https://tools.ietf.org/html/rfc8463.

In the example, "key2018r" is the RSA key as before. "key2018e" is the EdDSA key that is new with version 13 and must be published in DNS as well.

Upgrading to NoSpamProxy Version 13

After an upgrade to version 13 the EdDSA key is generated automatically in addition to the existing keys. The following incident is also displayed on the console home page: "The DNS entry dkim.teste._domainkey.dkim.test ( My Domain ) is missing. Please create the DNS entry to solve this incident. We'll check the entry again in a few minutes."

Emails are considered valid as long as one of the applied DKIM signatures has been validated successfully. It is therefore not a problem if the EdDSA key is already used for signing but has not yet been published in DNS. Nevertheless, the DNS entry should be created promptly.

If an internal DNS server that does not resolve names from the Internet is configured for the Intranet Role, the DKIM entries must also be created on that DNS server.

Creating a new key pair

Starting with version 13, a stronger RSA key (2048 bit) is used, which makes the key longer than the 255 characters allowed in a single DNS TXT string. The generated key must therefore be wrapped correctly when it is entered in DNS: split it into several parts using double quotation marks (") so that the first part contains fewer than 255 characters.

Generated key in NoSpamProxy (without wrap):

"v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc
a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m
OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu
GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT
/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB"

Key to be used in DNS (with wrap):

"v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH"
"6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6Fpne
HXCfAY6mOI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEw
sQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp
4yS2urmT/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92Q
IDAQAB"
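The wrapping rule above, as an added example that is not NoSpamProxy's own code: it splits the unwrapped record into DNS strings of at most 255 characters, reassembles the quoted strings the way a DKIM verifier does, and checks the article's own wrapped record against the key. The function names and the pre-publication check are my own construction; the key material is the one shown in this article.

```python
import re
MAX_STRING = 255  # RFC 1035: one TXT <character-string> holds at most 255 octets

# 2048-bit RSA public key from the article above (392 base64 characters).
RSA_P = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY"
    "XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupwP7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy"
    "J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m"
    "OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT"
    "/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB"
)

# The wrapped record exactly as the article shows it: two quoted strings.
ARTICLE_RDATA = (
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY'
    'XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupwP7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy'
    'J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH" '
    '"6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6mOI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEw'
    'sQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92Q'
    'IDAQAB"'
)

def build_record(public_key_b64, key_type="rsa"):
    """Unwrapped DKIM TXT value, as NoSpamProxy generates it."""
    return "v=DKIM1; k=%s; p=%s" % (key_type, public_key_b64)

def wrap_record(record, max_len=MAX_STRING):
    """Quoted strings of at most max_len characters, space-separated as in a zone file.
    The cut may fall anywhere, even inside the base64: verifiers concatenate all
    strings of the TXT record before parsing the tags (RFC 6376, section 3.6.2.2)."""
    chunks = [record[i:i + max_len] for i in range(0, len(record), max_len)]
    return " ".join('"%s"' % c for c in chunks)

def parse_rdata(zone_rdata):
    """Do what a DKIM verifier does: join the quoted strings, then split the tags."""
    joined = "".join(re.findall(r'"([^"]*)"', zone_rdata))
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)  # base64 padding '=' stays in the value
            tags[name.strip()] = value.strip()
    return tags

def check_rdata(zone_rdata, expected_key):
    """Pre-publication check: every string fits the DNS limit and the reassembled
    record is a DKIM1 record carrying exactly the expected public key."""
    strings = re.findall(r'"([^"]*)"', zone_rdata)
    if not strings or any(len(s) > MAX_STRING for s in strings):
        return False
    tags = parse_rdata(zone_rdata)
    return tags.get("v") == "DKIM1" and tags.get("p") == expected_key
```

After publishing, the same check can be run on the strings returned by a DNS lookup of the selector record to confirm that the key survived the copy into the DNS console unchanged.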

Backing up the DKIM keys

Before each update of the NoSpamProxy system to a new version, and as part of regular backups, the current DKIM keys should be exported and backed up. The keys can be exported under "Identities > DKIM Keys" and imported again if the system has to be restored.

NOTE: Some DKIM validation tools still report an error for DKIM keys in the new EdDSA format because they expect RSA keys only. A recommended tool is, for example, MXToolBox: https://mxtoolbox.com/dkim.aspx