How to use DKIM in NoSpamProxy version 13 or higher
Starting with version 13, NoSpamProxy generates two DKIM keys, one in RSA format and one in EdDSA format (Edwards-Curve Digital Signature Algorithm). The RFC for this can be found at https://tools.ietf.org/html/rfc8463.
In the example, the key "key2018r" is in RSA format, as before. The key "key2018e" is new with version 13 and must also be published in DNS.
The key length of the RSA key generated by NoSpamProxy is 1024 bits.
Upgrading to NoSpamProxy Version 13
After an upgrade to version 13, the EdDSA key is automatically generated in addition to the existing keys. The following incident is also displayed on the console home page: "The DNS entry dkim.teste._domainkey.dkim.test ( My Domain ) is missing. Please create the DNS entry to solve this incident. We'll check the entry again in a few minutes."
Emails are considered valid as long as one of the applied DKIM keys has been successfully validated. It is therefore not a problem if the EdDSA key is already used for signing but has not yet been published in DNS. Nevertheless, the DNS entry should be created promptly.
If the Intranet Role is configured to use an internal DNS server that does not resolve names on the Internet, the DKIM entries must also be created on that DNS server.
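The following is an added example, not NoSpamProxy code: a Python check of the TXT record content for each selector, which confirms that a k=ed25519 record carries the raw 32-byte public key that RFC 8463 specifies and reports the modulus size of a k=rsa record. The function names and the sample record are constructed for illustration; the record text is assumed to have been fetched from DNS already.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record ("v=DKIM1; k=...; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _tlv(buf, pos):  # read one DER element at pos: (content, offset after it)
    length, pos = int.from_bytes(buf[pos + 1:pos + 2], "big"), pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size of a DER SubjectPublicKeyInfo, the format of k=rsa keys."""
    spki, _ = _tlv(der, 0)
    _, after_alg = _tlv(spki, 0)            # skip the AlgorithmIdentifier
    bitstring, _ = _tlv(spki, after_alg)
    rsa_key, _ = _tlv(bitstring, 1)         # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return (key_type, key_bits, problems) for one selector's TXT record."""
    tags, bits, problems = parse_tags(txt), 0, []
    ktype = tags.get("k", "rsa")            # RFC 6376: k= defaults to rsa
    if not tags.get("p"):
        return ktype, 0, ["p= missing or empty: no key published"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return ktype, 0, ["p= is not valid base64"]
    if ktype == "ed25519":                  # RFC 8463: raw key, not DER-wrapped
        bits = len(key) * 8
        if len(key) != 32:
            problems.append("ed25519 p= must decode to exactly 32 bytes")
    elif ktype == "rsa":
        bits = rsa_bits(key)
        if not bits:
            problems.append("p= is not a DER-encoded RSA public key")
    else:
        problems.append("unknown key type: " + ktype)
    return ktype, bits, problems

SAMPLE_ED = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key
```

Run `check_record` on the TXT content of both selectors; an empty problem list for each means the record is well-formed for its key type.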
Backing up the DKIM keys
Before each update of the NoSpamProxy system to a new version, or during normal backups, the current DKIM key should be exported and backed up. The key can be exported under "Identities > DKIM Keys" and also imported again in case the system is restored.
NOTE: Some DKIM validation tools still produce an error with DKIM keys in the new EdDSA format because they expect only RSA formats. Recommended tools include MXToolBox: https://mxtoolbox.com/dkim.aspx