Use of DKIM in version 13 or higher
Starting with version 13, NoSpamProxy generates two DKIM keys: one in RSA format, as before, and one in EdDSA format (Edwards-Curve Digital Signature Algorithm, using the Ed25519 curve). The use of Ed25519 for DKIM is specified in RFC 8463: https://www.rfc-editor.org/rfc/rfc8463
In the example, the key “key2018r” (suffix r) is the RSA key, as in earlier versions. The key “key2018e” (suffix e) is new as of version 13 and must also be published in the DNS.
Upgrading to NoSpamProxy version 13
After upgrading to version 13, the EdDSA key is generated automatically in addition to the existing keys. Until its DNS record exists, the following incident is displayed on the start page of the console:
“The DNS entry dkim.teste._domainkey.dkim.test ( Own domain ) is missing. Please create the DNS entry to solve this issue. We’ll check again in a few minutes.”
A receiver treats an email that carries several DKIM signatures as valid as long as at least one of the signatures verifies successfully. It is therefore no problem if the new EdDSA key is already used for signing but has not yet been published in the DNS: the RSA signature still verifies, and the unverifiable EdDSA signature is simply ignored. However, the DNS record should be created as soon as possible, since receivers that look up the EdDSA selector will report a failed signature for it until then.
Please note: If the intranet role uses its own internal DNS server that does not perform external queries, all DKIM keys must also be published on this DNS server; otherwise the intranet role cannot resolve them.
Creating a new key pair
Starting with version 13, the RSA key has a length of 2048 bits, which improves the security of the signature. The public key is therefore longer than the 255 characters that a single string in a DNS TXT record may contain. When entering the key in the DNS, split it into several strings, each enclosed in double quotation marks (") and each no longer than 255 characters; the DNS server and the DKIM verifier join the strings back together. In the listings below the line breaks are for display only: the unwrapped record consists of a single string, the wrapped one of two.
Generated key in NoSpamProxy (unwrapped)
dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc
a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m
OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu
GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT
/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB")
Key to use in DNS (wrapped)
dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH"
"6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6Fpne
HXCfAY6mOI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEw
sQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp
4yS2urmT/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92Q
IDAQAB")
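The following script is an added example and not part of NoSpamProxy or of this article. It performs the wrapping described above for a DKIM record, and then does what a verifier does with the published record: it joins the quoted strings, splits the tag list and checks that the p= value decodes to a key of the expected shape. It uses the 2048-bit RSA public key from the example above; the Ed25519 value is a constructed placeholder (any 32 bytes, which is all a k=ed25519 record publishes), and the selector name dkime for the EdDSA key is an assumption.

```python
import base64
import re

# A single string in a DNS TXT record is limited to 255 bytes (RFC 1035). A record may
# carry several strings; a DKIM verifier concatenates them (RFC 6376, section 3.6.2.2).
MAX_STRING_LEN = 255

# The 2048-bit RSA public key from the example above (base64 SubjectPublicKeyInfo).
RSA_KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ"
    "EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY"
    "XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw"
    "P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy"
    "J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc"
    "a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m"
    "OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu"
    "GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT"
    "/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB"
)

# Constructed placeholder, not a real key: a k=ed25519 record publishes only the raw
# 32-byte public key, which always base64-encodes to 44 characters.
ED25519_KEY_B64 = base64.b64encode(bytes(range(32))).decode()


def wrap_dkim_record(selector, key_type, key_b64, max_len=MAX_STRING_LEN):
    """Build the zone-file TXT record, split into quoted strings of at most max_len bytes."""
    data = f"v=DKIM1; k={key_type}; p={key_b64}"
    chunks = [data[i:i + max_len] for i in range(0, len(data), max_len)]
    return f'{selector}._domainkey IN TXT (' + " ".join(f'"{c}"' for c in chunks) + ")"


def txt_strings(record):
    """Return the quoted strings of a TXT record as written in a zone file."""
    return re.findall(r'"([^"]*)"', record)


def parse_dkim_tags(record):
    """Do what a verifier does: join all strings, then split the tag=value list."""
    strings = txt_strings(record)
    if any(len(s.encode()) > MAX_STRING_LEN for s in strings):
        raise ValueError("a TXT string exceeds 255 bytes; the zone will not load")
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Whitespace inside a tag value (notably p=) is ignored when reassembling the key.
            tags[name.strip()] = "".join(value.split())
    return tags


def _der_sequence_length(raw):
    """Return (content length, header length) of an outer DER SEQUENCE, or None."""
    if len(raw) < 2 or raw[0] != 0x30:
        return None
    if raw[1] < 0x80:
        return raw[1], 2
    n = raw[1] & 0x7F
    if n == 0 or len(raw) < 2 + n:
        return None
    return int.from_bytes(raw[2:2 + n], "big"), 2 + n


def describe_key(tags):
    """Return (key type, decoded key length) if p= is a plausible key, else None."""
    if tags.get("v") != "DKIM1" or "p" not in tags:
        return None
    raw = base64.b64decode(tags["p"], validate=True)
    key_type = tags.get("k", "rsa")
    if key_type == "rsa":
        # An RSA key is a DER SubjectPublicKeyInfo; its outer length must match the data.
        seq = _der_sequence_length(raw)
        if seq is None or seq[0] + seq[1] != len(raw):
            return None
        return ("rsa", len(raw))
    if key_type == "ed25519":
        return ("ed25519", len(raw)) if len(raw) == 32 else None
    return None


if __name__ == "__main__":
    for selector, ktype, key in (("dkimr", "rsa", RSA_KEY_B64), ("dkime", "ed25519", ED25519_KEY_B64)):
        record = wrap_dkim_record(selector, ktype, key)
        print(record)
        print("string lengths:", [len(s) for s in txt_strings(record)],
              "->", describe_key(parse_dkim_tags(record)))
```

For the RSA key the record data is 410 characters and is split into strings of 255 and 155 characters; the decoded key is a 294-byte SubjectPublicKeyInfo, the usual size for 2048-bit RSA. The Ed25519 record fits into a single string. The same parser can be run on the output of a DNS lookup of the published selector to confirm that the strings were not cut in a way that breaks the base64 value.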
Backing up DKIM keys
Before upgrading NoSpamProxy to a new version, and as part of regular backups, the current DKIM keys should be exported and backed up. The keys can be exported under “People and Identities > DKIM Keys” and imported again when the system is restored. Because the export has to include the private signing keys in order to be usable for a restore, store the backup as securely as the server itself.
Note
Some DKIM validation tools do not accept DKIM records in the new EdDSA format, because they only expect RSA keys. A failed check of the EdDSA record in such a tool therefore does not necessarily mean that the record is wrong. Tools such as MXToolBox do accept the EdDSA format: https://mxtoolbox.com/dkim.aspx