DKIM Signing (not Working) - Clarification

As noted by a German forum poster, the DKIM private key needs to be inside the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. Annoyingly, the GUI upload does certain checks (it told me the key wasn't 2048 bits when I was using the wrong key) but happily accepts the key without the begin and end bits, and in turn DKIM signing won't work until this is rectified.

e.g.

-----BEGIN RSA PRIVATE KEY-----
sieufhpseiufdpisuoefhioesuhf
ppeuifdhsepiufh .....
-----END RSA PRIVATE KEY-----



This thread was automatically locked due to age.
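A pre-upload check for the problem described in the post above, as an added example that is not part of the original thread or Sophos code: it confirms the BEGIN/END RSA PRIVATE KEY lines are present and reads the modulus size from the DER body. The function names, the 2048-bit default and the constructed sample are assumptions; it inspects only the outer structure and does not prove the key is usable.

```python
import base64, re, sys

ARMOR = re.compile(r"-----BEGIN RSA PRIVATE KEY-----\s*(.+?)\s*"
                   r"-----END RSA PRIVATE KEY-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def check_dkim_key(text, want_bits=2048):
    """Return a list of problems; an empty list means the key looks right."""
    m = ARMOR.search(text)
    if not m:
        return ["missing -----BEGIN/END RSA PRIVATE KEY----- lines"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        seq_tag, body, _ = _tlv(der, 0)        # outer SEQUENCE
        _, _, pos = _tlv(body, 0)              # version INTEGER
        int_tag, modulus, _ = _tlv(body, pos)  # modulus INTEGER
    except (ValueError, IndexError):
        return ["body is not base64-encoded DER"]
    if seq_tag != 0x30 or int_tag != 0x02:
        return ["not a PKCS#1 RSA private key structure"]
    bits = int.from_bytes(modulus, "big").bit_length()
    return [] if bits == want_bits else [f"modulus is {bits} bits, want {want_bits}"]

def _der(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def constructed_sample(bits=2048, armored=True):
    """Constructed stand-in with the outer PKCS#1 shape; not a usable key."""
    modulus = b"\x00" + (1 << (bits - 1) | 1).to_bytes(bits // 8, "big")
    b64 = base64.encodebytes(_der(0x30, _der(2, b"\x00") + _der(2, modulus))).decode()
    if not armored:
        return b64
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample()
    print(check_dkim_key(text) or "OK: armored PKCS#1 RSA key of expected size")
```

Run it with the path of the key file as the only argument before pasting the key into the GUI; with no argument it checks the constructed sample.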
  • Hello,

    Thank you for reaching out to the community. May we know through which tool you generated the key? You can generate the key using a key generator, such as PuttyGen or Windows OpenSSL. A private key can have 1024 to 2048 bits. Don’t use RSA SHA-1. If you use PuttyGen to generate a private key with 1024 bits, the firewall doesn't add it. You must generate the private key with 2048 bits if you're using PuttyGen.

    For the reference: 

    How to generate RSA key pair using Windows OpenSSL
    How to generate RSA key pair using PuTTYgen
    DKIM Record check

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek,

    Thanks for the extra links/info, I got DKIM working, but as I mentioned, it was just a clarification for others, as similar to the German poster I spent a few hours trying to figure out why DKIM signing wasn't working. Sadly none of the linked documentation shows what the DKIM Signing, Private RSA key entry should look like in the GUI.  So I'll add my image below again for other users' clarification, in the hopes it will save them hours of troubleshooting.

    I think the Private RSA key header confusion in my case was caused due to the fact the DKIM DNS TXT record doesn't require the -----BEGIN/END RSA PRIVATE KEY----- header/footer whereas the Sophos XG entry does require it. Also, I did use PuTTYgen initially but that was where I got the GUI error message about the key being 1024 or not being 2048 (can't remember 100% now, but I know I did generate the key with 2048 bits as documented) so I removed "header/footer" from the key and it was accepted by the GUI but then it didn't work/add the DKIM signing.

    In the end, I used an online tool DKIM Record Generator - DKIM tools | EasyDMARC for the PRI/PUB keys as the PuTTYgen keys (generated the keys multiple times as I was trying to figure out what I was doing wrong) were still causing errors/no signing.

    Anyway, thanks again.

  • Thank you for your inputs!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


