DKIM Signing (not Working) - Clarification

Question

As note by a German forum poster the DKIM Private Key needs to be inside the -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- annoyingly the GUI upload does certain checks (told me the key wasn't 2048 bits when I was using the wrong key) but happily accepts the key without the begin and end bits and in turn DKIM signing won't work until this is rectified . 
 e.g. 
 -----BEGIN RSA PRIVATE KEY----- sieufhpseiufdpisuoefhioesuhf ppeuifdhsepiufh ..... -----END RSA PRIVATE KEY-----

Lloyd Playfair · Accepted Answer

Hi Vivek, 
 Thanks for the extra links/info, I got DKIM working, but as I mentioned, it was just a clarification for others, as similar to the German poster I spent a few hours trying to figure out why DKIM signing wasn't working. Sadly none of the linked documentation shows what the DKIM Signing, Private RSA key entry should look like in the GUI. So I'll add my image below again for other users' clarification, in the hopes it will save them hours of troubleshooting. 
 I think the Private RSA key header confusion in my case was caused due to the fact the DKIM DNS TXT record doesn't require the -----BEGIN/END RSA PRIVATE KEY----- header/footer whereas the Sophos XG entry does require it. Also, I did use PuTTYgen initially but that was where I got the GUI error message about the key being 1024 or not being 2048 (can't remember 100% now, but I know I did generate the key with 2048 bits as documented) so I removed " header/footer" from the key and it was accepted by the GUI but then it didn't work/add the DKIM signing. 
 In the end, I used an online tool DKIM Record Generator - DKIM tools | EasyDMARC for the PRI/PUB keys as the PuTTYgen keys (generated the keys multiple times as I was trying to figure out what I was doing wrong) were still causing errors/no signing. 
 anyway, thanks again.

Vivek Jagad · Answer

Hello Lloyd Playfair ,

Thank you for reaching out to the community, may we know through which tool you generated the key ? You can generate the key using a key generator, such as PuttyGen or Windows OpenSSL. A private key can have 1024 to 2048 bits. Don’t use RSA SHA-1. If you use PuttyGen to generate a private key with 1024 bits, the firewall doesn't add it. You must generate the private key with 2048 bits if you're using PuttyGen.

For the reference:

> How to generate RSA key pair using Windows OpenSSL
> How to generate RSA key pair using PuTTYgen
> DKIM Record check

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.

DKIM Signing (not Working) - Clarification

Top Replies