May 1, 2012
tom

dkim-testkey returns "keys do not match" after key’s creation

Question

As in the title, I am struggling with the creation of the DKIM key.
For key creation I use these commands:

openssl genrsa -out s1024.private 1024
openssl rsa -in s1024.private -out s1024.public -pubout -outform PEM

In this way I got the public and private keys.
After that I put the private key in the /etc/dkim/ directory
and I test the key in this way:

dkim-testkey -d hostname -s s1024 -k /etc/dkim/s1024.private

The parameters mean:

  • -d is related to the domain
  • -s is the selector in the config file, in this case s1024
  • -k is the key to match

and the result is this one:

dkim-testkey: keys do not match

How is this possible?
I have done the same procedure on another 60 different servers and everything was fine.
And of course the other 60 servers are cloned from the same debian image.
I also tried to uninstall and reinstall the dkim package but still nothing.

So any idea about why?

Asked by marcodv

Answer

My reading of the man page indicates the verifier will use DNS to look up the public key. Add a new selector for your new key to DNS. Do not reuse your existing selector for the new key. If you don’t need ongoing verifiability, you can schedule deletion of the current selector at a future date (at least a week or so after the switch).

Don’t start using the new key until it is published and the verifier tool reports you have correctly set up the DNS records. Unfortunately, a high percentage of the DKIM email I receive is missing the supporting DNS data.

See my article on Implementing DKIM with Exim for detail on selector management.

Answered by BillThor
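The check the answer describes, as an added example that is not part of the original post or of the dkim-testkey tool: it builds the DNS name the verifier queries from the selector and domain, reduces the PEM written by `openssl rsa -pubout` to the p= string a DKIM record publishes, and compares it with a TXT answer, reporting the same "keys do not match" when the selector still carries an older key. The PEM body and the DNS records below are constructed placeholders, not real keys.

```python
import base64
import re

# Constructed sample public key in the PEM form written by `openssl rsa -pubout`.
# The base64 body is a placeholder, not a real RSA key; it is only compared as text.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCONSTRUCTEDSAMPLEKEYBODY00
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE
-----END PUBLIC KEY-----
"""

def dkim_record_name(selector, domain):
    # DNS name the verifier queries for the public key of this selector
    return f"{selector}._domainkey.{domain}"

def pem_to_dkim_p(pem_text):
    """Reduce a PEM SubjectPublicKeyInfo to the base64 string DKIM publishes in p=."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected the PEM produced by `openssl rsa -pubout`")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # reject a mangled key file early
    return body

def parse_dkim_txt(strings):
    """Join the TXT record's character-strings (DNS splits records longer than
    255 bytes) and parse tag=value pairs; whitespace inside values is dropped."""
    tags = {}
    for part in filter(str.strip, "".join(strings).split(";")):
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_key_matches(pem_text, txt_strings):
    """Mirror the verifier's decision: does the published p= equal our key?"""
    tags = parse_dkim_txt(txt_strings)
    if tags.get("k", "rsa") != "rsa":
        return False, "published key type is not rsa"
    published = tags.get("p", "")
    if published == "":
        return False, "p= is empty: the selector's key is revoked"
    if published != pem_to_dkim_p(pem_text):
        return False, "keys do not match"
    return True, "key matches"

# Constructed DNS answers: the new selector's record as a resolver returns it
# (split into two strings) and a stale record left under a reused selector.
_P = pem_to_dkim_p(SAMPLE_PUBLIC_PEM)
MATCHING_TXT = ["v=DKIM1; k=rsa; p=" + _P[:100], _P[100:]]
STALE_TXT = ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQOLDKEYAAAA"]
```

Run `check_key_matches(SAMPLE_PUBLIC_PEM, STALE_TXT)` to see the failure from the question reproduced against a selector whose DNS record still holds the previous key.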
