Introduction
This document describes a DomainKeys Identified Mail (DKIM) signature with a 2048 key length that has been created in the Email Security Appliance (ESA) and needs to be implemented in the Domain Name Server (DNS).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Domain Keys Signing Keys
- Domain Keys Signing Profiles
Components Used
This document is not restricted to specific software and hardware versions.
Background Information
When a signing key is created, you specify a key size. Larger key sizes are more secure; however, larger keys also can impact performance.
Once you have associated a Signing Key with a domain profile, you can create a DNS text record which contains your public key. You do this via the Generate link in the DNS Text Record column in the domain profile column.
You can also view the public key via the View link on the Signing Keys page, as shown in the image.
Problem
The DNS returns the error "invalid tagname or tagvalue in DNS TXT record" or "invalid value for DNS TXT record" when the DKIM 2048 signature is generated in the ESA.
Validate the configuration from ESA.
Navigate to Mail Policies > Signing Profiles.
Solution
Verify these two options:
a) Selector typo:
The selector is an arbitrary string that is used in order to allow multiple DKIM DNS records for a given domain. A selector value and length must be legal in the DNS namespace and in email headers with the additional provision that they cannot contain a semicolon. Examples of selectors with namespaces:
san.mateo._domainkey.example.com
boston._domainkey.example.com
b) Some DNS providers need an extra line or configuration in order to accept this size:
Delete the quotes ("") generated in the middle of the record when you upload the record to your DNS, or add the record on separate lines and remove the extra quotes.
Note: The ESA appliance supports keys from 512 bits up to 2048 bits. Validate this with your DNS provider.
Depending on the DNS provider, the way the ESA presents the DKIM 2048 length signature and the way the DNS control panel interprets the record can generate errors for the DKIM verification or for the configuration within the TXT record.
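The two checks above can be run offline before the record is uploaded. This is an added example, not Cisco code: the function names and the sample record are constructed, and it assumes the generated record is split into quoted chunks of at most 255 characters (the RFC 1035 limit for one TXT string).

```python
import base64
import re

TXT_STRING_MAX = 255  # RFC 1035: one TXT character-string holds at most 255 bytes

def selector_ok(selector: str) -> bool:
    """Each dot-separated label must be a legal DNS label; ';' never matches."""
    label = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    return re.fullmatch(rf"{label}(?:\.{label})*", selector) is not None

def join_chunks(generated: str) -> str:
    """Join the quoted chunks of a generated record into one logical value."""
    chunks = re.findall(r'"([^"]*)"', generated)
    return "".join(chunks) if chunks else generated.strip()

def split_chunks(value: str, size: int = TXT_STRING_MAX) -> str:
    """Re-split a value into quoted strings for panels that want separate lines."""
    return " ".join(f'"{value[i:i + size]}"' for i in range(0, len(value), size))

def check_value(value: str) -> list:
    """Return the problems found in a DKIM key record value (RFC 6376 tag=value)."""
    problems, tags = [], {}
    if '"' in value:
        problems.append("literal quote inside the value")
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, val = part.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name.strip()):
            problems.append(f"invalid tag: {part[:20]!r}")
            continue
        tags[name.strip()] = re.sub(r"\s+", "", val)
    if "p" not in tags:
        problems.append("p= tag missing")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample: 294 filler bytes, the size of a typical 2048-bit RSA public
# key in DER. It is not a real key.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_P
GENERATED = split_chunks(VALUE)  # stands in for the chunked record text
PASTED = GENERATED[1:-1]         # panel adds the outer quotes, inner ones are kept

if __name__ == "__main__":
    print(check_value(PASTED))                   # the failure described in b)
    print(check_value(join_chunks(GENERATED)))   # clean once the chunks are joined
    print(selector_ok("san.mateo"), selector_ok("bos;ton"))
```

Publish the output of join_chunks() when the DNS control panel adds its own quotes, and the output of split_chunks() when it expects each string on a separate line.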