Troubleshoot "invalid tagname or tagvalue in DNS TXT record" or "invalid value for DNS TXT record" in ESA

Available Languages

Download Options

  • PDF     (51.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (133.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (106.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 31, 2020
Document ID:216082

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes DomainKeys Identified Mail (DKIM) 2048 key length signature that has been created in the Email Security Appliance (ESA) and needs to be implemented in the Domain Name Server (DNS).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Domain Keys Signing Keys
    • Domain Keys Signing Profiles

    Components Used

    This document is not restricted to specific software and hardware versions.

    Background Information

    When a signing key is created, you specify a key size. Larger key sizes are more secure; however, larger keys also can impact performance.

    Once you have associated a Signing Key with a domain profile, you can create DNS text record which contains your public key. You do this via the Generate link in the DNS Text Record column in the domain profile column.

    You can also view the public key via the View link on the Signing Keys page, as shown in the image.

    Problem

    DNS error "invalid tagname or tagvalue in DNS TXT record" or "invalid value for DNS TXT record" when the DKIM 2048 signature is generated in the ESA.

    Validate the configuration from ESA.

    Navigate to Mail Policies > Signing Profiles.

    Solution

    Verify these two options:

    a) Selector typo:

    The selector is an arbitrary string that is used in order to allow multiple DKIM DNS records for a given domain. A selector value and length must be legal in the DNS namespace and in email headers with the additional provision that they cannot contain a semicolon. Examples of selectors with namespaces:

    san.mateo._domainkey.example.com boston._domainkey.example.com

    b) Some DNS needs an extra line or configuration in order to accept this size:

    Delete the quotes “” generated in the middle of the record when you upload the record on your DNS or add the record in the separate lines and remove the extra quotes.

    Note: The ESA appliance supports keys from 512 bits up to 2048 bits. Validate your DNS provided.

    Depends on the DNS provider, how the ESA presents the DKIM 2048 length signature and the DNS control panel interpretation of the record generates errors for the DKIM verification or the configuration within the TXT record.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    27-Sep-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Erika Valverde

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco