100

Here is how I enter the value for the DKIM key:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"

There are no new lines in this value (I specifically copy pasted and tested it in a text editor). But for some reason I keep getting TXT is too long error:

TXTRDATATooLong encountered at "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"

I really don't know what I should do to fix this issue.

Gasim
  • 1,257

10 Answers

125

See a similar issue in Route 53 forum:

Unfortunately the 255 character limit per string on TXT records is not a Route53 limit but rather one imposed by the DNS protocol itself. However, each TXT record can have multiple strings, each 255 characters long. You will need to split your DKIM into multiple strings for your TXT record. You can do this via the console by entering each string encapsulated in quotes, one string per line.

Important note: Do not use "one string per line" as the instructions say -- separate strings with a single space, eg. "foo" "bar" not "foo"\n"bar". Use DKIMValidator to validate the signature is being read correctly.

99

You can chop it up into chunks of quoted text with a max length of 255 per chunk. You don't have to make each chunk exact.

For example, if your value looks something like:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza bcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

You can chop it up at arbitrary places:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzab" "cdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

Note those are single spaces, not newlines, between each chunk!

Google's setup instructions, unsurprisingly, are terrible. I just wrote up a complete guide for how to do this on Route53.

Andy Ray
  • 1,100
  • 7
  • 5
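An added example, not part of any answer on this page: a Python sketch of the rule the two answers above describe, which splits a long DKIM value into strings of at most 255 bytes, renders them as one space-separated TXT value, and checks an entered value the way those answers say Route 53 reads it (one record per line). The function names and the sample key are constructed for illustration.

```python
import re

MAX_STRING = 255  # a DNS character-string carries a one-byte length prefix

# Constructed sample: 392 base64 characters is the size of a 2048-bit RSA key.
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 392

def split_txt(value, size=MAX_STRING):
    """Cut the value into chunks of at most `size` bytes (any cut point works)."""
    raw = value.encode("ascii")  # DKIM key records are plain ASCII
    return [raw[i:i + size].decode("ascii") for i in range(0, len(raw), size)]

def to_console_value(chunks):
    """Quoted strings joined by single spaces: one TXT record, several strings."""
    return " ".join(f'"{c}"' for c in chunks)

def parse_console_value(text):
    """Model of the console behaviour described above: each line is a record."""
    records = []
    for line in text.splitlines():
        strings = re.findall(r'"([^"]*)"', line)
        if strings:
            records.append(strings)
    return records

def check(value, text):
    """Return a list of problems with an entered TXT value (empty means OK)."""
    records = parse_console_value(text)
    problems = []
    if len(records) != 1:
        problems.append(f"expected 1 TXT record, got {len(records)}")
    for rec in records:
        for s in rec:
            if len(s.encode()) > MAX_STRING:
                problems.append(f"string of {len(s.encode())} bytes exceeds {MAX_STRING}")
    # RFC 6376: verifiers concatenate a record's strings with nothing in between.
    if records and "".join(records[0]) != value:
        problems.append("first record does not reassemble to the original value")
    return problems

if __name__ == "__main__":
    chunks = split_txt(SAMPLE)
    print(to_console_value(chunks))                           # value to paste
    print(check(SAMPLE, "\n".join(f'"{c}"' for c in chunks))) # newline mistake
```
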
37

DKIM on AWS Route53

You must split the DMARC record into 255 character parts. If you happen to host your DNS using AWS Route53, insert each part quoted with "..." into the record.

Do not use newlines to split the parts, because that would be separate TXT entries.

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

"v=DKIM1; k=rsa; p=ABC123longkeypart1" "ABC123longkeypart2"

Using Terraform and Route53

When using Terraform to provision your Route53 records, you must split the DKIM-key into 255 max character parts as well.

Since Terraform takes care of quoting the TXT-entry, you must only provide quotes between each part, like so \"\".

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

resource "aws_route53_record" "some_domain_dkim" {
  zone_id = "${aws_route53_zone.some_domain.zone_id}"
  name    = "google._domainkey.some_domain.com."
  type    = "TXT"
  ttl     = "3600"

  records = [
    "v=DKIM1; k=rsa; p=ABC123longkeypart1\"\"ABC123longkeypart2"
  ]
}

See also: https://www.terraform.io/docs/providers/aws/r/route53_record.html#records

Overbryd
  • 583
5

You can simply select 1024 instead of 2048 and add this to Route 53 at the time of generating the TXT in Google Apps.

2

On AWS Route 53, create or edit the TXT record for DKIM and go for the "use wizard" option rather than the quick entry method. The record name should be default._domainkey.yourdomain.com (or apropos) and the record type TXT. You know all that already but the sticky bit is 256 character records.

In the record value box cut n paste "everything inside the parenthesis" output from sudo cat /etc/opendkim/keys/yourdomain.com/default.txt

Delete the quotes and place each quoted string in its own line unquoted and hit the submit button.

Go back and edit it and you will see the quotes have been put in. These quoted strings in quotes are on three separate lines, causing multiple records rather than just one, so edit the record value and replace the newline character with a space instead (the word wrap will make it appear the same, but it is different in character when held in the zone record and, for reasons beyond me, it appears as a single record split into <256 char chunks rather than three separate records).

Thanks to Overbryd above for pointing that out.

This is for quick n easy AWS entry, putting a little more context in case I myself or others need to dig for info on AWS Route 53 DNS TXT DKIM EC2 256 character opendkim issues long record issues.

2

On Amazon Lightsail, I had to enclose the separated texts in additional quotes, such that:

"v=DKIM1;k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"

Becomes:

""v=DKIM1;k=rsa; p=abcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyz""
Emamuzo
  • 21
1

Use this to split the DNS TXT record at the 255 limit: https://www.mailhardener.com/tools/dns-record-splitter

Just grab the text inside v=

"default._domainkey.blabla.app. 1   IN  TXT "v=DKIM1; k=rsa; p=asdfjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9BqhK5AKY7d8aE3hEqUaqdth+0Vj9iCYUhl51iNonhJP84wVXvcZe5IRcIAGd7cLSs3nYfL/Nlp8NFIPiOmvjEp6DCVmUw5rQLwz876+umizg/Zg0LYgEUDo8od2YbBBAkNkrpWetaHf2AV+f5NeWio" "ocDMzS80pVuCdQVi/ONW5kJ1Oej/GqSfxg2aFXSN3F06GoyAJ38tCGgGGFJHJWJjP1mIQJGXJ46RsQxM2AKm42KDkROKU3YNjQMXmADwXLHKfr8bRzEUPCcf9zPj8FIpJDspFAiXpTxgOG5w5IlP04v5XjPfoyr+c1A71e1fYaYBpJ4+P6KnZdzcWbvGIQIDAQAB;""

eg.

"v=DKIM1; k=rsa; p=asdfjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9BqhK5AKY7d8aE3hEqUaqdth+0Vj9iCYUhl51iNonhJP84wVXvcZe5IRcIAGd7cLSs3nYfL/Nlp8NFIPiOmvjEp6DCVmUw5rQLwz876+umizg/Zg0LYgEUDo8od2YbBBAkNkrpWetaHf2AV+f5NeWio" "ocDMzS80pVuCdQVi/ONW5kJ1Oej/GqSfxg2aFXSN3F06GoyAJ38tCGgGGFJHJWJjP1mIQJGXJ46RsQxM2AKm42KDkROKU3YNjQMXmADwXLHKfr8bRzEUPCcf9zPj8FIpJDspFAiXpTxgOG5w5IlP04v5XjPfoyr+c1A71e1fYaYBpJ4+P6KnZdzcWbvGIQIDAQAB;"


johndpope
  • 121
0

This is how I got 2048-bit DKIM to work on AWS Route 53. Initially it was this, and it failed:

"v=DKIM1; k=rsa;" "p=MII...EndofKeyOne" "4tOt...EndofKeyTwo"

This is what worked below:

"v=DKIM1; k=rsa; p=" "MII...EndofKeyOne" "4tOt...EndofKeyTwo"

Note: (1) It is just a single space that separates the double quotes of key one from key two, not a line separation. (2) The first key started on a new line with the double quote sign (I assumed it could still have started on the same line as the v & k specifications and would still have worked). (3) The p tag (public key tag) was inserted inside the opening and closing double quotes that start the value, i.e. "v=DKIM1; k=rsa; p=". (4) Point 3 above is actually the missing puzzle piece that got the configuration done.

0

Lightsail DNS is now: "" and "" around the whole entry, then "..." around chunks less than 256, then a single new line between each chunk.

"""k=rsa; p=kldsjlk...."
"kljkldasfdslk..."""
Rob
  • 101
0

2025 - AWS Route53

Simply split the value with "" to obtain 3 parts.

For example:

Original value example:

"abcdefghijklmnopqrstuvwxyz"

Split value, but on the same line and without spaces:

"abcdefgh""ijklmnopq""rstuvwxyz"

It should work!