
What causes invalid RSA public key errors in DKIM records and how can I fix it?

Summary

Invalid RSA public key errors in DKIM records arise from a combination of factors. These include malformed keys due to base64 decoding issues (often from truncation or corruption during DNS insertion), incorrect DNS record syntax (extra spaces, typos), problems during key generation (incorrect parameters, buggy software), DNS limitations (character limits, propagation delays), key mismatches, revocation, incompatible OpenSSL versions, canonicalization issues, and incorrect selectors. Resolution involves careful DNS configuration, adherence to DKIM standards, consistent canonicalization, proper key management, regular testing, and using online DKIM checkers.

Key findings

  • Base64 Decoding: Malformed keys can result from bad base64 decoding, often due to truncation or corruption during DNS insertion; a tell-tale symptom is a key in DNS with an odd number of characters.
  • Copy/Paste Errors: Extra spaces, line breaks, or incorrect characters introduced during copy/pasting of DKIM records into DNS can break the key.
  • DNS Syntax: Incorrect DNS record syntax, including extra spaces, typos, or incorrect characters, can lead to DKIM errors.
  • Key Generation: Invalid RSA public keys can arise from incorrect parameters or buggy software used during key generation.
  • RFC 6376: Failure to adhere strictly to the DKIM standard (RFC 6376) regarding syntax and formatting of the public key record causes parsing errors.
  • Encoding Issues: Base64 encoding problems can corrupt DKIM keys, leading to validation failures.
  • DNS Limits: DNS providers' character limits for TXT records can truncate DKIM keys, causing errors.
  • OpenSSL: Incompatibility between OpenSSL versions used for key generation and validation results in errors.
  • Propagation: DNS propagation delays can temporarily prevent DKIM records from being recognized.
  • Key Mismatch: Mismatches between the public key in DNS and the private key used to sign emails cause DKIM to fail.
  • Canonicalization: Inconsistent canonicalization algorithms during signing and verification processes trigger false negatives.
  • Key Revoked/Expired: Revoked or expired DKIM keys result in validation failures.
  • Incorrect Key Length: The DKIM key is not 1024 or 2048 bits long.
  • Incorrect Selector: An incorrect DKIM selector can lead to validation failures.

Key considerations

  • Cleaning Keys: Use a text editor to clean DKIM keys before pasting them into DNS to avoid introducing errors.
  • Review Tooling: Verify parameters and test other software used for key generation.
  • Review Encoding: Check encoding process to ensure no characters are corrupted during encoding/decoding.
  • Provider Limit: If the record exceeds the provider's character limit, split it into multiple DNS records or move to a provider with higher limits.
  • Check DNS Timing: Wait 24-48 hours after adding/modifying DKIM records before troubleshooting.
  • Using DKIM Checker: Use online DKIM checkers to diagnose syntax errors and other issues.
  • Ensure Testing: Conduct regular testing by sending test emails to various providers and checking headers for proper signing.
  • Check Keys Active: Ensure the DKIM key is active and hasn't been intentionally revoked.
  • Syntax Check: Carefully review DNS records for typos, extra spaces, and syntax errors, ensuring compliance with the DNS provider's requirements.
  • OpenSSL Check: Upgrade OpenSSL or regenerate the key with a compatible version if version incompatibility is suspected between key generation and validation software.
  • Key Length: Verify the DKIM key length is 1024 or 2048 bits.
  • Selector Check: Ensure that the selector in the email headers matches the selector in the DNS record.
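The syntax, base64, key-length and selector checks listed above can be run locally instead of by eye. The following is an added example written for this page, not Suped's tooling and not a DKIM library: it joins the TXT strings of a selector._domainkey record, parses the tag=value list as RFC 6376 defines it, base64-decodes p=, walks the DER SubjectPublicKeyInfo with a minimal parser that assumes the rsaEncryption layout, and reports the modulus size. The sample keys are constructed from an arbitrary 2048-bit integer rather than a real RSA modulus, so they exercise the record and encoding checks only; all function names and messages are mine.

```python
"""DKIM public-key record checker (added example; standard library only)."""
import base64
import binascii
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1, rsaEncryption
TXT_STRING_LIMIT = 255  # RFC 1035 character-string limit; longer records are published as several strings

def dkim_record_name(selector, domain):
    """Where a verifier looks: the s= selector taken from the DKIM-Signature header."""
    return f"{selector}._domainkey.{domain}"

def split_txt_strings(record, limit=TXT_STRING_LIMIT):
    """Split a long record into <=255-byte TXT strings; DNS concatenates them without separators."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

# --- minimal DER encode/decode for SubjectPublicKeyInfo { rsaEncryption, BIT STRING { n, e } } ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep the INTEGER positive

def build_rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for public key (n, e); used here only to construct samples."""
    alg = _der_tlv(0x30, RSA_OID + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + _der_tlv(0x30, _der_int(n) + _der_int(e))))

def _der_read(buf, pos):
    """Read one TLV at pos -> (tag, body, next pos); a short buffer means a truncated key."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: header missing")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated DER: declared length exceeds data")
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, end = _der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = _der_read(outer, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_read(outer, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    tag, pub, _ = _der_read(bits, 1)
    tag2, n, _ = _der_read(pub, 0)
    if tag != 0x30 or tag2 != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n, "big").bit_length()

def parse_tags(record):
    """Split a DKIM tag-list (RFC 6376 section 3.2) into a dict; rejects a field without '='."""
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"field without '=': {field.strip()!r}")
        name, value = field.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags

def check_dkim_record(txt_strings):
    """Validate the TXT strings of selector._domainkey.<domain>; returns key size and problems."""
    problems = []
    result = {"key_bits": None, "problems": problems}
    try:
        tags = parse_tags("".join(txt_strings))
    except ValueError as exc:
        problems.append(f"syntax: {exc}")
        return result
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"syntax: v={tags['v']!r} must be DKIM1")
    if tags.get("k", "rsa").lower() != "rsa":
        problems.append(f"key type {tags['k']!r} is not rsa")
    if "p" not in tags:
        problems.append("syntax: p= tag missing")
        return result
    key = re.sub(r"\s+", "", tags["p"])  # folding whitespace inside the base64 is permitted
    if key == "":
        problems.append("key revoked: p= is empty")
        return result
    try:
        spki = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        bad = sorted(set(re.findall(r"[^A-Za-z0-9+/=]", key)))
        problems.append(f"base64: {exc} (length {len(key)}, non-base64 chars {bad})")
        return result
    try:
        result["key_bits"] = bits = rsa_modulus_bits(spki)
    except ValueError as exc:
        problems.append(f"DER: {exc}")
        return result
    if bits not in (1024, 2048):
        problems.append(f"key length {bits} bits is not 1024 or 2048")
    return result

def record_for_key(n, e=65537):
    """v=DKIM1; k=rsa; p=... for a public key (n, e)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki(n, e)).decode("ascii")

# Constructed sample: an arbitrary 2048-bit integer stands in for a real modulus (not a usable key).
GOOD_RECORD = record_for_key((1 << 2047) | 0x1234567)

if __name__ == "__main__":
    cases = {
        "good, split into TXT strings": split_txt_strings(GOOD_RECORD),
        "one character lost in copy/paste": [GOOD_RECORD[:-1]],
        "cut by provider, still valid base64": [GOOD_RECORD[:-40]],
        "stray character typed into the key": [GOOD_RECORD[:-5] + "*" + GOOD_RECORD[-4:]],
        "revoked": ["v=DKIM1; p="],
    }
    for label, strings in cases.items():
        print(f"{label}: {check_dkim_record(strings)}")
```

Two details are worth noticing when reading the output. A single lost character makes the base64 length a non-multiple of four and fails at decoding, which is the "odd number of characters" symptom; a record cut at a provider's length limit can still be valid base64 and only fails once the DER length header claims more bytes than arrived. Whitespace inside p= is stripped before decoding because RFC 6376 permits folding whitespace there, so the damaging copy/paste errors are lost or substituted characters rather than spaces as such.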

What email marketers say

10 marketer opinions

Invalid RSA public key errors in DKIM records can stem from various sources, primarily related to key generation, DNS configuration, and key management. Key generation issues include using incorrect parameters or buggy software. DNS problems often arise from copy/paste errors, character limits, or DNS propagation delays. Key mismatches, revocation, or base64 encoding issues also contribute to validation failures. Regular testing, using online DKIM checkers, and verifying key length and syntax are crucial for resolving these errors.

Key opinions

  • Cut/Paste Errors: Copying and pasting DKIM records into DNS can introduce errors like extra spaces, line breaks, or incorrect characters.
  • Key Generation Issues: Invalid RSA public keys can result from incorrect parameters or buggy software used during key generation.
  • Base64 Encoding: Problems with base64 encoding can corrupt DKIM keys, leading to validation failures.
  • DNS Character Limits: Some DNS providers have character limits that can truncate DKIM keys, causing errors.
  • DNS Propagation Delays: DNS propagation delays can temporarily prevent DKIM records from being recognized.
  • Key Mismatches: Mismatches between the public key in DNS and the private key used to sign emails will cause DKIM to fail.
  • Key Revocation: Revoked or expired DKIM keys result in validation failures.

Key considerations

  • Careful Copy/Paste: Use a text editor to clean DKIM keys before pasting them into DNS to avoid introducing errors.
  • Key Generation Tool: Verify parameters and test other software used for generation.
  • Base64 Encoding Verification: Check the encoding process to ensure no characters are corrupted during encoding/decoding.
  • DNS Provider Limits: If the key exceeds the provider's character limit, split it into multiple DNS records or move to a new provider with higher limits.
  • Propagation Waiting Period: Wait 24-48 hours after adding/modifying DKIM records before troubleshooting.
  • DKIM Checkers: Use online DKIM checkers to diagnose syntax errors and other issues.
  • Regular Testing: Conduct regular testing by sending test emails to various providers and checking headers for proper signing.
  • Active Key Status: Ensure the DKIM key is active and hasn't been intentionally revoked.

Marketer view

Email marketer from Reddit recommends careful copy/pasting of the DKIM record into DNS, because extra spaces, line breaks, or incorrect characters can easily be introduced. They advise using a text editor to clean up the key before pasting it into DNS.

2 Nov 2022 - Reddit

Marketer view

Email marketer from Stack Overflow suggests an invalid RSA public key can arise during the key generation process itself if the parameters are incorrect or if the software used for generation has bugs. They advise trying a different key generation tool or verifying the parameters used.

16 May 2022 - Stack Overflow

What the experts say

3 expert opinions

Invalid RSA public key errors in DKIM records can be caused by malformed keys due to bad base64 decoding (often from truncation or corruption during insertion into DNS), incorrect key lengths (keys shorter than the standard 1024 or 2048 bits), or using the wrong selector (leading to validation failures). Troubleshooting involves verifying key length and ensuring the correct selector is used.

Key opinions

  • Malformed Key: Bad base64 decoding can lead to a malformed key, often due to truncation or corruption during DNS insertion, with an odd number of characters in the DNS record.
  • Incorrect Key Length: Using a key length that is not 1024 bits or 2048 bits can cause the key to be rejected.
  • Incorrect Selector: An incorrect DKIM selector can lead to validation failures.

Key considerations

  • Check Base64 Encoding: Ensure the base64 encoding is correct and that the key hasn't been truncated or corrupted during insertion into DNS.
  • Verify Key Length: Confirm that the generated key length is either 1024 bits or 2048 bits.
  • Double-Check Selector: Ensure that the selector in the email headers matches the selector in the DNS record.

Expert view

Expert from Word to the Wise explains that an incorrect key length can be an issue for DKIM. Standard key sizes are 1024 bits or 2048 bits; anything shorter is typically rejected. They suggest checking if the key was generated with the correct length.

24 Feb 2024 - Word to the Wise

Expert view

Expert from Email Geeks suggests a bad base64 decode indicates the DKIM key is malformed, possibly truncated or corrupted during DNS management insertion, noting the key in DNS is an odd number of characters long.

19 Aug 2021 - Email Geeks

What the documentation says

5 technical articles

Invalid RSA public key errors in DKIM records often arise from incorrect DNS record syntax, including typos, extra spaces, or incorrect characters, violating the DKIM standard (RFC 6376). Incompatibility between OpenSSL versions used for key generation and validation, as well as canonicalization issues during signing and verification, can also lead to errors. Strict adherence to DNS syntax rules, consistent canonicalization, and ensuring OpenSSL compatibility are crucial for resolution.

Key findings

  • DNS Syntax Errors: Incorrect DNS record syntax, including extra spaces, typos, or incorrect characters, can lead to DKIM errors.
  • RFC 6376 Violations: Failure to adhere strictly to the DKIM standard (RFC 6376) regarding syntax and formatting of the public key record can cause parsing errors.
  • OpenSSL Incompatibility: Incompatibility between OpenSSL versions used for key generation and validation can result in errors.
  • Canonicalization Issues: Inconsistent canonicalization algorithms during signing and verification processes can trigger false negatives.

Key considerations

  • Review DNS Records: Carefully review DNS records for typos, extra spaces, and other syntax errors, ensuring compliance with the DNS provider's requirements.
  • Adhere to RFC 6376: Strictly adhere to the DKIM standard (RFC 6376) for the public key record's syntax, including correct use of semicolons and tag-value pairs.
  • Ensure OpenSSL Compatibility: Upgrade OpenSSL or regenerate the key with a compatible version if version incompatibility is suspected between key generation and validation software.
  • Consistent Canonicalization: Ensure consistent canonicalization algorithms are used during both the signing and verification processes to prevent false negatives.
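The canonicalization point above is easier to see in code than in prose. The following is an added example written for this page, not Suped's code and not a reference implementation from RFC 6376: it implements the "simple" and "relaxed" header and body canonicalization rules of RFC 6376 section 3.4 over CRLF-terminated text, computes the bh= body hash with SHA-256 as a verifier would, and shows why a c= tag that does not match how the signer actually hashed produces a false negative on an untouched message, while simple canonicalization also breaks when an intermediary alters trailing whitespace. The message bodies are constructed.

```python
"""DKIM canonicalization and body-hash demo (added example, standard library only)."""
import base64
import hashlib
import re

CRLF = "\r\n"

def parse_c_tag(c):
    """c=header/body from a DKIM-Signature; default is simple/simple, a lone mode means body=simple."""
    header, _, body = (c or "simple").partition("/")
    return header, body or "simple"

def canon_header_simple(field):
    return field  # no change at all

def canon_header_relaxed(field):
    field = field.rstrip("\r\n")
    name, _, value = field.partition(":")
    value = value.replace(CRLF, "")         # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)   # runs of WSP become a single SP
    # lowercase the name, drop WSP around the colon and at the end of the value
    return f"{name.strip().lower()}:{value.strip()}{CRLF}"

def canon_body_simple(body):
    while body.endswith(CRLF):              # drop trailing empty lines ...
        body = body[:-2]
    return body + CRLF                      # ... and end with exactly one CRLF (empty body -> CRLF)

def canon_body_relaxed(body):
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split(CRLF)]
    body = CRLF.join(lines)
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF if body else ""      # an empty body stays empty under relaxed

def body_hash(body, mode):
    """bh= value: base64(SHA-256(canonicalized body)), as used with rsa-sha256."""
    canon = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}[mode]
    return base64.b64encode(hashlib.sha256(canon(body).encode("utf-8")).digest()).decode("ascii")

def verify_body_hash(received_body, bh, c_tag):
    """What a verifier does: recompute bh= with the body mode declared in c= and compare."""
    _, body_mode = parse_c_tag(c_tag)
    return body_hash(received_body, body_mode) == bh

# Constructed sample: the body as signed, and as received after trailing spaces were stripped in transit.
SIGNED_BODY = "Hello world  " + CRLF + CRLF
RECEIVED_BODY = "Hello world" + CRLF

def demo():
    """Compare verification outcomes for matching and mismatched canonicalization."""
    bh_relaxed = body_hash(SIGNED_BODY, "relaxed")
    bh_simple = body_hash(SIGNED_BODY, "simple")
    return {
        # untouched message, c= matches how bh was computed
        "relaxed signer, c=relaxed/relaxed": verify_body_hash(SIGNED_BODY, bh_relaxed, "relaxed/relaxed"),
        # untouched message, but the signer hashed relaxed and declared simple: false negative
        "relaxed signer, c=relaxed/simple": verify_body_hash(SIGNED_BODY, bh_relaxed, "relaxed/simple"),
        # trailing whitespace changed in transit: simple breaks, relaxed survives
        "simple signer, whitespace altered": verify_body_hash(RECEIVED_BODY, bh_simple, "simple/simple"),
        "relaxed signer, whitespace altered": verify_body_hash(RECEIVED_BODY, bh_relaxed, "relaxed/relaxed"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```

The second case is the misconfiguration the article warns about: nothing in the message changed, yet the body hash fails because the verifier follows the declared c= mode and the signer hashed under another. The third and fourth cases show the separate, operational reason relaxed/relaxed is the usual recommendation: forwarding paths that touch whitespace break a simple body hash but not a relaxed one.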

Technical article

Documentation from Google explains that strict adherence to DNS syntax rules is essential. For Google Workspace, they provide specific examples and guidelines for DKIM record formatting, which should be followed precisely.

11 Aug 2024 - Google

Technical article

Documentation from OpenSSL explains that if the version of OpenSSL used to generate the key is incompatible with the software validating it, errors can occur. Upgrading OpenSSL or regenerating the key with a compatible version is suggested.

14 Sep 2024 - OpenSSL
