23

I have a domain name whose DNS is edited via Google Cloud DNS. And I have a Google Apps for Work Account with that domain name.

I wanted to set up DKIM-authentication but when I try to save the corresponding TXT-Record I get the error that the Tag is invalid.

I did the same before and it worked perfectly. I checked the old setup and I saw that the old DKIM-record was about half the length. The new one seems to be too long for a TXT-record in the Google Cloud Platform.

Does anyone have a solution?

tnr23

6 Answers

36

Yeah, you have to split the record as described in this article:

https://support.google.com/a/answer/173535

If your domain provider limits the size of the TXT record value to 255 characters, you can't enter the DKIM key as a single entry in the DNS records. In this case, split the key into multiple quoted text strings and enter them together in the TXT record value field. For example, split the DKIM key into two parts as follows:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/" "zMthVPE2WZKA28+QomQDH7ludLGhXGxpc7kZZCoB5lQiP0o07Ful33fcED73BS9Bt1SNhnrs5v7oq1pIab0LEtHsFHAZmGJDjybPA7OWWaV3L814r/JfU2NK1eNu9xYJwA8YW7WosL45CSkyp4QeQIDAQAB"

The two quoted strings have to stay on the same line - in the same box in the Cloud DNS interface rather than in two separate boxes.

Community
tnr23
  • 8
    I struggled to get this to work until I added the two separate quoted strings to the same line of "TXT data" without adding another item/line. The way you show it in your answer looks like you're saying that should be two TXT record items. Google Cloud DNS does something weird when you make separate records like that so it ends up not passing tests at mxtoolbox.com and dmarcanalyzer.com. After combining both quoted strings into one line separated by one space like `"v=DKIM1; k=rsa; p=MIIBI...M5c/" "zMt...QAB"` all in one single record, now it passes DKIM validation. – FlippingBinary Dec 21 '19 at 17:20
  • Link to the correct article - https://support.google.com/a/answer/11613097 – tsb5555 Jan 31 '23 at 06:45
11

I just ran into the same issue.

The Google DKIM key text strings are longer than most other DKIM keys (probably higher bit count) and won't fit into the 255 length limitation per TXT field.

The way to get around this is to do two TXT entries and end the first with a \ or use ( in the first and ) in the second.

The Google Cloud DNS parser seems to not allow a trailing \ and ) or preceding (.

There may be some way to escape it on the Google Cloud DNS tool - but it is not obvious.

Ok I have a solution.

Make sure to only do 1 TXT record entry and not add multiple TXT records - this is the key step.

If you click "Add Item" when setting up the TXT record this actually creates another TXT record and both records may resolve in any order and the DKIM won't validate.

The trick is to make sure to place the broken up strings into the first text input only and break them into small enough pieces that they all get parsed in the correct sequential order.

x bill
  • I have run into the same problem, but my string does not contain any `\\` or `(` to split from there. How can I do it? – YahyaE Apr 29 '16 at 09:24
  • 1
    The DKIM key goes in the regular TXT record data between the quotes " ". The \ or ( ) are special escape characters that need to be present in the DNS TXT RR entry outside the DKIM information to tell the DNS resolvers which order to glue the multiple TXT records together. These need to be added somehow - but the Google Cloud DNS front end doesn't seem to have a way to do it. – x bill Apr 29 '16 at 14:33
  • @xbill - A TXT record in DNS can have 1 or more strings, which are to be interpreted by clients as being concatenated together - they are entered and stored as distinct strings. You'd specify this in a BIND master file by using "string 1" "string 2" and the Cloud DNS API (and Cloud Console) accepts the same format. – Robert May 20 '16 at 15:38
  • 3
    The Google Cloud DNS interface is so confusing. You have to split the string with spaces, wrap them in double quotes, then paste all that into a SINGLE string within the UI. Then it works. It took an hour to piece all this info together to get it working. Thanks for pointing me in the right direction. How anybody could figure this out before! – simbolo Dec 30 '17 at 20:44
2

How to easily add DKIM as TXT in GCP Cloud DNS:

  1. copy/paste the entire DKIM string into the TXT field
  2. ignore the ...this domain has whitespace but is not a quoted string... related GCP warning you may see
  3. before you save it, insert a single space in the middle of the DKIM p= value string.

That's it.

This approach was tested with Mailgun and a domain name configured in Google Cloud DNS.

Additional notes:

  • GCP will automatically add double quotes around each space separated string after you save
  • you need to separate the p= string in such a way so that no resulting double quoted string created after you save is longer than 255 characters

example (before):

k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlTtO1qRFaK955gz16Y8c1EMCqtaT4exCrwfor2yT438ZVjrUcqo2tPUNR4eqkD+xcKRQnWSw931uVUY6YJWtOrgrXTIrHnTkf5Xtg+jaXr0OhjdeVDIG/Le7oOVWncMf+9J4ZSRybOpb+XZPp/JLjis6pmCLrt5j82yBC9DCbsEPSOVVOC1mr5lq8irQs+qAv6M/DnjNcUrdiRBJyNrs2lfuvfs8BFceZAk1AwcVBcYCmZl5OkxZBn8liTC34FPJLLHm6jMp9+c0OaEtxo8zr3QX0ZYEWC3XqZ/p9fo4Pcg+fpyjee79wBVqUzhVAWdzE5+qAIn4e1Dmslyb6IX4mwIDAQAB

example (after):

k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlTtO1qRFaK955gz16Y8c1EMCqtaT4exCrwfor2yT438ZVjrUcqo2tPUNR4eqkD+xcKRQnWSw931uVUY6YJWtOrgrXTIrHnTkf5Xtg+jaXr0OhjdeVDIG/Le7oOVWncMf+9J4ZSRybOpb+XZPp/JLjis6pmCLrt5j82y BC9DCbsEPSOVVOC1mr5lq8irQs+qAv6M/DnjNcUrdiRBJyNrs2lfuvfs8BFceZAk1AwcVBcYCmZl5OkxZBn8liTC34FPJLLHm6jMp9+c0OaEtxo8zr3QX0ZYEWC3XqZ/p9fo4Pcg+fpyjee79wBVqUzhVAWdzE5+qAIn4e1Dmslyb6IX4mwIDAQAB

Scroll to the right and you'll see the newly added space - this produces three space separated strings, each less than 255 characters:

  1. k=rsa;
  2. p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlTtO1qRFaK955gz16Y8c1EMCqtaT4exCrwfor2yT438ZVjrUcqo2tPUNR4eqkD+xcKRQnWSw931uVUY6YJWtOrgrXTIrHnTkf5Xtg+jaXr0OhjdeVDIG/Le7oOVWncMf+9J4ZSRybOpb+XZPp/JLjis6pmCLrt5j82y
  3. BC9DCbsEPSOVVOC1mr5lq8irQs+qAv6M/DnjNcUrdiRBJyNrs2lfuvfs8BFceZAk1AwcVBcYCmZl5OkxZBn8liTC34FPJLLHm6jMp9+c0OaEtxo8zr3QX0ZYEWC3XqZ/p9fo4Pcg+fpyjee79wBVqUzhVAWdzE5+qAIn4e1Dmslyb6IX4mwIDAQAB

example (after, viewed via DIG):

;; ANSWER SECTION:
dkim.example.com.   300 IN  TXT "k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlTtO1qRFaK955gz16Y8c1EMCqtaT4exCrwfor2yT438ZVjrUcqo2tPUNR4eqkD+xcKRQnWSw931uVUY6YJWtOrgrXTIrHnTkf5Xtg+jaXr0OhjdeVDIG/Le7oOVWncMf+9J4ZSRybOpb+XZPp/JLjis6pmCLrt5j82y" "BC9DCbsEPSOVVOC1mr5lq8irQs+qAv6M/DnjNcUrdiRBJyNrs2lfuvfs8BFceZAk1AwcVBcYCmZl5OkxZBn8liTC34FPJLLHm6jMp9+c0OaEtxo8zr3QX0ZYEWC3XqZ/p9fo4Pcg+fpyjee79wBVqUzhVAWdzE5+qAIn4e1Dmslyb6IX4mwIDAQAB"

Ref: DKIM TXT record value invalid, cloud-dns-discuss group message

user12345
  • I read somewhere **this approach is not recommended** because what goes beyond 255 characters, which is the standard, is implementation dependent. Nowadays servers will join those strings, ending up with `v=DKIM1;k=rsa;p=MIIBIjA...` instead of `v=DKIM1; k=rsa; p=MIIBIjA...` which is invalid in some recipient servers. I'd recommend [FlippingBinary's approach](https://stackoverflow.com/questions/36688278/unable-to-setup-dkim-txt-value-as-dns-record/60291063#comment105060549_36951590) as explained above. – maganap Apr 06 '20 at 12:04
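
Added example (not part of any answer or comment on this page): a Python sketch of the fixed-width split into quoted strings described in the first answer, next to the space-based quoting described in the answer above, with the separator-free concatenation a DKIM verifier applies to the strings of one TXT record. The function names and the sample value are assumptions made for this illustration; the `p=` value is constructed and is not a real key.

```python
import base64
import re

LIMIT = 255  # maximum octets in one DNS character-string (RFC 1035)

def split_txt(value: str, limit: int = LIMIT) -> str:
    """Return value as space-separated quoted strings for ONE TXT record field."""
    if '"' in value or "\\" in value:
        raise ValueError("quotes and backslashes need escaping; not handled here")
    raw = value.encode("ascii")  # DKIM key records are plain ASCII
    chunks = [raw[i:i + limit] for i in range(0, len(raw), limit)]
    return " ".join('"%s"' % c.decode("ascii") for c in chunks)

def join_txt(rdata: str) -> str:
    """Concatenate the quoted strings of one TXT record with no separator."""
    parts = re.findall(r'"([^"]*)"', rdata)
    if any(len(p.encode("ascii")) > LIMIT for p in parts):
        raise ValueError("a string is longer than %d octets" % LIMIT)
    return "".join(parts)

def quote_on_spaces(value: str) -> str:
    """Model of quoting each space-separated token, as the answer above describes."""
    return " ".join('"%s"' % tok for tok in value.split(" "))

# Constructed sample: 392 base64 characters standing in for a 2048-bit key.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode("ascii")
SAMPLE = "v=DKIM1; k=rsa; p=" + SAMPLE_P

if __name__ == "__main__":
    fixed = split_txt(SAMPLE)
    print(fixed)  # paste this whole line into a single TXT data field
    print("round trip exact:", join_txt(fixed) == SAMPLE)
    # One space inserted inside the p= value, then every token quoted separately.
    spaced = quote_on_spaces(SAMPLE[:200] + " " + SAMPLE[200:])
    print("space split joins to:", join_txt(spaced)[:24] + "...")
```

The fixed-width split reproduces the original value byte for byte after concatenation, while the space-based split yields the same `p=` value with the spaces between tags removed.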
2

The solution that worked for me with Google Cloud DNS was to use the tool on this web page to "fix" the Mailgun provided DKIM string: https://www.mailhardener.com/tools/dns-record-splitter

More detail: How to enter TXT values in Google Cloud DNS https://www.mailhardener.com/blog/how-to-enter-txt-values-in-google-cloud-dns

phper
1

Select bit length "1024" while generating DKIM records at Gsuite Admin console. This worked for me.

0

Just add first txt k=rsa; p=abc in DNS record and ignore warnings. Then add the rest. This works for me. Tested on mailgun+Gcloud

  • Doesn't work for me using Mailgun provided values in Google Cloud DNS. Still fails to add record, complaining about "invalid characters". Mailgun says the DNS Name is supposed to be "k1._domainkey.mg.example.ch." My domain is a .ch like example.ch I wonder if Google is rejecting that? However other records added correctly but with just DNS name: ".example.ch." Mailgun doesn't give instructions for Google Cloud DNS. – phper Apr 10 '21 at 03:08