I added a custom DKIM key to my MiaB server a few weeks back, so that I could get it to work with my DNS that only supports 1024-bit keys. See https://discourse.mailinabox.email/t/dkim-signature-header-exists-but-is-not-valid/1968/5?u=alexweissman.
It was working great, but then people started complaining to me that messages had been going into spam again. I checked my DKIM config to make sure that I wasn't going crazy, and I noticed that KeyTable didn't have the correct path to my custom DKIM key (despite the fact that I am _sure_ I correctly set it, originally).
Upon digging into the source, it looks like MiaB overwrites KeyTable whenever do_dns_update is called. I would propose one of two solutions:
KeyTable when new domains are added;KeyTable.You may be right, but it seems like a lot of extra coding to take a step backwards in the long run. Are you using AWS Route 53 by chance? If so, check this https://github.com/mail-in-a-box/mailinabox/issues/1152 and it seems other DNS have similar work arounds, for example this symantec article offers a similar solution for use on windows DNS server: https://support.symantec.com/en_US/article.TECH123082.html
I'm using Namecheap. I've tried the technique of splitting up the key into multiple parts, but that didn't work either - they simply do not support 2048-bit keys!
I can confirm about Namecheap only using 1024 bit keys. See here:
I also tried several ways of using a 2048 bit key, but they have a limit on the length of a txt record, and quietly truncate any record longer than a certain length after submitting it. Took me a bit to realize why it wasn't working....
Assuming Namecheap is the only DNS server you are using for your MiaB served domains, you can fix this by editing setup/dkim.sh.
Relevant code on lines 49-51:
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
fi
@myfirstnameispaul it's been a while since I've looked at this - would I need to delete the old 2048-bit key to get this to trigger?
@alexweissman Correct, if it sees mail/dkim/mail.private, then it will not generate new keys. Technically, you don't need to delete, just not have a file at that location.
Have you been able to determine when setup/dkim.sh is actually run? I've been tinkering with modifying my dns_update.py, but I can't get it to even do something as simple as write to a log file. So, I'm starting to suspect that it's not getting executed and that something else (perhaps dkim/sh) is responsible for altering my KeyTable instead.
@alexweissman You need to run the full setup - it seems to be designed to only change things not already configured (sorry, don't recall specific file at this moment).
Thanks! I actually ended up setting up a primary DNS with Cloudflare, which does accept the 2048-bit keys.
Most helpful comment
I can confirm about Namecheap only using 1024 bit keys. See here:
https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain
I also tried several ways of using a 2048 bit key, but they have a limit on the length of a txt record, and quietly truncate any record longer than a certain length after submitting it. Took me a bit to realize why it wasn't working....