What causes invalid RSA public key errors in DKIM records and how can I fix it?

Summary

Invalid RSA public key errors in DKIM records have several possible causes. These include malformed keys due to base64 decoding issues (often from truncation or corruption during DNS insertion), incorrect DNS record syntax (extra spaces, typos), problems during key generation (incorrect parameters, buggy software), DNS limitations (character limits, propagation delays), key mismatches, revocation, incompatible OpenSSL versions, canonicalization issues, and incorrect selectors. Resolution involves careful DNS configuration, adherence to DKIM standards, consistent canonicalization, proper key management, regular testing, and using online DKIM checkers.

Key findings

  • Base64 Decoding: Malformed keys can result from bad base64 decoding, often due to truncation or corruption during DNS insertion; a p= value with an odd number of characters is a tell-tale sign, since valid base64 always has a length that is a multiple of four.
  • Copy/Paste Errors: Extra spaces, line breaks, or incorrect characters introduced during copy/pasting of DKIM records into DNS can break the key.
  • DNS Syntax: Incorrect DNS record syntax, including extra spaces, typos, or incorrect characters, can lead to DKIM errors.
  • Key Generation: Invalid RSA public keys can arise from incorrect parameters or buggy software used during key generation.
  • RFC 6376: Failure to adhere strictly to the DKIM standard (RFC 6376) regarding syntax and formatting of the public key record causes parsing errors.
  • Encoding Issues: Base64 encoding problems can corrupt DKIM keys, leading to validation failures.
  • DNS Limits: DNS providers' character limits for TXT records can truncate DKIM keys, causing errors.
  • OpenSSL: Incompatibility between OpenSSL versions used for key generation and validation results in errors.
  • Propagation: DNS propagation delays can temporarily prevent DKIM records from being recognized.
  • Key Mismatch: Mismatches between the public key in DNS and the private key used to sign emails cause DKIM to fail.
  • Canonicalization: Inconsistent canonicalization algorithms during signing and verification processes trigger false negatives.
  • Key Revoked/Expired: Revoked or expired DKIM keys result in validation failures.
  • Incorrect Key Length: The DKIM key is neither 1024 nor 2048 bits.
  • Incorrect Selector: An incorrect DKIM selector can lead to validation failures.

Key considerations

  • Cleaning Keys: Use a text editor to clean DKIM keys before pasting them into DNS to avoid introducing errors.
  • Review Tooling: Verify parameters and test other software used for key generation.
  • Review Encoding: Check encoding process to ensure no characters are corrupted during encoding/decoding.
  • Provider Limit: If exceeding character limits, split into multiple DNS records or move to a provider with higher limits.
  • Check DNS Timing: Wait 24-48 hours after adding/modifying DKIM records before troubleshooting.
  • Using DKIM Checker: Use online DKIM checkers to diagnose syntax errors and other issues.
  • Ensure Testing: Conduct regular testing by sending test emails to various providers and checking headers for proper signing.
  • Check Keys Active: Ensure the DKIM key is active and hasn't been intentionally revoked.
  • Syntax Check: Carefully review DNS records for typos, extra spaces, and syntax errors, ensuring compliance with the DNS provider's requirements.
  • OpenSSL Check: Upgrade OpenSSL or regenerate the key with a compatible version if version incompatibility is suspected between key generation and validation software.
  • Key Length: Verify the DKIM key length is 1024 or 2048 bits.
  • Selector Check: Ensure that the selector in the email headers matches the selector in the DNS record.
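A record checker that covers the base64, syntax, key-length and revocation points in the lists above, written as an added example for this page (it is not code from any of the quoted sources). It uses only the Python standard library; the rules it applies come from RFC 6376 (tag syntax, empty p= means revoked) and RFC 8301 (key sizes a verifier must accept). The sample records are constructed, and the sample key's modulus is a synthetic number, not a real RSA key; the DER layout it is wrapped in is the real one a k=rsa p= tag carries.

```python
"""Check a DKIM public-key TXT record for the defects listed above (added example, stdlib only)."""
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def parse_tags(record: str) -> dict:
    """Split a DKIM tag-list into an ordered {name: value} dict (RFC 6376 s3.2)."""
    tags = {}
    for part in filter(str.strip, record.split(";")):  # a trailing ';' is harmless
        if "=" not in part:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        name, value = (s.strip() for s in part.split("=", 1))  # split once: p= may end in '=' padding
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name) or name in tags:
            raise ValueError(f"invalid or duplicate tag name {name!r}")
        tags[name] = value
    return tags


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if len(buf) < pos + length:
        raise ValueError("DER structure truncated")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo that a k=rsa p= tag carries."""
    tag, body, end = _der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SubjectPublicKeyInfo SEQUENCE")
    alg_tag, alg, pos = _der_read(body, 0)
    oid_tag, oid, _ = _der_read(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("k=rsa but the key algorithm is not rsaEncryption")
    bs_tag, bitstring, _ = _der_read(body, pos)
    seq_tag, rsakey, _ = _der_read(bitstring[1:], 0)  # [0] is the unused-bits octet
    mod_tag, modulus, _ = _der_read(rsakey, 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    if bs_tag != 0x03 or bitstring[:1] != b"\x00" or seq_tag != 0x30 or mod_tag != 0x02:
        raise ValueError("RSAPublicKey structure malformed")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record: str) -> dict:
    """Inspect a _domainkey TXT value; report fatal problems, warnings and the key size."""
    r = {"ok": False, "problems": [], "warnings": [], "bits": None, "revoked": False}
    if len(record.encode()) > 255:  # DNS character-string limit; resolvers join the pieces
        r["warnings"].append("over 255 bytes: publish as several quoted strings in ONE TXT record")
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        r["problems"].append(str(exc))
        return r
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        r["problems"].append("v= must be the first tag and read exactly DKIM1")
    if tags.get("k", "rsa") != "rsa" or "p" not in tags:
        r["problems"].append("only k=rsa records with a p= tag are checked here")
        return r
    compact = re.sub(r"\s+", "", tags["p"])  # RFC 6376 lets folding whitespace split the base64
    if compact != tags["p"]:
        r["warnings"].append("whitespace inside p=: legal folding, but often a paste artefact")
    if compact == "":  # RFC 6376 s3.6.1: an empty p= means the key was revoked
        r["revoked"] = True
        r["warnings"].append("p= is empty: key revoked, signatures made with it fail")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        r["problems"].append("p= has characters outside the base64 alphabet")
    elif len(compact) % 4:
        r["problems"].append(f"p= is {len(compact)} chars; base64 length is always a multiple "
                             "of 4, so the key was truncated or lost its padding")
    else:
        try:
            r["bits"] = rsa_modulus_bits(base64.b64decode(compact, validate=True))
        except (binascii.Error, ValueError, IndexError) as exc:
            r["problems"].append(f"p= does not decode to an RSA public key: {exc}")
    if r["bits"] is not None and not 1024 <= r["bits"] <= 4096:
        r["problems"].append(f"{r['bits']}-bit key: RFC 8301 verifiers accept 1024 to 4096 bits")
    r["ok"] = not r["problems"]
    return r


def _der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:  # short-form length
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_rsa_spki(n: int, e: int) -> bytes:
    """Encode (n, e) as a SubjectPublicKeyInfo, i.e. what a k=rsa p= tag carries."""
    def uint(v): return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + _der_tlv(0x30, uint(n) + uint(e))))


# Constructed samples: the modulus is a synthetic 2048-bit odd number, NOT a real RSA key.
SAMPLE_P = base64.b64encode(make_rsa_spki((1 << 2047) | 0x1234_5679, 65537)).decode()
GOOD_RECORD = f"v=DKIM1; k=rsa; p={SAMPLE_P}"
TRUNCATED_RECORD = GOOD_RECORD[:-7]  # tail lost in the DNS provider's UI: odd-length base64
```

Call check_dkim_record() on the TXT value exactly as the DNS provider shows it; entries under problems are fatal, warnings are worth a look. A 2048-bit p= value is 392 base64 characters, so the 255-byte warning fires for every 2048-bit record: that is the point at which the key has to be published as several quoted strings inside one TXT record, which resolvers concatenate, and where a provider with a hard limit silently truncates it.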

What email marketers say
10 marketer opinions

Invalid RSA public key errors in DKIM records can stem from various sources, primarily related to key generation, DNS configuration, and key management. Key generation issues include using incorrect parameters or buggy software. DNS problems often arise from copy/paste errors, character limits, or DNS propagation delays. Key mismatches, revocation, or base64 encoding issues also contribute to validation failures. Regular testing, using online DKIM checkers, and verifying key length and syntax are crucial for resolving these errors.

Key opinions

  • Cut/Paste Errors: Copying and pasting DKIM records into DNS can introduce errors like extra spaces, line breaks, or incorrect characters.
  • Key Generation Issues: Invalid RSA public keys can result from incorrect parameters or buggy software used during key generation.
  • Base64 Encoding: Problems with base64 encoding can corrupt DKIM keys, leading to validation failures.
  • DNS Character Limits: Some DNS providers have character limits that can truncate DKIM keys, causing errors.
  • DNS Propagation Delays: DNS propagation delays can temporarily prevent DKIM records from being recognized.
  • Key Mismatches: Mismatches between the public key in DNS and the private key used to sign emails will cause DKIM to fail.
  • Key Revocation: Revoked or expired DKIM keys result in validation failures.

Key considerations

  • Careful Copy/Paste: Use a text editor to clean DKIM keys before pasting them into DNS to avoid introducing errors.
  • Key Generation Tool: Verify parameters and test other software used for generation.
  • Base64 Encoding Verification: Check the encoding process to ensure no characters are corrupted during encoding/decoding.
  • DNS Provider Limits: If exceeding character limits, split the key into multiple DNS records or move to a new provider with higher limits.
  • Propagation Waiting Period: Wait 24-48 hours after adding/modifying DKIM records before troubleshooting.
  • DKIM Checkers: Use online DKIM checkers to diagnose syntax errors and other issues.
  • Regular Testing: Conduct regular testing by sending test emails to various providers and checking headers for proper signing.
  • Active Key Status: Ensure the DKIM key is active and hasn't been intentionally revoked.
Marketer view

Email marketer from Reddit recommends careful copy/pasting of the DKIM record into DNS, because extra spaces, line breaks, or incorrect characters can easily be introduced. They advise using a text editor to clean up the key before pasting it into DNS.

October 2024 - Reddit
Marketer view

Email marketer from Stack Overflow suggests an invalid RSA public key can arise during the key generation process itself if the parameters are incorrect or if the software used for generation has bugs. They advise trying a different key generation tool or verifying the parameters used.

June 2021 - Stack Overflow
Marketer view

Email marketer from Server Fault explains key mismatches are where the public key in the DNS record doesn't match the private key used to sign emails. They suggest verifying you're using the correct key pair and that no modifications have occurred during key transfer.

November 2024 - Server Fault
Marketer view

Email marketer from MXToolbox recommends using online DKIM checkers to diagnose issues. These tools can identify syntax errors, key mismatches, and other common problems.

November 2021 - MXToolbox
Marketer view

Email marketer from Mailhardener advises that DNS propagation delays can cause temporary errors. They say waiting 24-48 hours after adding/modifying the DKIM record before troubleshooting can resolve the issue.

January 2024 - Mailhardener
Marketer view

Email marketer from Email Geeks shares experiences of DKIM cut/paste errors introducing line breaks or extra spaces from text editors or DNS providers, which can break the key.

January 2023 - Email Geeks
Marketer view

Email marketer from Super User suggests some DNS providers have character limits for TXT records. If the DKIM key exceeds this limit, it can be truncated, leading to errors. Solutions include splitting the key into multiple TXT records (if supported) or using a provider with higher limits.

June 2023 - Super User
Marketer view

Email marketer from Reddit shares that base64 encoding issues can result in invalid RSA keys. They advise checking the encoding process, ensuring no characters are corrupted during encoding/decoding and using a reliable base64 encoder.

August 2023 - Reddit
Marketer view

Email marketer from Email on Acid explains that regular testing is important to identify DKIM issues early. They recommend sending test emails to various email providers and checking the headers to confirm DKIM signing is working correctly.

January 2022 - Email on Acid
Marketer view

Email marketer from dmarcian says a revoked or expired DKIM key will cause validation failures. They suggest ensuring the key is active and hasn't been intentionally revoked.

August 2021 - dmarcian

What the experts say
3 expert opinions

Invalid RSA public key errors in DKIM records can be caused by malformed keys due to bad base64 decoding (often from truncation or corruption during DNS management insertion), incorrect key lengths (keys shorter than the standard 1024 or 2048 bits), or using the wrong selector (leading to validation failures). Troubleshooting involves verifying the key length and ensuring the correct selector is used.

Key opinions

  • Malformed Key: Bad base64 decoding can lead to a malformed key, often due to truncation or corruption during DNS insertion, with an odd number of characters in the DNS record.
  • Incorrect Key Length: Using a key length that is not 1024 bits or 2048 bits can cause the key to be rejected.
  • Incorrect Selector: An incorrect DKIM selector can lead to validation failures.

Key considerations

  • Check Base64 Encoding: Ensure the base64 encoding is correct and that the key hasn't been truncated or corrupted during insertion into DNS.
  • Verify Key Length: Confirm that the generated key length is either 1024 bits or 2048 bits.
  • Double-Check Selector: Ensure that the selector in the email headers matches the selector in the DNS record.
Expert view

Expert from Word to the Wise explains that an incorrect key length can be an issue for DKIM. Standard key sizes are 1024 bits or 2048 bits; anything shorter is typically rejected. They suggest checking if the key was generated with the correct length.

November 2023 - Word to the Wise
Expert view

Expert from Email Geeks suggests a bad base64 decode indicates the DKIM key is malformed, possibly truncated or corrupted during DNS management insertion, noting the key in DNS is an odd number of characters long.

October 2023 - Email Geeks
Expert view

Expert from Word to the Wise highlights that using an incorrect selector can cause validation failures. They advise double-checking that the selector used in your email headers matches the selector in your DNS record.

July 2023 - Word to the Wise

What the documentation says
5 technical articles

Invalid RSA public key errors in DKIM records often arise from incorrect DNS record syntax, including typos, extra spaces, or incorrect characters, violating the DKIM standard (RFC 6376). Incompatibility between OpenSSL versions used for key generation and validation, as well as canonicalization issues during signing and verification, can also lead to errors. Strict adherence to DNS syntax rules, consistent canonicalization, and ensuring OpenSSL compatibility are crucial for resolution.

Key findings

  • DNS Syntax Errors: Incorrect DNS record syntax, including extra spaces, typos, or incorrect characters, can lead to DKIM errors.
  • RFC 6376 Violations: Failure to adhere strictly to the DKIM standard (RFC 6376) regarding syntax and formatting of the public key record can cause parsing errors.
  • OpenSSL Incompatibility: Incompatibility between OpenSSL versions used for key generation and validation can result in errors.
  • Canonicalization Issues: Inconsistent canonicalization algorithms during signing and verification processes can trigger false negatives.

Key considerations

  • Review DNS Records: Carefully review DNS records for typos, extra spaces, and other syntax errors, ensuring compliance with the DNS provider's requirements.
  • Adhere to RFC 6376: Strictly adhere to the DKIM standard (RFC 6376) for the public key record's syntax, including correct use of semicolons and tag-value pairs.
  • Ensure OpenSSL Compatibility: Upgrade OpenSSL or regenerate the key with a compatible version if version incompatibility is suspected between key generation and validation software.
  • Consistent Canonicalization: Ensure consistent canonicalization algorithms are used during both the signing and verification processes to prevent false negatives.
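The canonicalization finding above is easiest to see with the two algorithms side by side. The following is an added example for this page, not code from any of the quoted sources: it implements the simple and relaxed header and body canonicalization of RFC 6376 section 3.4 and computes the bh= body hash the way an rsa-sha256 signer does. The message is constructed; the relaying MTA in the scenario re-folds a header line and strips trailing whitespace from the body, edits that relaxed canonicalization absorbs and simple does not. The same functions show why a verifier that applies a different c= algorithm than the signer computes a different hash and reports a false negative.

```python
"""RFC 6376 s3.4 canonicalization, simple vs relaxed (added example, not from the page)."""
import base64
import hashlib
import re


def canon_header(field: str, algorithm: str) -> str:
    """Canonicalize one header field (folded or not); the result is CRLF-terminated."""
    if algorithm == "simple":  # s3.4.1: the field is used byte for byte
        return field if field.endswith("\r\n") else field + "\r\n"
    name, value = field.split(":", 1)  # s3.4.2 relaxed
    value = re.sub(r"\r\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)      # collapse WSP runs to a single SP
    return name.strip().lower() + ":" + value.strip(" \t\r\n") + "\r\n"


def canon_body(body: str, algorithm: str) -> str:
    """Canonicalize the body (s3.4.3 simple, s3.4.4 relaxed)."""
    lines = body.split("\r\n")
    if algorithm == "relaxed":  # trailing WSP dropped, inner WSP runs collapsed
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # both algorithms ignore trailing empty lines
        lines.pop()
    if not lines:  # empty body: simple hashes a lone CRLF, relaxed hashes nothing
        return "\r\n" if algorithm == "simple" else ""
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body: str, algorithm: str) -> str:
    """The bh= value an rsa-sha256 signer publishes: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canon_body(body, algorithm).encode()).digest()
    return base64.b64encode(digest).decode()


def signed_header_bytes(fields, algorithm: str) -> bytes:
    """Bytes the signature hash covers for the h= fields, in the order h= lists them."""
    return "".join(canon_header(f, algorithm) for f in fields).encode()


# Constructed message as the signer saw it, and as a relaying MTA delivered it after
# re-folding the Subject line and stripping trailing whitespace from the body.
SENT_HEADERS = ["From: alice@example.com", "Subject: Quarterly report"]
RECV_HEADERS = ["From: alice@example.com", "Subject: Quarterly\r\n report"]
SENT_BODY = "Figures attached.  \r\n\r\n"
RECV_BODY = "Figures attached.\r\n"


def survives_relay(algorithm: str) -> bool:
    """True when the verifier recomputes the signer's exact bytes despite the relay's edits."""
    return (signed_header_bytes(SENT_HEADERS, algorithm) == signed_header_bytes(RECV_HEADERS, algorithm)
            and body_hash(SENT_BODY, algorithm) == body_hash(RECV_BODY, algorithm))


if __name__ == "__main__":
    for alg in ("simple", "relaxed"):
        print(f"c={alg}/{alg}: bh={body_hash(SENT_BODY, alg)} survives relay={survives_relay(alg)}")
```

Two things follow from running it. First, the signer's choice of c= decides whether ordinary transport edits break the signature, which is why relaxed/relaxed is the usual setting. Second, the bh= for the same body differs between simple and relaxed whenever the body carries trailing whitespace or extra blank lines, so a verifier must take the algorithm from the c= tag of the DKIM-Signature header rather than assume a default; the well-known bh= of an empty body, frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=, is the simple-canonicalization value (SHA-256 of a single CRLF).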
Technical article

Documentation from Google explains that strict adherence to DNS syntax rules is essential. For Google Workspace, they provide specific examples and guidelines for DKIM record formatting, which should be followed precisely.

November 2022 - Google
Technical article

Documentation from OpenSSL explains that if the version of OpenSSL used to generate the key is incompatible with the software validating it, errors can occur. Upgrading OpenSSL or regenerating the key with a compatible version is suggested.

February 2025 - OpenSSL
Technical article

Documentation from DKIM.org shares that canonicalisation issues between the signing and verification processes can trigger false negatives. Ensuring consistent canonicalisation algorithms are used is critical.

January 2023 - DKIM.org
Technical article

Documentation from ietf.org explains that the DKIM standard (RFC 6376) requires specific syntax for the public key record. Incorrect formatting, such as missing semicolons or incorrect tag-value pairs, will cause parsing errors. Strict adherence to the RFC is necessary.

June 2023 - ietf.org
Technical article

Documentation from Cloudflare explains that incorrect DNS record syntax, including extra spaces or incorrect characters, can lead to errors. They suggest carefully reviewing the record for typos and ensuring it matches the provider's requirements.

November 2023 - Cloudflare