
DKIM Record Not Concatenating Correctly in Route 53 for google._domainkey.stych.tv

0

Problem: The DKIM record for google._domainkey.stych.tv is configured as a TXT record in Route 53 and split into three segments as follows:

    "v=DKIM1; k=rsa; p=MIIBIjANB..." "tV46o74H9qb4MkgIlNvqtxZs..." "2872LrI3AHmlvbgLOmA4qGz..."

However, during DNS queries using tools like Google Admin Toolbox, MXToolbox, and AWS CLI, the order of the segments is being incorrectly served as:

    "2872LrI3AHmlvbg..."

    "v=DKIM1; k=rsa; p=..."

    "tV46o74H9qb4Mkg..."

Steps Taken:

Verified the DKIM record entry order in Route 53. It is configured in the correct order as shown above. Waited for DNS propagation (TTL is set to 300 seconds).

Flushed DNS caches and re-tested the query using:

    host -t TXT google._domainkey.stych.tv

Google Admin Toolbox

MXToolbox

The DNS responses still return the segments in the incorrect order, causing DKIM validation to fail.

Expected Behavior:

Route 53 should concatenate the segments in the correct order as configured, ensuring the v=DKIM1; k=rsa; p= segment is the first line, followed by the remaining key segments in order.

Request:

Could you please verify the TXT record processing for google._domainkey.stych.tv in Route 53? Is there a specific configuration step required to enforce the correct order for concatenation in Route 53? Are there any known issues with TXT record handling that might cause the segments to be served in the incorrect order?

asked a year ago, 300 views
3 Answers
0

The issue you're experiencing with the DKIM record for google._domainkey.stych.tv in Route 53 is not actually a problem with Route 53's configuration or handling of TXT records. The behavior you're observing is expected and doesn't impact the functionality of DKIM.

When a TXT record exceeds 255 characters, it needs to be split into multiple strings. DNS servers and clients are designed to handle these split TXT records correctly. The order in which these segments are returned in DNS queries is not guaranteed and can vary. This is normal behavior for DNS and is not specific to Route 53.

The important thing to understand is that when these TXT record segments are processed by email servers for DKIM verification, they are concatenated correctly regardless of the order in which they are received. The email servers are designed to handle multi-string TXT records and will reassemble them properly.

To address your specific questions:

  1. There's no need to verify the TXT record processing in Route 53 as it's functioning as expected.

  2. No specific configuration is required to enforce the order of concatenation in Route 53. The order of segments in DNS responses is not critical for DKIM functionality.

  3. This is not a known issue, but rather the standard behavior for split TXT records in DNS.

If you're experiencing DKIM validation failures, it's likely due to reasons other than the order of TXT record segments. You should verify that the entire DKIM key is correct and that there are no issues with your email configuration.

To ensure everything is set up correctly, you can use the AWS CLI to verify the DKIM settings for your domain in Amazon SES (if you're using SES for email). The 'verify-domain-dkim' command can be used to generate DKIM tokens, and 'set-identity-dkim-enabled' can be used to enable or disable DKIM signing for your domain.

Remember, even though the segments may appear in a different order in DNS queries, this should not cause DKIM validation to fail if the record is otherwise correctly configured.
Sources
How to set a DKIM record for a domain hosted within Route 53 when the mail server is not in AWS | AWS re:Post
verify-domain-dkim — AWS CLI 2.27.17 Command Reference
set-identity-dkim-enabled — AWS CLI 2.27.17 Command Reference

answered a year ago
0

Thank you. That is very helpful.

answered a year ago
0

I am experiencing an issue with DKIM authentication for the domain stych.tv. Details:

DKIM Record in Route 53:

I have correctly configured the DKIM record in AWS Route 53 as per the instructions from Google Admin. The DKIM record is split into three segments due to the 255-character limit per TXT segment in AWS:

First Segment:

    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9..."

Second Segment:

    "EiYQbgL8RIXri1tFhXWOO4r6eMoYU..."

Third Segment:

    "P4nYzqekcpLal+60bcFe5Ci..."

Verification and Comparison:

The concatenated record in Route 53 matches exactly with the DKIM key provided by Google Admin:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA15YivSIjdkcEhdRBpAG49dz/FYGopelvLCdWcGt1RUfiUeFmhqP08uc7Til/...

Issues and Errors:

Google Admin DKIM Authentication:

    Despite the record being accurately configured and confirmed via the AWS CLI and external DKIM validators, Google Admin still reports "Not Authenticating" for the DKIM setup.

MXToolbox Errors:

    Running a DKIM check using MXToolbox DKIM Lookup results in the following errors:

        Syntax Error: The tool reports a syntax error for the p= key, suggesting that the segments may not be concatenating as expected.

        Required Tag Not Found: The p= tag is flagged as missing, even though it is present in the record.

    This suggests that the TXT record is either:

        Not being concatenated correctly by the DNS resolver, or

        Not being interpreted correctly by MXToolbox and Google Admin.

Request:

Could you please verify if AWS Route 53 is handling the concatenation correctly for Google DKIM validation?

Is there a known issue with multi-segment TXT records in Route 53 affecting DKIM authentication specifically for Google Admin or MXToolbox?

Should the record be consolidated into two segments instead of three to ensure proper concatenation?

Thank you for your assistance in resolving this issue.

answered a year ago
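The string-concatenation rule described in the first answer, and the "Syntax Error" / "Required Tag Not Found" symptoms reported for the p= tag in the follow-up above, can be reproduced offline with the checker below. It is an added example written for this page, not code from AWS, Google or the asker. The key material is constructed filler bytes rather than a real RSA key (and not the stych.tv key), the 100-character split limit is chosen only so that a short sample still yields three strings, and the function names are the example's own.

```python
import base64
import binascii
import re

# Constructed sample key material: base64 of filler bytes, NOT a real RSA key
# and not the key from the question. 180 bytes -> 240 base64 chars, no padding.
FAKE_PUBKEY_B64 = base64.b64encode(b"constructed-not-a-real-rsa-key" * 6).decode()
DKIM_RDATA = "v=DKIM1; k=rsa; p=" + FAKE_PUBKEY_B64

TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")          # RFC 6376 tag-name
QUOTED_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # presentation-format strings


def split_rdata(text, limit=255):
    """Split TXT RDATA into <character-string>s of at most `limit` characters,
    as a zone editor does when a DKIM key exceeds the 255-byte string limit."""
    return [text[i:i + limit] for i in range(0, len(text), limit)]


def parse_presentation(line):
    """Extract the quoted strings from one presentation-format TXT RR,
    e.g. the value printed by dig/host or pasted into a Route 53 record."""
    return [s.replace('\\"', '"').replace("\\\\", "\\")
            for s in QUOTED_STRING_RE.findall(line)]


def join_strings(strings):
    # RFC 6376 s3.6.2.2: the strings of ONE TXT RR are concatenated in the
    # order they appear, with no intervening whitespace.
    return "".join(strings)


def parse_tag_list(text):
    """Parse a DKIM tag=value list. Returns (ordered tag names, tag dict, errors)."""
    names, tags, errors = [], {}, []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME_RE.match(name):
            errors.append(f"syntax error in tag {item[:20]!r}")
            continue
        if name in tags:
            errors.append(f"duplicate tag {name}")
        names.append(name)
        tags[name] = "".join(value.split())   # folding whitespace is not part of the value
    return names, tags, errors


def check_dkim_record(strings):
    """Validate the strings of one TXT RR as a DKIM key record.
    Returns (ok, errors, tags)."""
    names, tags, errors = parse_tag_list(join_strings(strings))
    if "v" in tags and (names[0] != "v" or tags["v"] != "DKIM1"):
        errors.append("v= must be the first tag and equal DKIM1")
    if "p" not in tags:
        errors.append("required tag p= not found")
    elif tags["p"] == "":
        errors.append("p= is empty (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error as exc:
            errors.append(f"p= is not valid base64 ({exc})")
    return not errors, errors, tags


def check_dkim_rrset(rrset):
    """rrset: the selector's TXT RRs, each given as its list of strings.
    RFC 6376 leaves the result undefined when a selector has more than one
    TXT RR, which is what a resolver sees if each quoted string was entered
    as a separate record instead of as one record with three strings."""
    if len(rrset) != 1:
        return False, [f"selector has {len(rrset)} TXT records; expected exactly one"], {}
    return check_dkim_record(rrset[0])


if __name__ == "__main__":
    parts = split_rdata(DKIM_RDATA, limit=100)
    print(check_dkim_record(parts))                   # ok: strings joined in order
    print(check_dkim_record(parts[2:] + parts[:2]))   # strings rotated: p= is truncated base64
    print(check_dkim_rrset([[p] for p in parts]))     # three separate RRs: undefined per RFC
```

Run as a script, the first call succeeds, the second fails with a p= base64 error (the strings were joined in the order received, so the key is cut in the middle), and the third fails because the selector has three TXT RRs. The distinction that matters operationally: in Route 53 each line of a TXT record's value becomes a separate resource record, whose order in the response is not fixed, while several quoted strings on the same line form a single record whose strings are served in the order entered; the checker's rrset function is the test for which of the two a resolver is actually seeing.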
