Route 53 doesn't allow adding DKIM keys because length is too long

Solution 1

See a similar issue in Route 53 forum:

Unfortunately the 255 character limit per string on TXT records is not a Route53 limit but rather one imposed by the DNS protocol itself. However, each TXT record can have multiple strings, each 255 characters long. You will need to split your DKIM into multiple strings for your TXT record. You can do this via the console by entering each string encapsulated in quotes, one string per line.

Important note: do not use "one string per line" as the instructions say; separate the strings with a single space, e.g. "foo" "bar", not "foo"\n"bar". Use DKIMValidator to check that the signature is being read correctly.

Solution 2

You can chop it up into chunks of quoted text with a max length of 255 per chunk. You don't have to make each chunk exact.

For example, if your value looks something like:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza bcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

You can chop it up at arbitrary places:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzab" "cdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

Note those are single spaces, not newlines, between each chunk!

Google's setup instructions, unsurprisingly, are terrible. I just wrote up a complete guide for how to do this on Route53.

Solution 3

DKIM on AWS Route53

You must split the DMARC record into 255-character parts. If you happen to host your DNS using AWS Route53, insert each part quoted with "..." into the record.

Do not use newlines to split the parts, because that would be separate TXT entries.

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

"v=DKIM1; k=rsa; p=ABC123longkeypart1" "ABC123longkeypart2"

Using Terraform and Route53

When using Terraform to provision your Route53 records, you must split the DKIM key into parts of at most 255 characters as well.

Since Terraform takes care of quoting the TXT entry, you only need to provide quotes between each part, like so: \"\".

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

resource "aws_route53_record" "some_domain_dkim" {
  zone_id = aws_route53_zone.some_domain.zone_id
  name    = "google._domainkey.some_domain.com."
  type    = "TXT"
  ttl     = 3600

  # The provider wraps each entry in quotes, so the escaped \"\" between the
  # parts becomes "...part1""...part2": one record made of two <=255-char strings.
  records = [
    "v=DKIM1; k=rsa; p=ABC123longkeypart1\"\"ABC123longkeypart2"
  ]
}

See also: https://www.terraform.io/docs/providers/aws/r/route53_record.html#records

Solution 4

You can simply select 1024 instead of 2048 and add this to Route 53 at the time of generating the TXT in Google Apps.

Solution 5

On AWS Route 53, create or edit the TXT record for DKIM and go for the "use wizard" option rather than the quick entry method. The record name should be default._domainkey.yourdomain.com (or apropos) and the record type TXT. You know all that already, but the sticky bit is 256-character records.

In the record value box, cut and paste "everything inside the parentheses" from the output of sudo cat /etc/opendkim/keys/yourdomain.com/default.txt.

Delete the quotes, place each quoted string on its own line unquoted, and hit the submit button.

Go back and edit it and you will see the quotes have been put in. These quoted strings are on three separate lines, causing multiple records rather than just one, so edit the record value and replace the newline character with a space instead (the word wrap will make it appear the same, but it is different in character when held in the zone record and, for reasons beyond me, it appears as a single record split into <256-char chunks rather than three separate records).

Thanks to Overbyrd above for pointing that out.

This is for quick and easy AWS entry, putting a little more context in case I myself or others need to dig for info on AWS Route 53 DNS TXT DKIM EC2 256-character opendkim long record issues.
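The splitting recipes above (chunking the value for the console or CLI in Solution 2, the \"\" trick for Terraform in Solution 3, and lifting the quoted strings out of opendkim's default.txt in Solution 5) and the newline-versus-space pitfall can all be exercised offline before touching the zone. The Python below is an added example, not code from any of the answers or from AWS; it uses only the standard library, a constructed fake key in place of a real one, and a constructed imitation of the opendkim default.txt layout (names such as FAKE_KEY and OPENDKIM_TXT are this example's own). It generates the Route 53 and Terraform forms, re-reads them the way the console does (one line per record), and then parses the record the way a DKIM verifier would, with the strings concatenated and no separator (RFC 6376, section 3.6.2.2), to show that the newline form leaves a truncated, unparseable key.

```python
"""Split a long DKIM key into Route 53-sized TXT strings and check the result.

Added example, not code from the answers above or from AWS. It relies on two
standards facts: a TXT <character-string> holds at most 255 bytes (RFC 1035),
and a DKIM verifier joins a record's strings with no separator (RFC 6376 3.6.2.2).
"""
import base64
import binascii
import re

MAX_STRING = 255  # RFC 1035 <character-string> limit, in bytes

# One quoted master-file string, allowing backslash escapes inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def split_txt(value: str, max_len: int = MAX_STRING) -> list[str]:
    """Chop a TXT value into chunks of at most max_len characters.
    DKIM records are plain ASCII tag=value lists, so one char is one byte
    and nothing inside needs escaping; anything else is rejected."""
    if not value.isascii() or '"' in value or "\\" in value:
        raise ValueError("expected a plain ASCII DKIM tag=value string")
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def route53_value(value: str) -> str:
    """What to paste into the Route 53 console or pass to the CLI: quoted
    chunks separated by a single SPACE, all on ONE line."""
    return " ".join(f'"{chunk}"' for chunk in split_txt(value))


def terraform_records_entry(value: str) -> str:
    """HCL string literal for aws_route53_record.records."""
    # The provider adds the outer quotes, so the chunks are joined with the
    # backslash-escaped pair \"\" and become "part1""part2" in the zone.
    return '"' + '\\"\\"'.join(split_txt(value)) + '"'


def bind_txt_to_value(bind_text: str) -> str:
    """Recover the logical value from a BIND-style record (e.g. the
    parenthesised multi-line default.txt written by opendkim-genkey):
    concatenate every quoted string and ignore the rest of the text."""
    return "".join(m.group(1) for m in _QUOTED.finditer(bind_text))


def route53_records(console_text: str) -> list[list[str]]:
    """Read text the way the Route 53 console does: each line is one record
    and each quoted string on that line is one <character-string>. A newline
    between chunks therefore produces two records, not one."""
    records = []
    for line in console_text.splitlines():
        strings = [m.group(1) for m in _QUOTED.finditer(line)]
        if strings:
            records.append(strings)
    return records


def verifier_view(strings: list[str]) -> str:
    """What a DKIM verifier parses: the strings joined with no separator."""
    return "".join(strings)


def check_dkim(record: str) -> tuple[bool, str]:
    """Parse the tag=value list and sanity-check the parts a verifier needs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return False, f"malformed tag: {part[:20]!r}"
        name, _, val = part.partition("=")
        tags[name.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but fixed if present
        return False, "v= tag is not DKIM1"
    if "p" not in tags:
        return False, "missing p= tag"
    if tags["p"] == "":
        return True, "key revoked (empty p=)"
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as exc:
        return False, f"p= is not valid base64 ({exc}); truncated key?"
    if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
        return False, "p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)"
    return True, f"ok: {len(der)}-byte {tags.get('k', 'rsa')} key"


# Constructed stand-in for a 2048-bit key: 400 base64 chars whose DER starts
# with the SEQUENCE tag. Not a real key.
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(40)).decode()
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + FAKE_KEY  # 418 chars: too long for one string

# Constructed imitation of opendkim-genkey's default.txt; only the shape matters.
OPENDKIM_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=' + FAKE_KEY[:200] + '"\n'
    '\t  "' + FAKE_KEY[200:] + '" )  ; ----- DKIM key default for example.com\n'
)

if __name__ == "__main__":
    print(route53_value(DKIM_VALUE))
    print(terraform_records_entry(DKIM_VALUE))
    good = route53_records(route53_value(DKIM_VALUE))
    print(len(good), "record(s):", check_dkim(verifier_view(good[0])))
    bad = "\n".join(f'"{c}"' for c in split_txt(DKIM_VALUE))  # the newline mistake
    broken = route53_records(bad)
    print(len(broken), "record(s):", check_dkim(verifier_view(broken[0])))
    print(check_dkim(bind_txt_to_value(OPENDKIM_TXT)))
```

Run as a script it prints the two pasteable forms, then "1 record(s)" with an ok verdict for the space-separated value and "2 record(s)" with a base64 failure for the newline-separated one, which is exactly the symptom the comments below report. Passing your own pasted text through route53_records() before saving is a cheap guard: anything other than a single record means there is a newline between the chunks.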


Author: Gasim

Updated on September 18, 2022

Comments

  • Gasim, almost 2 years ago:

    Here is how I enter the value for DKIM key:

    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"
    

    There are no new lines in this value (I specifically copy pasted and tested it in a text editor). But for some reason I keep getting TXT is too long error:

    TXTRDATATooLong encountered at "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"

    I really don't know what I should do to fix this issue.

    • Drifter104, over 8 years ago:
      Try removing the space after each ;
    • Raphaël Ponthieu, almost 8 years ago:
      I also have encountered this problem with AWS Route 53 DKIM ... did you resolve this? I find that Amazon AWS is poorly maintained ... just try to use their Q/A forum ... what a joke of an ancient, obsolete 15-year-old web UI.
    • ceejayoz, over 7 years ago:
      @ScottStensland As the accepted answer notes, this isn't AWS's fault, and there's a straightforward solution.
  • B. Shea, about 7 years ago:
    Also make sure 1 space is between each end/start quotation, not a newline/CR as AWS shows when you add TXT records; these are not separate records. Example: "p=sdfgkjhsdfg...." "sdklfjsdf....." < space between.
  • Nehal J Wani, about 7 years ago:
    Newline v/s space was the issue for me. Thanks @bshea
  • B. Shea, about 7 years ago:
    There is no reason to do this - if you want 2048 follow the selected answer. Connect the dkim record with quotes+single space between. It will work.
  • Alex Yurkowski, over 6 years ago:
    "Note those are single spaces, not newlines, between each chunk!" This was important for me, the reason it wasn't working. Worked immediately after switching, thanks!
  • Nikolay Tsenkov, about 5 years ago:
    This should be the accepted answer.
  • adam0101, about 5 years ago:
    Oddly enough, spaces worked for DKIM, however when adding my SPF value to an existing TXT record, I had to separate the quoted strings with line breaks, not spaces, before it would work in AWS Route 53.
  • JamesJJ, over 3 years ago:
    If useful, there is a terraform module that handles long DKIM records automatically here: github.com/brightbock/dns-dkim-tf
  • Robert Christ, over 2 years ago:
    @andy-ray - Your website was a HUGE help, but just a heads up, a lot of the images don't load because they're pointed at localhost : )