DKIM / DMARC not working.

Greetings. I am very new to everything about domains and such things, so I will try to explain my problem as best as I can: I followed this guide in order to make mails outgoing from my VPS less of a threat to the outside world, but the DKIM/DMARC configuration didn't seem to work.

I have a TXT name: and the text value: v=DKIM1; k=rsa; p=keystring

However, in the DO Control Panel, in the "Zone file" area, I'm shown this:

1800 IN TXT v=DKIM1; k=rsa; p=keystring

I'm not sure it should be using the domain name twice, so I changed the TXT name to simply: mail._domainkey

That fixed the "Zone file" repetition. However, this website hasn't been able to validate the DKIM key in either of the two aforementioned ways, and always gives me the following error:

```
DNS query failed for '':NXDOMAIN
A public-key (p=) is required
```

What am I doing wrong, and how can I fix it?

As a side note, " is just an alias I used to keep my actual domain hidden. Additionally, I don't have any ports open other than a custom port for OpenVPN and another custom port for nginx, in case it needs an open port.

If you need more info, I will gladly provide it.

This is an old post, but it does show up in Google, so here goes. First of all, you discovered that Digital Ocean will append "" to the TXT name. As you noted, looking at the zone info will show this.

I’m assuming you generated your key with opendkim-genkey. There are guides online how to do that. I used the guide in the link above. It works mostly, but upper case is a problem in the txt name.

opendkim-genkey will make the key for you, but getting it into DNS is not as obvious as you think. Using the Digital Ocean DNS web page was a problem for me because cutting and pasting into the field in the browser didn't work. The p field is long and it causes the browser to choke. Extra line feeds get inserted and occasionally a character is lost. This is not a clipboard problem as far as I can tell.

Digital Ocean has an API that uses tokens. It looks awesome and deadly, so use the API with caution. The goal here is to use the token scheme to feed the dkim record directly to the DNS without using a browser.

First, get the token: Save the token on your PC, not on the Digital Ocean server. It is a crypto key and if it gets loose, life will be ugly, at least on your server.

At this point, I'm assuming you are running Linux or (gasp) BSD on your PC. Maybe this will work on OS X, but I never touch freedom-hating Apple gear. Since the token is kind of long, I made it an environment variable on my desktop. It can be temporary, and that is probably a good idea.

```
export TOKEN=4rpAcCDTLVNmrYBzuBix1tu0y5Ky9khK7dLq
```

Be sure obviously to use the value of your token, not my example. (My example may not even be the right length. I just pulled it from a password generator.)

I put the curl command below in a file to be run as a shell script. I used a few continuations, as indicated by the backslash at the end of some lines. However, the -d field needs to be one continuous line. This is no problem in vi. If you cut and paste the key, you may have to use the "J" operation in vi to join lines together. Use the down arrow when in vi to ensure the -d field is one line. Note the use of the backslash to insert the quote character. Also note that $TOKEN is used to indicate the value of the environment variable.

```sh
# The request URL was lost from the original post; this is the standard
# DigitalOcean v2 domain-records endpoint. Replace YOUR_DOMAIN with the zone.
curl -X POST "https://api.digitalocean.com/v2/domains/YOUR_DOMAIN/records" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"type\":\"TXT\",\"name\":\"selector._domainkey\",\"data\":\"v=DKIM1; k=rsa; p=FYEih79vgwDlFPYYparGQUKsc2pTSJqDzTH0dnCMdcWDqHdQWtlLwnKlI2XbxQ9\"}"
```

Your p field will be longer than this. (Again, I just used a random generator.) If the name of the file with the curl command is called foo, you simply

```
sh foo
```

You should get feedback regarding the record that was uploaded, but just log into the Digital Ocean DNS page to inspect the data. You can use “dig” as well to inspect the data. It will take some time for the DNS change to propagate.

By some miracle and lots of banging my head on the desk, I have managed to get opendkim working on virtual domains. The opendkim manual has the instructions. Look for the word “refile” in the manual if you want a simple way to store the keys.
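The manual join-in-vi step above is where characters get lost. Below is an added example (my own, not from the answer above and not DigitalOcean's code) of a small POSIX sh script that reads the multi-line .txt file opendkim-genkey writes, joins the quoted fragments into one TXT value, sanity-checks the p= tag, strips a pasted zone suffix from the record name so the panel does not double the domain, and only then builds the JSON body for the same records endpoint. It assumes two environment variables, TOKEN and DOMAIN, that you set yourself, a selector called "mail", and the standard endpoint https://api.digitalocean.com/v2/domains/$DOMAIN/records; the genkey file it writes is a constructed sample with a dummy key, not a real DKIM key.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes TOKEN and DOMAIN
# are set in the environment of the machine you run this on (your PC,
# not the mail server) and that the .txt file came from opendkim-genkey.

# Write a constructed sample of what opendkim-genkey emits to the path in
# $1. The p= value here is a short dummy string, not a real key.
write_sample_genkey_file() {
    cat > "$1" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0000"
          "1111AAAA" )  ; ----- DKIM key mail for example.com
EOF
}

# Join every quoted fragment into one string. DNS concatenates the
# fragments of a TXT RDATA, so the joined form is the record's real value.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Reject values a validator would refuse ("A public-key (p=) is required"):
# missing v=DKIM1, missing p=, or non-base64 junk in p=, which is exactly
# what a dropped or inserted character from a browser paste looks like.
dkim_check_value() {
    v="$1"
    case "$v" in v=DKIM1*) ;; *) return 1 ;; esac
    p=$(printf '%s' "$v" | sed -n 's/.*p=\([^;]*\).*/\1/p')
    [ -n "$p" ] || return 1
    printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    return 0
}

# Digital Ocean appends the zone to "name" itself. Strip a zone suffix
# (with or without trailing dot) that was pasted from the genkey file or
# the panel, so the record does not become selector._domainkey.zone.zone.
dkim_record_name() {
    name="${1%.}"
    name="${name%.$2}"
    printf '%s' "$name"
}

# JSON body for POST /v2/domains/$DOMAIN/records. $1 is the bare record
# label, $2 the joined TXT value (base64, spaces and ';' only, so no
# JSON escaping is needed).
dkim_json_payload() {
    printf '{"type":"TXT","name":"%s","data":"%s","ttl":1800}' "$1" "$2"
}

# Push the record straight from the file, then read the public answer back
# with dig. Needs TOKEN and DOMAIN; the selector is $1, the genkey file $2.
dkim_push_record() {
    selector="$1"; file="$2"
    value=$(dkim_txt_value "$file")
    dkim_check_value "$value" || { echo "bad DKIM value: $value" >&2; return 1; }
    name=$(dkim_record_name "$selector._domainkey" "$DOMAIN")
    curl -sS -X POST "https://api.digitalocean.com/v2/domains/$DOMAIN/records" \
        -H 'Content-Type: application/json' \
        -H "Authorization: Bearer $TOKEN" \
        -d "$(dkim_json_payload "$name" "$value")"
    dig +short TXT "$name.$DOMAIN"
}
```

Typical use is `DOMAIN=example.com TOKEN=... sh dkim-push.sh` with a last line of `dkim_push_record mail /etc/opendkim/keys/example.com/mail.txt`; the dig at the end is the same check as the validator website, and it will show nothing until the zone change has propagated.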


What is the actual domain, actual email headers and actual DKIM record?