DKIM field only 512 chars; need the instructions for using tokens to fill the field

I’ve attempted to fill the TXT field in my DNS for the DKIM key. I’m getting a message that the field can only be 512 characters. These days you need a 2048 key. (1024 uses to be good enough) Anyway, there is a procedure to use tokens to fill in DNS fields in order to get around the problem. I was given this once by tech support and neglected to save it. I found a link for web page for the procedure, but apparently Sammy the Whale ate the page.

So I need the procedure to file a TXT field in DNS using a token. My recollection is you used curl from your server to do this, or maybe your PC.


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Hello there,

First, make sure that you can use a 2048 key without the need of splitting it in half in order to take effect. Usually, your DNS provider can help you if you reach out to their support.

Once created you can use a DKIM checker tool like the one provided from mxtoolbox and check whether the generated key is valid.

Hope that this helps! Regards, Alex

Note this only works for 2048 bits and obviously smaller. Are you trying to do 4096 bits? Otherwise everything looks OK.

At the moment, 2048 is considered adequate. That said, Digital Ocean needs to come up with a better scheme to enter the DKIM field. You can’t cut and paste using any browser I have. This API is the only thing that works, and even then you can’t do 4096 bits.


I have tried to run the following:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer MY_API_KEY" -d '{"type":"TXT","name":"default._domainkey","data":"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFxxxxAQ8AMIIBCgKCAQEA878VxxxxtiPjkstRU+yUjwo1yMfn/wkEUt/sHOpYdhDGxrLULnGDyHdx/xxxfF7qikvCbcwkc3Ok5xxxx+9MIFmNDSQr3W6wzdrp9u8vqxxxDVmNRcdPiZkGTO4V6uuUDPICfkUcjWBOs+gyKAe6kn/ZsLVSVDLA+xxxSZoLLHEe7bBs2zn1S1i+texxxQs+tsISt442RxxxgAQ8glVKM0ETlw4z5SO9qYChmavLx2FZvPdG/T2KwzVQzQ6kd9XdaAjsOYrdmPLGciyG6+Uh6B0or0z5snTWq+FQTzetJUKs3faG51IL6RbbGvoiU0oI5KfGu/+SDMgOV6Pnlv17QIDAQAB\;","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' ""

This returned the error:

{"id":"bad_request","message":"Your request body was malformed."}

I have replaced some characters in the DKIM record with x’s (and my api key with MY_API_KEY)

If someone could assist me, I would really appreciate that!

I have deleted the original record, in case that was causing an error somehow.


Does not work :-(

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer MY_TOKEN_HERE" -d '{"type":"TXT","name":"abcd-efgh-2211775533-4455._domainkey","data":"v=DKIM1; r=postmaster; g=*; k=rsa; p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","priority":null,"port":null,"ttl":3600,"weight":null,"flags":null,"tag":null}' ""

Response is:

{"id":"unprocessable_entity","message":"Data is too long (maximum is 512 characters)"}

(as in DNS Manager in web browser).

I’m trying to move from ISC BIND (which is working fine with the same public keys length).

I spent a while hacking on this and figured out the tricks. Hopefully this will save the next person an hour or two of head banging.

First, get a token from Digital Ocean. Go to your control panel. Click on API. Turns out my old token was still there. Anyway, generate a new token. You need to save this on your local PC, not your droplet. (Technically save it where you will be running curl, which probably is your local PC.) You can always go back to the control panel and regenerate the token by clicking on edit and following instructions.

The instructions to edit a DNS are found here: DNS API instructions

Note there is a curl example at the right side of the page. However it is not for entering the dkim parameter. What I did is read the instructions and changed the example for entering the dkim parameter. But there is a catch. The p parameter of the dkim public will run over several lines. If you used opendkim-genkey, there will be continuations and such. In theory you could use them as is, but I couldn’t get the api to work. What I suggest is using an editor (vi nano etc) to create a file containing the curl command and run it using sh. I called mine feed_dkim. Here is a sanitized version of the file. (fake key, domain, etc.) What you want to make sure is your quoted fields look like mine, that is no nested quotes. The output of opendkim-genkey will add quotes that you don’t need.

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer tokengoeshere" -d '{"type":"TXT","name":"default._domainkey","data":"v=DKIM1; k=rsa; s=email; p=nPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxHnPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxHnPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxH","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' "" 

Things to change:

  1. Replace tokengoeshere with your token 2)The field after “name” is your key selector. I’m using tables, so I left it as default. (This depends on your opendkim setup.)
  2. The field after “data” is your key. The p field is the long one. If you see slashes in your generated key, those are continuations. You need to delete them, basically getting the p field to be one long string
  3. Change to whatever your domain is.

I used vi to create the feed_dkim file. You should verify the file is one long line. Use the up/down arrow keys. If you have multiple lines, control J will join them.

On your PC: sh feed_dkim

and hope for the best. There will be an error message if it bombs. You can go to your control panel and look at the results.

Since this is a DNS field, you will have to wait for DNS propagation. Once the field propagates, use this website to test your dkim. dkim validator