Some issues for improvement in DomainKeys management

Hi

I would like to report some issues with Domain Keys, the fixing of which would make it easier to use them…

  1. DomainKey output should be reformatted to the format used in DNS

The key output is split over several lines and includes quotation marks, but in DNS you would not enter this; you would most likely have a text field (one line) and need to enter it all on one line, so we have to remove the quotation marks and line breaks.

For example, this is what is output:

email._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9DCqyaGheCKe" "3vEOeWnzWzwBE1L0L2YQB+cXazl2h/vOv2UZ9tuC8tHdmWbULfDWcv3glvXWNs2mkjh429e7JSu6hMUh" "TJJnqjpDLiJ5bJO0IPoPt3ZkHy45EJChSxwJ5vTGg63DQqzod2A0AXGq2JPVmAjizcDl08xEFFVpZLjU" "09mhdEjJYNc+MgcmsYY8DrtdrcmASgcF2TD8X5c+YD1yxqBOzCbafPLUwVKLVzcP4lMQUBsUWaLpbx1c" "6+ySFN5K91mFN4t1qupOJsx/WQVPWE1EOzCbafrYpZOzCbafPLUwVKLVzcP4Lcn5Vid3R2f+QOsMdZCG" "cTFeuxYJwIDAQAB" )

But this is the DNS TXT field for the DNS entry email._domainkey:

v=DKIM1;k=rsa; t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxaunxzjFBtKWi2T4tEww6bq3RHea5w0iXwJR8z6flSgXrRCPBmYCHQ9p0yXw7O+YTpe51jh8LhJAZq3Fc+WfubGrzI3ZBD8PyXi1R+KK8+P4gPRr9zp+0HJ8jn14X8kvh3LJ/P3f3Ou6BvLJrAf9YeppkcSVRSDx/SVNrcciHDo/fLN2LgLolhnEd+P6CKE+ctrhbbBo4q3KUJ2Tf0hWgxrtJwScyA3sFXVMIUveTrzpg3CUJM7V0mAGB9GyKmLYmeBDSQ2qkHHJcsB/76DgG7ZkXn0kCqM5j+Tn2P/JGFthzauzjIHGhDBAIe07r2VHyenUC6tfqOuQJl4AzGiqHQIDAQAB

So it would be great if Virtualmin could output the correct format so we can just copy and paste with no manual re-formatting.

  2. Domain Based DomainKeys still need management in “DomainKeys Identified Mail”

If I go to Server Configuration -> DomainKey Options and choose “Generate New Key” so as not to use the global one, then click Save, it says “Using custom DKIM key … done”. BUT when I go back into “DomainKey Options” it reverts to “Use global default key” and does not show me the custom key.

In order to get the custom key I still have to add the domain to the global DomainKey in “Email Messages -> DomainKeys Identified Mail”. Once I have done that, using Server Configuration -> DomainKey Options to generate a new key does save it OK.

It would be good if we did not have to add the domain to the global key to use a custom one, but if we do have to do that, then it would be good if generating a new custom key in “DomainKey Options” automatically configured the global aspect for us, so we don't have to manage it in two places.

Thanks!

  1. BIND will actually combine multiple quoted strings into one in a TXT record, so there is no difference between the two formats. And actually in many cases it is mandatory to split the record, as BIND cannot read text lines longer than 256 characters (I think).

  2. That sounds like a bug - which Linux distribution and version are you running there?
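The two formats discussed above are the same record in two notations. A TXT RDATA is a sequence of RFC 1035 character-strings, each at most 255 octets, which is why a 2048-bit DKIM key cannot be written as one quoted string in a zone file, while DKIM verifiers (RFC 6376) concatenate the strings before reading the tag list, so a provider's single-line text field takes the joined value. The following script is an added example for this thread, not Virtualmin code: it joins the quoted strings of the zone-file form into the single value to paste into a DNS provider's form, splits a value back into 255-octet strings, and checks that the p= tag still decodes to one complete DER SubjectPublicKeyInfo, which catches a chunk lost during manual copy-and-paste. The zone line is the one printed in the first post, embedded here as test data with the line breaks restored; the function names are my own.

```python
"""Convert a DKIM TXT record between BIND zone-file syntax and the single
value a DNS provider's web form expects, and sanity-check the key.

Added example for this thread, not Virtualmin code. The zone line below is
the one printed in the first post, embedded here as constructed test data.
"""
import base64
import re

# Constructed input: the DomainKey output quoted in the thread, written the
# way BIND would have it, one quoted string per line inside parentheses.
SAMPLE_ZONE_LINE = (
    'email._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9DCqyaGheCKe"\n'
    '  "3vEOeWnzWzwBE1L0L2YQB+cXazl2h/vOv2UZ9tuC8tHdmWbULfDWcv3glvXWNs2mkjh429e7JSu6hMUh"\n'
    '  "TJJnqjpDLiJ5bJO0IPoPt3ZkHy45EJChSxwJ5vTGg63DQqzod2A0AXGq2JPVmAjizcDl08xEFFVpZLjU"\n'
    '  "09mhdEjJYNc+MgcmsYY8DrtdrcmASgcF2TD8X5c+YD1yxqBOzCbafPLUwVKLVzcP4lMQUBsUWaLpbx1c"\n'
    '  "6+ySFN5K91mFN4t1qupOJsx/WQVPWE1EOzCbafrYpZOzCbafPLUwVKLVzcP4Lcn5Vid3R2f+QOsMdZCG"\n'
    '  "cTFeuxYJwIDAQAB" )'
)

# One RFC 1035 <character-string>: quoted text with \" \\ and \DDD escapes.
_QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"', re.S)
_ESCAPE = re.compile(r'\\(\d{3}|.)', re.S)


def txt_chunks(rdata: str) -> list:
    """Return the unescaped <character-string>s of a TXT RDATA, in order."""
    def unescape(m):
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 else tok   # \DDD is a decimal octet
    return [_ESCAPE.sub(unescape, m.group(1)) for m in _QUOTED.finditer(rdata)]


def bind_txt_to_value(rdata: str) -> str:
    """Join the quoted strings into the one value a provider's TXT field takes.

    Accepts the text after 'IN TXT', with or without parentheses/newlines.
    DKIM verifiers concatenate the strings (RFC 6376), so nothing is lost.
    """
    chunks = txt_chunks(rdata)
    if not chunks:
        raise ValueError("no quoted strings found in TXT RDATA")
    return "".join(chunks)


def value_to_bind_txt(value: str, max_len: int = 255) -> str:
    """Split a value into <=255-octet quoted strings for a BIND zone file."""
    if not value.isascii():   # DKIM records are ASCII; keeps octet == char
        raise ValueError("non-ASCII TXT values are out of scope here")
    chunks = [value[i:i + max_len] for i in range(0, len(value), max_len)] or [""]
    quoted = ['"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks]
    return quoted[0] if len(quoted) == 1 else "( " + "\n  ".join(quoted) + " )"


def split_bind_txt_line(line: str):
    """Return (owner, joined value) for a zone line like 'name [TTL] [IN] TXT ...'."""
    m = re.match(r'\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)', line, re.S | re.I)
    if not m:
        raise ValueError("not a TXT record line")
    return m.group(1), bind_txt_to_value(m.group(2))


def parse_dkim_tags(value: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a dict (RFC 6376 tag=value list)."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = "".join(val.split())   # whitespace inside values is ignored
    return tags


def spki_der(p_b64: str) -> bytes:
    """Decode p= and check it is exactly one DER SEQUENCE (SubjectPublicKeyInfo).

    A key truncated or missing a chunk after hand-joining the quoted strings
    fails here because the outer DER length no longer matches the data.
    """
    der = base64.b64decode(p_b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("p= does not start with a DER SEQUENCE")
    if der[1] == 0x82:                       # 2048/4096-bit RSA: 2-byte length
        body_len, hdr = int.from_bytes(der[2:4], "big"), 4
    elif der[1] == 0x81:                     # 1024-bit RSA: 1-byte length
        body_len, hdr = der[2], 3
    else:
        raise ValueError("unexpected DER length encoding")
    if body_len + hdr != len(der):
        raise ValueError(f"DER says {body_len + hdr} bytes, got {len(der)}: key truncated?")
    return der


if __name__ == "__main__":
    owner, value = split_bind_txt_line(SAMPLE_ZONE_LINE)
    print(f"{owner}: {value}")                         # paste this into the provider's form
    tags = parse_dkim_tags(value)
    print(f"SubjectPublicKeyInfo: {len(spki_der(tags['p']))} bytes")
    print(value_to_bind_txt(value))                    # and back to zone-file form
```

Running it prints the joined one-line value for `email._domainkey`, reports the decoded key as 294 bytes (the size of a 2048-bit RSA SubjectPublicKeyInfo), and re-emits the value as two quoted strings of at most 255 octets. Dropping even one chunk of the p= value before pasting makes `spki_der` raise, which is the check to run before publishing a hand-assembled record.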

Hi

  1. I’m not using BIND; I prefer to keep DNS off the web server, so I just add the record at my DNS providers, all of which have a text field.

  2. CentOS 6.5

Thanks

So if you aren’t using BIND, how do the DKIM records get to your DNS server? Do you just copy and paste them across?

Yes, we manually manage DNS. Not all DNS points to the same web server, so we’d have to manually update records whatever we use. Depending on our domains we would use either LCN (the domain registration company) for DNS, or Linode’s or Rackspace’s free DNS Manager, or customers’ own registration companies (123Reg, Namecheap, GoDaddy, Fasthosts, 1and1 etc.). They all have text fields for DNS entries. We used to use PointHQ but they were always going down due to DoS attacks.

I have been a web developer for many years and have decided that using the web server as its own nameserver is not very good. I can’t think of any advantage, only disadvantages. Here are some (off-topic, sorry) details of why we think third party DNS is preferable to BIND on the web server…

  1. Many domains have different A records for different servers (email, web, others), so if the web server goes down for some reason, everything goes down.

  2. It is VERY common for DNS servers to go down, even briefly, like 5 minutes. I have website monitoring tools that often alert me to customers’ sites going down due to the nameservers not responding for whatever reason (thankfully not the DNS providers we use, mostly budget hosting companies like 123Reg and the others I list above). So the more DNS servers the merrier; Linode has 5.

  3. I consider Rackspace and Linode, and even SOME domain company nameservers, more reliable than our web server (which is of course still reliable).

  4. These companies would also have multiple DNS servers, whereas we only have 1 web server.

  5. Even a web server restart would mean their email goes down even though it’s on another server, as the MX DNS records are not available.

  6. Using the web server as a nameserver ties the domain to the web server… moving websites to new servers, which we do often, is easier by just updating a couple of A records than by changing entire nameservers.

  7. We’ve had a company name change (and so a domain name change) a couple of times; it means we have to keep renewing our old domains as customers use them for custom nameservers, and it’s a real pain. I want to be shot of custom nameservers.

  8. We want our web servers to only use resources for web, and to have good performing web servers. So we moved mail off to a new server, for example (spam and virus scanning was eating too much RAM and CPU and slowing websites down), and similarly turning off BIND would free up some resources.

There are probably more reasons why not using the web server as a nameserver is better.

Hope that explains why we don’t use BIND and prefer to use dedicated nameservers and third party DNS Managers.

Most of those issues can be addressed by running a secondary DNS server though, or even a hidden primary NS so that the Virtualmin system gets no DNS lookup load.

That said, Virtualmin will work just fine in the case where DNS serving is hosted separately. However, the format of the TXT record is the way it is currently (split across multiple lines) for a good reason, which is a limitation of BIND :(

Ok then, thanks.

For what we do, which is host customers’ websites (manually set up by ourselves), there’s not much point getting involved in hosting our own multiple DNS servers when registration companies or Linode/Rackspace offer it. All that extra work and server management for no additional benefit to us, I don’t think.

Be interested to know if the second point is a bug or meant to be like that though.

Thanks

The TXT records are meant to be split like that, as they are needed for BIND to read the zone file properly. So I don’t consider it a bug …

Not the split record. Point 2 about having to add the domain to the global key in order to get the custom one to work.

So in this case, did the domain you were adding the custom DKIM key for have DNS and email enabled in Virtualmin?

Email yes, but we do not use BIND so DNS is not enabled. Custom and global DKIM still work; I just have this issue creating them.