Questions around DKIM1

Hi friends,
I’m a little bit confused about the DKIM implementation, and reading this page it seems that it is possible to obtain the DKIM key using Letsencrypt.

Could you tell me if this is possible and, if so, how to implement the DNS DKIM using Letsencrypt?

many thanks

Davide

LE doesn’t generate keys. I have no idea what they are talking about. You don’t need and shouldn’t use a public CA for that. The mail server operator holds all the keys and signs all mails.

I’ve sent an e-mail to that blog suggesting that the information presented there is incorrect and should be updated to suggest a different way of generating DKIM keys.

Someone from the blog has replied saying that it was an editorial error and will be updated.

If you review the cryptography (keys and signing) section of the RFC:

https://tools.ietf.org/html/rfc6376#section-3.3

The cryptographic aspects in play are RSA keys of 1024+ bits, and SHA-1 and SHA-256 hashing.

You do not need a public CA to perform any of these functions. In fact, a public CA will never generate private keys for you (as it means they would be able to intercept or decrypt all your traffic). You can generate your own RSA key, and most crypto libraries like OpenSSL will do the signing for you.

Depending on your mail server it may generate keys for you automatically.

There is also a great list of the functionality provided by various servers and clients:

http://www.dkim.org/deploy/index.html

So you may just need to configure the right bit of the mail server. MDaemon, for example, does most of the heavy lifting for you.

Review the Wikipedia page as it’s quite good: http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Andrei

Thanks to all friends, and thanks to Andrei for your very useful suggestion :wink:

