
Can I create a DKIM key using OpenSSL?


I created a private and public key using OpenSSL via the following commands:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

The questions are:

  • Is creating a DKIM key (private and public) using OpenSSL safe? Is OpenSSL the preferred tool for doing that?
  • Can I add the public.key to the domain's DNS records (TXT)?
  • Can I use private.key to set up DKIM signing using Nodemailer?

Please provide references in your answer.


If the answer to the above question is no, which other tool should I use to do that? Please provide the tool's commands that will generate the DKIM key (private and public).


Solution

  • Yes, you can, if your SMTP service allows you to provide an explicit key.

    Some mail services require that they generate the key pairs and you only get the public key, they keep the private key stashed to use when signing e-mail. If your service allows you to provide them with the private key, then you are golden.

    In fact, Amazon (AWS) requires you to do it this way if you are not using their "easy DKIM" methodology, so I've had to do this myself. Once you have generated those two files, you'll need to securely send the private key to your SMTP service, whatever that entails. Then you'll need to create the TXT record, containing the public portion of the key, for your DNS. It will look something like this:

    "v=DKIM1; k=rsa; t=y; "
    "n=AmazonSES DKIM public key valid 2020/6-2020/12; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRx3I1vkqUygvM4oxOz"
    "JUJfdV/QCvpqnOvtL2CuWuSgKcHH7CmVsb9MXGokHDXYRLgMyR8P2GD6peE"
    "CdBwBd2vb643rX6saCb7uirI/NcllRsahtfa2Ier6sF8wBhbkWJRmfVhlvT"
    "08BYW06MWS5uAkgdg7pFmpwbpTBkeMQMSLwIDAQAB"
    

    The name of the TXT record in your DNS will either be decided by your SMTP service or it will allow you to specify it (called the selector). This is a field that will be placed into the signature header to match that particular e-mail header to the proper TXT record name. The name should have something indicating the version of the key, or the date on which it was generated, since that name will change when you refresh your key. An example would be "June2020.AmazonSES" for the key above. In this case the TXT record name should be:

    June2020.AmazonSES._domainkey.example.com
    

    You should never give the private key to multiple SMTP services. Generate a unique key for each, so there will be at least one TXT record per service. This allows you to update just the one if it was hacked without compromising any of the other services you use.

    Also, use DMARC to get mail processors who get mail from you to send you error messages (to a mailbox you define in the _dmarc TXT record), so that you can decide when things are working well enough to take it out of test mode.