64

Here is how I enter the value for DKIM key:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"

There are no new lines in this value (I specifically copy pasted and tested it in a text editor). But for some reason I keep getting TXT is too long error:

TXTRDATATooLong encountered at "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwztXzIUqic95qSESmnqX U5v4W4ENbciFWyBkymsmmSNOhLlEtzp/mnyhf50ApwCTGLK9U7goo/ijX/wr5roy XhReVrvcqtIo3+63a1Et58C1J2o4xCvp0K2/lM6hla4B9jSph7QzjYdtWlOJqLRs o0nzcut7DSq/xYcVqvrFDNbutCfG//0wcRVUtGEyLX/a/7mAAkW6H8UEYMPglQ9c eEDfTT6pzIlqaK9cHGOsSCg4r0N8YxnHFMRzKaZwmudaXTorSbCs7e681g125/vJ e82VV7DE0uvKW/jquZYtgMn7+0rm+2FDYcDx/7lzoByl91rx37MAJaUx/2JHi1EA nwIDAQAB"

I really don't know what I should do to fix this issue.

Gasim
  • Try removing the space after each ; – Drifter104 Mar 15 '16 at 10:14
  • I also have encountered this problem with AWS route 53 DKIM ... did you resolve this ? I find that Amazon AWS is poorly maintained ... just try to use their Q/A Forum ... what a joke of ancient obsolete 15 year old web UI – Scott Stensland Oct 03 '16 at 21:58
  • @ScottStensland As the accepted answer notes, this isn't AWS's fault, and there's a straightforward solution. – ceejayoz Oct 22 '16 at 17:32

6 Answers

84

See a similar issue in Route 53 forum:

Unfortunately the 255 character limit per string on TXT records is not a Route53 limit but rather one imposed by the DNS protocol itself. However, each TXT record can have multiple strings, each 255 characters long. You will need to split your DKIM into multiple strings for your TXT record. You can do this via the console by entering each string encapsulated in quotes, one string per line.

Important note: Do not use "one string per line" as the instructions say -- separate strings with a single space, eg. "foo" "bar" not "foo"\n"bar". Use DKIMValidator to validate the signature is being read correctly.

Andrew Schulman
Evgeny Goldin
  • 16
    Also make sure 1 space is between each end/start quotation - not a newline/cr as AWS shows when you add TXT records - these are not separate records.. Example: `"p=sdfgkjhsdfg...." "sdklfjsdf....."` < space between. – B. Shea May 21 '17 at 17:01
  • 6
    Newline v/s space was the issue for me. Thanks @bshea – Nehal J Wani Jun 01 '17 at 06:15
67

You can chop it up into chunks of quoted text with a max length of 255 per chunk. You don't have to make each chunk exact.

For example, if your value looks something like:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

You can chop it up at arbitrary places:

"v=DKIM1; k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzab" "cdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabc"

Note those are single spaces, not newlines, between each chunk!

Google's setup instructions, unsurprisingly, are terrible. I just wrote up a complete guide for how to do this on Route53.

Andy Ray
  • 3
    "Note those are single spaces, not newlines, between each chunk!" This was important for me, reason it wasn't working. Worked immediately after switching, thanks! – Alex Yurkowski Jan 03 '18 at 15:49
  • 1
    This should be the accepted answer. – Nikolay Tsenkov Apr 24 '19 at 15:29
  • Oddly enough, spaces worked for DKIM, however when adding my SPF value to an existing TXT record, I had to separate the quoted strings with line breaks, not spaces, before it would work in AWS Route 53. – adam0101 Jun 13 '19 at 19:14
  • @andy-ray - Your website was a HUGE help, but just a heads up, a lot of the images don't load because they're pointed at localhost : ) – Robert Christ Dec 01 '21 at 01:28
22

DKIM on AWS Route53

You must split the DMARC record into 255 character parts. If you happen to host your DNS using AWS Route53, insert each part quoted with "..." into the record.

Do not use newlines to split the parts, because that would be separate TXT entries.

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

"v=DKIM1; k=rsa; p=ABC123longkeypart1" "ABC123longkeypart2"

Using Terraform and Route53

When using Terraform to provision your Route53 records, you must split the DKIM-key into 255 max character parts as well.

Since Terraform takes care of quoting the TXT-entry, you must only provide quotes between each part, like so \"\".

v=DKIM1; k=rsa; p=ABC123longkeypart1ABC123longkeypart2

becomes

resource "aws_route53_record" "some_domain_dkim" {
  zone_id = "${aws_route53_zone.some_domain.zone_id}"
  name    = "google._domainkey.some_domain.com."
  type    = "TXT"
  ttl     = "3600"

  records = [
    "v=DKIM1; k=rsa; p=ABC123longkeypart1\"\"ABC123longkeypart2"
  ]
}

See also: https://www.terraform.io/docs/providers/aws/r/route53_record.html#records

Overbryd
  • If useful, there is a terraform module that handles long DKIM records automatically here: https://github.com/brightbock/dns-dkim-tf – JamesJJ Mar 18 '21 at 02:44
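
The splitting rule from the answers above (strings of at most 255 characters, joined by a single space in the Route 53 console or by `\"\"` in Terraform), as an added Python example that is not code from any of the posts. The function names, the sample key (a constructed placeholder, not a real key) and the line-by-line model of the console are assumptions of this example.

```python
import base64
import re
MAX_TXT_STRING = 255  # DNS limit for one character-string inside a TXT record

def normalize(value):
    # Drop outer quotes and any whitespace pasted into the base64 p= tag.
    out = []
    for tag in value.strip().strip('"').split(";"):
        name, _, data = (s.strip() for s in tag.partition("="))
        if name:
            out.append(name + "=" + (re.sub(r"\s+", "", data) if name == "p" else data))
    return "; ".join(out)

def chunk(value, size=MAX_TXT_STRING):
    if not 1 <= size <= MAX_TXT_STRING:
        raise ValueError("chunk size must be between 1 and 255")
    return [value[i:i + size] for i in range(0, len(value), size)]

def route53_value(chunks):
    # Console form: quoted strings joined by ONE space, never a newline.
    return " ".join(f'"{c}"' for c in chunks)

def terraform_literal(chunks):
    # HCL form from the Terraform answer: the provider adds the outer quotes.
    return '"' + '\\"\\"'.join(chunks) + '"'

def parse_console_value(value):
    # Assumed model of the behaviour the answers describe: every line is a
    # separate TXT record; quoted strings on one line are concatenated.
    records = []
    for line in value.splitlines():
        parts = re.findall(r'"([^"]*)"', line)
        if any(len(p) > MAX_TXT_STRING for p in parts):
            raise ValueError("TXT string longer than 255 characters")
        if parts:
            records.append("".join(parts))
    return records

def public_key_der(record):
    tags = dict(t.strip().partition("=")[::2] for t in record.split(";") if t.strip())
    return base64.b64decode(tags["p"], validate=True)  # raises if the key was mangled

# Constructed placeholder (294 bytes, the DER size of a 2048-bit RSA public key), not a
# real key; a space every 64 characters imitates the value pasted in the question.
B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE = "v=DKIM1; k=rsa; p=" + " ".join(B64[i:i + 64] for i in range(0, len(B64), 64))

if __name__ == "__main__":
    print(route53_value(chunk(normalize(SAMPLE))))
```

Running `parse_console_value` on the text you are about to paste shows whether it yields one record whose `p=` tag still decodes, or several broken ones.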
5

You can simply select 1024 instead of 2048 and add this to Route 53 at the time of generating the TXT in Google Apps.

Basil Abbas
  • 7
    There is no reason to do this - if you want 2048 follow the selected answer. Connect the dkim record with quotes+single space between. It will work. – B. Shea Jun 01 '17 at 14:31
2

On Amazon Lightsail, I had to enclose the separated texts in additional quotes, such that:

"v=DKIM1;k=rsa; p=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"

Becomes:

""v=DKIM1;k=rsa; p=abcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyz""
Emamuzo
1

On AWS Route 53, create or edit the TXT record for DKIM and go for the "use wizard" option rather than the quick entry method. The record name should be default._domainkey.yourdomain.com (or apropos) and the record type TXT. You know all that already but the sticky bit is 256 character records.

In the record value box cut n paste "everything inside the parenthesis" output from sudo cat /etc/opendkim/keys/yourdomain.com/default.txt

Delete the quotes and place each quoted string in its own line unquoted and hit the submit button.

Go back and edit it and you will see the quotes have been put in. These quoted strings in quotes are on three separate lines, causing multiple records rather than just one, so edit the record value and replace the newline character with a space instead (the word wrap will make it appear the same, but it is different in character when held in the zone record and, for reasons beyond me, it appears as a single record split into <256 char chunks rather than three separate records).

Thanks to Overbryd above for pointing that out.

This is for quick n easy AWS entry, putting a little more context in case I myself or others need to dig for info on AWS Route 53 DNS TXT DKIM EC2 256 character opendkim issues long record issues.