We've recently been having some email delivery issues, so I find myself taking my first dive into the email server set-up world to make sure our emails are arriving as expected.
I ran mail-tester a few days back and it told me to add this DMARC entry:
v=DMARC1; p=none
I did so and now I'm getting this verification failure:
Your message failed the DMARC verification
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.
The DMARC test failed but we didn't find any obvious reason why. If you recently modified your DNS, please wait a few hours and then test again.
DMARC DNS entry found for the domain _dmarc.example.com:
"v=DMARC1; p=none"
Verification details:
mail-tester.com; dkim=policy reason="signing key too small" (768-bit key; unprotected) header.d=example.com header.i=@example.com header.b=________; dkim-atps=neutral
mail-tester.com; dmarc=none header.from=example.com
mail-tester.com; dkim=policy reason="signing key too small" (768-bit key; unprotected) header.d=example.com header.i=@example.com header.b=________; dkim-atps=neutral
From Domain: example.com
DKIM Domain: example.com
Per this article, the header.b= tag "contains the first 8 bytes of the signature data", so I blanked out that data with ________. Not sure if that's necessary or not, but figured I'd err on the side of caution.
From the above, the only issue to fix that I can see is the "signing key too small" problem. I found two other DMARC failure questions without "any obvious reason why" like my own (see here and here), but neither of them included the "signing key too small" issue, so they don't appear to be on point.
Per this question, it seems the way to solve that is to use a 1024- or 2048-bit key, but I'm using Hostmonster and can't seem to find any way to do so. This question seems to cover a similar issue in an Exchange environment, but I'm not in an Exchange environment and not sure how to adapt that to my situation.
So how do you update to a 1024- or 2048-bit signing key? If this is done using TXT records in the DNS manager, how do you generate the keys?
Additionally, if there's some other obvious issue I'm missing here, please let me know; as noted above, I'm new at this.
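
An added example, not part of the original question: one way to generate a 2048-bit DKIM key pair with OpenSSL and print the matching TXT record, split into strings of at most 255 characters because a 2048-bit public key does not fit in a single TXT string. It assumes OpenSSL is installed and that the private key can be installed in whatever signs the outgoing mail; the selector `mail2024` in the usage line is a placeholder, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: generate a DKIM RSA key pair and print its DNS TXT record.
# Usage (selector "mail2024" is a placeholder): sh dkim-keygen.sh mail2024 example.com [bits]

# gen_dkim_key DIR BITS: write the private key to DIR/dkim.private, readable by owner only.
gen_dkim_key() {
    ( umask 077 && openssl genrsa -out "$1/dkim.private" "$2" 2>/dev/null )
}

# dkim_key_bits DIR: print the modulus size in bits, to confirm what was generated.
dkim_key_bits() {
    openssl rsa -in "$1/dkim.private" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# dkim_pubkey_b64 DIR: public key as single-line base64 of the DER encoding,
# which is the form the p= tag of a DKIM record carries.
dkim_pubkey_b64() {
    openssl rsa -in "$1/dkim.private" -pubout -outform DER 2>/dev/null |
        openssl base64 -A
}

# dkim_txt_value DIR: TXT record data as quoted strings of at most 255 characters.
# Resolvers concatenate the strings, so the split point does not matter.
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(dkim_pubkey_b64 "$1")" |
        fold -w 255 | sed 's/.*/"&"/' | paste -sd' ' -
}

# Only runs when a selector and a domain are given on the command line.
if [ "$#" -ge 2 ]; then
    dir=$(mktemp -d)
    gen_dkim_key "$dir" "${3:-2048}"
    echo "private key: $dir/dkim.private ($(dkim_key_bits "$dir") bits)"
    echo "$1._domainkey.$2. IN TXT ( $(dkim_txt_value "$dir") )"
fi
```

The record only takes effect once the signer uses the new private key with the same selector; some DNS control panels want the value pasted as one unquoted string and do the splitting themselves.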