0

Please take a look at this picture of mail-tester.com saying "Your DKIM signature is not valid".

As you can see, the DKIM signature and public key are identical in terms of text (characters), but the only problem is the spaces between them. I do not know how to fix this, or what the proper way is to edit a DKIM from the zone record. Currently, I try to copy the DKIM signature shown on the page and manually paste it over to the DNS TXT record (public key). After refreshing the page, it passes the test, but after making another request, the spaces disappear and the test fails again.

What is the correct way to correct the DKIM public key so it matches the DKIM of the signature?

Thank you.

cuzmAZN
  • Did you put the email headers into DNS.... – Jacob Evans Oct 17 '18 at 00:15
  • I'm new to this DNS thing. What do you mean putting the email headers into DNS? @JacobEvans – cuzmAZN Oct 17 '18 at 03:14
  • Maybe read https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/. It looks like you have no idea how DKIM works. It's basically PKI: you have a private key to sign, and a public key to verify the signature. – Jacob Evans Oct 18 '18 at 13:35

1 Answer

0

The DKIM signature and the DKIM public key are not supposed to be identical.

You should have a pair of keys: a private key and a public key. The public key goes to the DNS TXT record. The private key is never published as-is: it is used by the mail server to create digital signatures for outgoing emails: this signature should be unique for each outgoing email.

The math behind the public-key cryptography ensures that only the holder of the private key can create DKIM signatures for the domain, but anyone with access to the private key can verify those signatures.

Verifying a DKIM signature does not mean just comparing the signature in an email to a DNS record to see if they match; instead, the verifier must use the public key from the DNS record to decrypt the b= part of the signature: if the decryption result matches a hash calculated in a specific way from the message body & headers, then the signature is genuine.

telcoM
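
Added example (not part of the original answer, and not how any particular mail server implements it): a simplified Python sketch of the check described above, showing that the b= value changes per message while the published key stays the same, and that whitespace inside b= is ignored when verifying. The RSA key is a constructed toy key, `signed_data` is a stand-in for real DKIM canonicalization, and all function names are hypothetical.

```python
import base64
import hashlib

# Constructed demo key built from two Mersenne primes: trivially breakable,
# for illustration only, never usable for real mail.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: what the DNS TXT record carries
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: stays on the mail server
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signatures, rsa-sha256)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(data: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def signed_data(headers: str, body: str) -> bytes:
    """Simplified stand-in for canonicalization: headers plus the body hash."""
    bh = base64.b64encode(hashlib.sha256(body.encode()).digest())
    return headers.encode() + b"bh=" + bh

def sign(headers: str, body: str) -> str:
    """Sender side: compute the b= value with the private key."""
    sig = pow(_encode(signed_data(headers, body)), D, N)
    return base64.b64encode(sig.to_bytes(K, "big")).decode()

def verify(headers: str, body: str, b_value: str, n: int = N, e: int = E) -> bool:
    """Receiver side: needs only the public key (n, e) from DNS."""
    raw = base64.b64decode("".join(b_value.split()))   # whitespace in b= is ignored
    recovered = pow(int.from_bytes(raw, "big"), e, n)
    return recovered == _encode(signed_data(headers, body))

if __name__ == "__main__":
    hdrs = "from:alice@example.com\r\nsubject:demo\r\n"   # constructed sample headers
    b1, b2 = sign(hdrs, "first mail"), sign(hdrs, "second mail")
    print("signatures differ per message:", b1 != b2)
    print("first mail verifies:", verify(hdrs, "first mail", b1))
    print("folded b= still verifies:", verify(hdrs, "first mail", b1[:40] + "\r\n " + b1[40:]))
    print("altered body verifies:", verify(hdrs, "first mail!", b1))
```
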