
For a long time I have been using Let's Encrypt for all my encrypted services (HTTPS, IMAPS, SMTPS, FTPS). Now I want to add a DKIM signature for my mail server. But is this possible using Let's Encrypt? I have to add the public key to the DKIM DNS entry, but the Let's Encrypt certificate is newly created every 30 days.

How can I use my Let's Encrypt certificate for DKIM?

(I know how to set up DKIM in the mail server. My question focuses on the DNS entry for DKIM.)

Michael

1 Answer


The answer to this question is: you’re not supposed to.

According to the RFC:

Signature applications require some level of assurance that the verification public key is associated with the claimed Signer. Many applications achieve this by using public-key certificates issued by a trusted third party. However, DKIM can achieve a sufficient level of security, with significantly enhanced scalability, by simply having the Verifier query the purported Signer's DNS entry (or some security-equivalent) in order to retrieve the public key.

You can just sign your own keys using DKIM, because it is verified by DNS. You can ensure that the DKIM is properly checked by implementing DMARC and DNSSEC.

notStan
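To make the DNS side of this concrete, here is an added example (not code from the question or the answer above, and not taken from any DKIM implementation). It builds the `p=` value of a DKIM record from the DER SubjectPublicKeyInfo of an RSA public key, splits the record into the 255-octet strings a TXT record is made of, and then performs the checks a verifier does after fetching `<selector>._domainkey.<domain>`: version and key-type tags, the revoked-key case (empty `p=`), and a strict parse of the key back into modulus and exponent. The point it illustrates is that the record carries a bare public key and nothing from a CA, so its lifetime is whatever the domain owner decides. `SAMPLE_N` is a constructed 2048-bit odd number with the shape of a real modulus, not a real key (it is not a product of two primes and must not be used for signing); the selector `mail` and domain `example.org` in the `__main__` block are likewise assumptions.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded as tag+length+value.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed sample key material: an arbitrary odd 2048-bit number and the usual
# exponent 65537. NOT a real RSA key; it only has the right shape so that the
# DER, base64 and DNS sizes come out exactly like a real 2048-bit key's.
SAMPLE_N = (1 << 2047) | 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5B
SAMPLE_E = 65537


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key; base64 of this is the p= value."""
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")      # AlgorithmIdentifier
    pub = der_tlv(0x30, der_integer(n) + der_integer(e))       # RSAPublicKey
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pub))   # BIT STRING, 0 unused bits


def dkim_txt_record(spki_der, hash_algs=("sha256",)):
    """Tag=value text for <selector>._domainkey.<domain> (RFC 6376 section 3.6.1)."""
    return "v=DKIM1; k=rsa; h=%s; p=%s" % (":".join(hash_algs), base64.b64encode(spki_der).decode())


def zone_file_strings(record, limit=255):
    """TXT RDATA is a list of <character-string>s of at most 255 octets each; a
    2048-bit key does not fit in one, so the zone file needs several quoted strings."""
    return " ".join('"%s"' % record[i:i + limit] for i in range(0, len(record), limit))


def txt_from_zone_strings(presentation):
    """Inverse of zone_file_strings: verifiers concatenate the strings before parsing."""
    return "".join(re.findall(r'"([^"]*)"', presentation))


def parse_dkim_record(txt):
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace is allowed around and inside values, notably inside p=.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def is_revoked(tags):
    """An empty p= means the selector's key has been revoked."""
    return tags.get("p") == ""


def der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (n, e) from a DER SubjectPublicKeyInfo, refusing anything but rsaEncryption."""
    tag, spki, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("p= is not a single DER SEQUENCE")
    tag, alg, pos = der_read(spki, 0)
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = der_read(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = der_read(bitstr, 1)
    tag_n, n_bytes, pos = der_read(rsapub, 0)
    tag_e, e_bytes, _ = der_read(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must be two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def public_key_from_record(tags):
    """The checks a verifier applies before trusting a key fetched from DNS."""
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM record version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type %r" % tags.get("k"))
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    if is_revoked(tags):
        raise ValueError("key has been revoked (empty p=)")
    return parse_rsa_spki(base64.b64decode(tags["p"], validate=True))


if __name__ == "__main__":
    zone = zone_file_strings(dkim_txt_record(rsa_spki(SAMPLE_N, SAMPLE_E)))
    print("mail._domainkey.example.org. IN TXT", zone)   # assumed selector and domain
    n, e = public_key_from_record(parse_dkim_record(txt_from_zone_strings(zone)))
    print("verifier recovered a %d-bit modulus with e=%d" % (n.bit_length(), e))
```

With a real key the `p=` value comes straight from the public half of whatever keypair you generate for the selector, and it stays valid until you publish a different key under a new selector, which is why its lifetime has nothing to do with a CA-issued certificate's renewal cycle.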