DKIM DNS records point to expired and 1024-bit keys when we selected a 2048-bit key


We are using Amazon SES to send e-mails. We have enabled DKIM for a domain with a 2048-bit key (previously we had it enabled with a 1024-bit key). The service indicates to create 3 DNS records: one of them points to a 2048-bit key, another to a 1024-bit key and the last one to an expired key. The internal policies report a security issue because the DNS records do not point to 2048-bit keys. If we remove the non-2048-bit key records, then SES stops sending e-mails and complains. Any suggestions on just having DNS records with 2048-bit keys please? Is it compulsory to have the 1024-bit and the expired one please?

2 Answers
Accepted Answer

Hi Miquel,

I've had the same questions as you, and you do indeed need to keep all three records. This is how EasyDKIM works. Two selectors are used for key rotation (the old one and the new one). You cannot force the rotation. This is handled by AWS and occurs once a year, though AWS makes no commitment on this (not documented). The third key is used as a backup when upgrading key length. It will be used in case of rollback. It will stay forever. You cannot delete it.

AWS always uses one selector at a given time. You can verify what selector is used by sending an email from your domain.

AWS documentation could be improved on how EasyDKIM works. It would also be nice to see in the admin console which key is active.

Regards, V.P.

vp
answered 9 months ago
reviewed a month ago
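One way to do the check the answer suggests (which selector a message was signed with, and how long the key that selector resolves to is), as an added example in Python that is not part of the original post or of SES; the DKIM-Signature header, domain, selector and TXT record are constructed here, and the modulus inside the sample record is a dummy, not a real key.

```python
import base64
import re

# Constructed DKIM-Signature header (not from the original post); d= and s= locate the key in DNS.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; "
                 "s=abc123selector; h=from:to:subject; bh=ZmFrZWhhc2g=; b=ZmFrZQ==")

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or TXT record) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}  # drop folding whitespace

def dkim_record_name(header):
    """DNS name a verifier queries for this signature: <selector>._domainkey.<domain>."""
    t = parse_tags(header)
    return f"{t['s']}._domainkey.{t['d']}"

def _tlv(buf, pos=0):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_bits_from_txt(txt):
    """Modulus size in bits of the p= key in a DKIM TXT record (SubjectPublicKeyInfo DER)."""
    spki = base64.b64decode(parse_tags(txt)["p"])
    _, body, _ = _tlv(spki)           # outer SEQUENCE
    _, _, pos = _tlv(body)            # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(bits[1:])        # drop the unused-bits octet
    _, n, _ = _tlv(rsa)               # first INTEGER is the modulus
    return int.from_bytes(n, "big").bit_length()

def _der(tag, body):  # minimal DER TLV encoder, used only to build the sample record
    lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def make_txt_record(bits):
    """Constructed DKIM TXT record carrying a dummy RSA modulus of `bits` bits (not a real key)."""
    n, e = (1 << (bits - 1)) | 1, 65537
    ints = b"".join(_der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in (n, e))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL params
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

For a live check, fetch the record with `dig +short TXT <selector>._domainkey.<domain>` (dig follows the CNAME that Easy DKIM publishes) and join the quoted strings before passing the text to `rsa_bits_from_txt`.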

Hi Miquel,

Assuming you have generated this using Easy DKIM in SES, I do not believe any newly generated records for the 2048-bit key should point to the 1024-bit key or an expired key. It may be an issue where DNS propagation takes some time, resulting in some records still pointing to old/expired keys. (According to AWS it may take up to 72 hours for DNS propagation.)

Please verify that the CNAME records for the newly generated 2048-bit key are accurate in your hosting provider, or else regenerate the keys and try adding them to your DNS provider.

Bisina
answered 10 months ago
  • Yes, it is using Easy DKIM in SES. How do I regenerate the keys, please? Thanks a lot for your answer.
