Tuesday Tip: Namecheap supports 2048-bit DKIM keys


Finally! It's time for another Spam Resource Tuesday Tip. The goal? To share short and actionable deliverability tips and tricks. More often simple hacks than deep deliverability dives.

This time around, I share with you an email authentication configuration hack that I recently discovered: For domain registrar Namecheap, configuring a 2048-bit DKIM key in DNS is easy-peasy, even if you're using an email service that doesn't offer an automagical DNS management function for you (think Entri). 

As this Mailgun help page points out, configuring your DNS TXT record in Namecheap when setting up a 2048-bit DKIM key involves nothing more than pasting the whole TXT record into the right place in their DNS management user interface. Usually, it's not that simple. You see, the public DNS key for 2048-bit DKIM is usually too long to fit in a single TXT record. If the TXT record you paste is too long and needs to be split into two chunks, Namecheap's system detects that automatically and silently takes care of the split for you on the back end.

Normally I'm not a fan of things that transform DNS silently and behind the scenes, but I actually love and respect the design and implementation choice here. Kudos to the product manager or developer at Namecheap who came up with the idea and implementation of this. I wish more DNS control panels handled higher security DKIM key DNS similarly. It's not hard to split DKIM key records up, but it's not easy for the novice, either.

More on DNS record management and DKIM configuration from Namecheap. I find no mention of this clever hack in their documentation, but Namecheap is the registrar for some of my domains, so I've tested this myself and confirmed that it does indeed work.


Comments

  1. It's not strictly true that you can't store a 2048-bit key in a single TXT record. DNS packets have a 16-bit length for Resource Records, so in theory they can be up to 65,535 bytes (in reality, the whole packet is limited to the same maximum length).

    Regardless of what happens in the back end, if you query a longer record, the client still receives a single answer (RR), but each 255 byte chunk is prefixed with an 8-bit length, with the data sent in the correct order. It's very similar to HTTP/1.1 chunked encoding.

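The split that Namecheap performs on the back end, and the length-prefixed wire format the comment above describes, can both be shown in a few lines. The following is an added example, not code from Spam Resource, Namecheap or Mailgun: it takes a DKIM TXT value, splits it into 255-octet strings (the per-string limit of a TXT record), renders the zone-file form with one quoted string per chunk, encodes and decodes the RDATA the way a resolver sees it on the wire (1-byte length followed by the bytes, per string), and reassembles the value the way a DKIM verifier does (plain concatenation, no separators). The `p=` value is a constructed placeholder of the same length as a DER-encoded 2048-bit RSA public key; it is not a real key, and the selector and domain are assumed.

```python
import base64

# Constructed placeholder standing in for a DER-encoded 2048-bit RSA public
# key (294 bytes, the usual SubjectPublicKeyInfo length). NOT a real key.
PLACEHOLDER_DER = bytes(i % 256 for i in range(294))
PLACEHOLDER_P = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# The full DKIM TXT value an email service would hand you (assumed placeholder).
DKIM_TXT_VALUE = "v=DKIM1; k=rsa; p=" + PLACEHOLDER_P

MAX_STRING = 255  # RFC 1035 <character-string>: one length octet, at most 255 data octets


def split_txt(value: str, limit: int = MAX_STRING) -> list[str]:
    """Split a long TXT value into strings of at most `limit` octets, in order."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def join_txt(strings) -> str:
    """Reassemble as a DKIM verifier does (RFC 6376 3.6.2.2): concatenate, no separators."""
    return "".join(strings)


def zone_record(owner: str, strings) -> str:
    """Render the record in zone-file syntax with one quoted string per chunk."""
    quoted = " ".join(
        '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings
    )
    return f"{owner} IN TXT {quoted}"


def encode_txt_rdata(strings) -> bytes:
    """Wire-format TXT RDATA: each string is a 1-byte length followed by its bytes."""
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > MAX_STRING:
            raise ValueError("TXT string exceeds 255 octets")
        out.append(len(b))
        out += b
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[str]:
    """Parse wire-format TXT RDATA back into its character-strings."""
    strings, pos = [], 0
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("truncated TXT RDATA")
        strings.append(rdata[pos:pos + n].decode("ascii"))
        pos += n
    return strings


def parse_dkim_tags(value: str) -> dict:
    """Parse the 'tag=value;' list so the p= tag can be checked after reassembly."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def roundtrip(value: str = DKIM_TXT_VALUE) -> dict:
    """Split, encode, decode and rejoin; report what a practitioner would check."""
    strings = split_txt(value)
    rdata = encode_txt_rdata(strings)
    back = join_txt(decode_txt_rdata(rdata))
    tags = parse_dkim_tags(back)
    return {
        "total_len": len(value),
        "string_count": len(strings),
        "string_lens": [len(s) for s in strings],
        "rdata_len": len(rdata),
        "roundtrip_ok": back == value,
        "p_matches": tags.get("p") == PLACEHOLDER_P,
    }


if __name__ == "__main__":
    # Assumed selector and domain for the record owner name.
    print(zone_record("selector1._domainkey.example.com.", split_txt(DKIM_TXT_VALUE)))
    print(roundtrip())
```

With the placeholder key the value is 410 characters, so it becomes two strings of 255 and 155 octets; a control panel that does not split for you needs the two quoted strings from `zone_record` pasted in that order, and a quick `dig TXT selector1._domainkey.example.com` after publishing should show both strings, which is the check worth doing regardless of which registrar did the splitting.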
