DKIM TXT DNS Recort Problem

I just try to create a DKIM record in my masters DNS and I just don’t understand what’s going wrong:

univention-directory-manager dns/txt_record create --superordinate “,cn=dns,dc=example,dc=com” --set zonettl=3 --set name=“201902._domainkey” --set txt=“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskLBlGeKsbKrb1UN1o1l85kdTnWC1pn3SB+dnaMbhlTqpsY1mZGoxotJxGSnpYmMwfJ3DpJocAxoG55Wu+58rOdbUFkoAUG2RLrzaPp0xzvkTIWPrXHOB/koOeStdHos7QUiliaBdAoupG4fwfHoi2IPJPLzHfynefBykiVGmPUGjJxowJ/bWTbxwkVKGwjIWPfzqvb4R1WrUbLAh4HL//Y+uiadD07u+hOFxAf0DLHJW8E1RrDtb6Sb6hsQTvdU+3Quk6xdm1hRhKqllbP8oTpwGXW91WIZc+awIDAQAB”

The command runs without an error.

host -t TXT

–> descriptive text “v=DKIM1”
Everything after the semicolon is gone.
Ok, I can try adding additional quotationmarks

univention-directory-manager dns/txt_record create --superordinate “,cn=dns,dc=olc,dc=schnagl,dc=one” --set zonettl=3 --set name=“201902._domainkey” --set txt="“v=DKIM1; k=rsa”"

And voila
host -t TXT

–> descriptive text “v=DKIM1, k=rsa”

But when I add the key the the command the host command still delivers the same result. What I can do is just reduce the size of the key:

univention-directory-manager dns/txt_record create --superordinate “,cn=dns,dc=example,dc=com” --set zonettl=3 --set name=“201902._domainkey” --set txt="“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskL”"

Then I get what I expect:
host -t txt descriptive text “v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskL”

It seems it’s only working if the string is short enough. Any ideas?

It seems I found a solution. Setting a dkim record at the dns server of netcup I realized that the key is split into two halfs. I just took the lookup result and copied it to the Univention master dns:
“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvA541BSi4baHzShEQiAGd3rbnIxjpNyjKcrpp98og0Obb8SLmyxioHTlH/tCAg3h/jzVf9o03+Mb4IHEJzaAptHUzVZtn0Tt2nlSf8lX3R0vs4yo5nElvWieWev0UxLUHgjlRpX1uu3HKkFs+wCGNkme9spZeQ/WpNhRb0J/O6Dcsb18FLIW8YehwCqHnim5” “3wAdhTmHi0LZAFO9g1bPPr9t5dL1+vHUNLIh2MpnKRwieSVHtGU8SsOk8NhkRVtOafKC+5CgSuF1jc0RWyYeUZmURPevoloePCakrNyOrUcqKTUQxiP3NgvZ7/UbutmV+pKOoLoxuj7/Sft/tsNVQIDAQAB” “”

This at least gives the correct lookup result with
host -t txt

DNS records have a maximum length for each value, but TXT records may contain more than one value. That’s what you’re encountering here.

Apart from that: keep in mind that DNS records such as DKIM or SPF must be resolvable by the receiving mail server (e.g. when you send a mail from your domain to someone using a address, the Google mail servers will try to look up the DKIM record for your own domain). This in turn means that the records must be available from the public internet. It is unusual to have a UCS DNS server be reachable from the public internet, so let me ask you: are your UCS DNS servers reachable from the internet? Or are you at least using your UCS DNS as a master server for publicly reachable DNS slave servers?

Thanks for your input.

No, my DNS server is not reachable from the internet. Yes, I understand that I have to configure the dkim TXT recort at the DNS server of my hoster.

All I wanted to do is try out dkim internally before I configer the hoster’s DNS record.

Just if anyone has similar problems:
I followed
and especialle the work from

In my configuration (kopano with activated amavis) every outgoint email was signed twice. I solved this by following:

I just added an additional line
-o smtpd_milters=
The relevant part now looks like: inet n	-		n	  -		  -	 smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_client_restrictions=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=
	-o smtpd_authorized_xforward_hosts=
	-o strict_rfc821_envelopes=yes
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o smtpd_milters=
	-o receive_override_options=no_address_mappings''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}

You have to recreate the by
univention-config-registry commit /etc/postfix/

I added a
service postfix reload
to make sure that the new configuration really is active.