On Tue, 14 Oct 2025 17:07:48 +0200, Jan Stary wrote:

> I am setting up DKIM for this domain -
> the dkim signing itself seems to be working fine,
> but recipients still fail my dkim, because
>
>       dkim=fail reason="key not found in DNS"
>
> Indeed, my (updated) dns record does not contain the dkim TXT record,
> as nsd(8) refuses to load it (see the failing zone file below), saying
>
>       master/stare.cz:16: Invalid TXT in text
>
> The TXT content is exactly what is produced by the 'openssl rsa' command
> in the opensmtpd-filter-dkimsign pkg-readme.
>
> It *seems* that nsd refuses it as too long: when I trim the TXT record
> to exactly 256 bytes, nsd loads the zone file without complaint (but that's
> not the actual key of course); one byte more and it's an "invalid TXT".

You need to split up the long TXT record into strings of 255 bytes
or less.  There are two ways to do this, see:

https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns#255676

 - todd
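
The splitting described in the reply above, as an added example that is not part of either message: a POSIX shell function that reads a single-line TXT value on stdin and prints it as one record made of quoted strings of at most 255 bytes, which verifiers concatenate without separators. The function name, the owner name `selector._domainkey.example.org.` and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from nsd):
# print a TXT record whose value is split into strings of <= 255 bytes.
#
# usage: split_txt_record OWNER-NAME < file-with-txt-value
split_txt_record() {
    name=$1
    # Join the input into one line; the value must not contain line breaks.
    value=$(tr -d '\r\n')
    [ -n "$name" ] && [ -n "$value" ] || {
        echo "usage: split_txt_record OWNER-NAME < value" >&2
        return 1
    }
    # A quote or backslash would need zone-file escaping; refuse rather
    # than emit a record that parses differently from what was signed.
    case $value in
        *\"*|*\\*) echo "value contains a quote or backslash" >&2; return 1 ;;
    esac
    printf '%s IN TXT (\n' "$name"
    # fold -b counts bytes, so every chunk fits one 255-byte string.
    printf '%s\n' "$value" | fold -b -w 255 |
        while IFS= read -r chunk; do
            printf '\t"%s"\n' "$chunk"
        done
    printf '\t)\n'
}

# Constructed sample value (not a real key): 10-byte prefix + 400 filler bytes.
sample="v=DKIM1;p=$(awk 'BEGIN { for (i = 0; i < 400; i++) printf "A" }')"
printf '%s\n' "$sample" | split_txt_record 'selector._domainkey.example.org.'
```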
