SMIMEA record creation fails in web UI for RFC 8162 compliant hashed local-part

Hi,

I’m trying to add an SMIMEA record following RFC 8162 for email address patrick@domain.tld.

Working (non-standard):

  • Subname: _smimecert.patrick

  • Result: _smimecert.patrick.domain.tld

Not working (RFC 8162 standard):

  • Subname: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92._smimecert

  • Result: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92._smimecert.domain.tld

The hashed local-part (56 hex chars) appears to exceed the web UI’s subname length limit. The RFC requires SHA-256 truncated to 28 bytes (56 hex characters) as the first label, with _smimecert as the second label.

Question: Is this a UI validation limit? Can the record be created via API, or does the platform enforce a shorter maximum label length?

I may be misunderstanding the RFC or the correct record structure—any guidance on the proper way to create SMIMEA records with deSEC would be appreciated.

Thanks,
Patrick

Hi georgelucas0815,

Thanks for your message, and welcome to deSEC! :slight_smile:

The issue you observed is a bug in the validation logic used in the web interface. It would be great if you could file a bug on GitHub.

Thanks!

Stay secure,
Peter

1 Like

Hi Peter,

I forgot to cut the hash after 56 characters :face_in_clouds: everything is working as expected!

Haha and I also didn’t count correctly and then thought it was a bug, while actually things are working as intended. Thanks for the heads-up!

Stay secure,
Peter

1 Like
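
The label arithmetic this thread turns on, as an added example that is not from any poster or from deSEC: it builds the RFC 8162 owner name (SHA-256 of the local-part, truncated to 28 octets, hex-encoded, followed by `_smimecert`) and checks a candidate name against the 63-octet DNS label limit. The function names `smimea_owner` and `check_smimea_name` are hypothetical, and the local-part is assumed to be plain and unquoted.

```python
import hashlib
import string
import unicodedata

MAX_LABEL = 63   # maximum length of one DNS label, in octets (RFC 1035)
HASH_OCTETS = 28  # RFC 8162: SHA-256 output truncated to 28 octets


def smimea_owner(local_part: str, domain: str) -> str:
    """Build the SMIMEA owner name for local_part@domain.

    Assumption: local_part is unquoted and carries no comments, so only
    NFC normalization and UTF-8 encoding are applied before hashing.
    """
    normalized = unicodedata.normalize("NFC", local_part)
    digest = hashlib.sha256(normalized.encode("utf-8")).digest()
    label = digest[:HASH_OCTETS].hex()  # 28 octets -> 56 hex characters
    return f"{label}._smimecert.{domain.rstrip('.')}"


def check_smimea_name(name: str) -> list:
    """Return a list of problems found in a candidate SMIMEA owner name."""
    labels = name.rstrip(".").split(".")
    problems = []
    for label in labels:
        size = len(label.encode("utf-8"))
        if size > MAX_LABEL:
            problems.append(f"label is {size} octets, limit is {MAX_LABEL}")
    first = labels[0].lower()
    if len(first) != 2 * HASH_OCTETS or any(c not in string.hexdigits for c in first):
        problems.append("first label is not 56 hex characters")
    if len(labels) < 3 or labels[1].lower() != "_smimecert":
        problems.append("second label is not _smimecert")
    return problems


if __name__ == "__main__":
    good = smimea_owner("patrick", "domain.tld")
    print(good, check_smimea_name(good))
    # Constructed from the subname quoted in the first post (untruncated digest).
    untruncated = ("8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92"
                   "._smimecert.domain.tld")
    print(check_smimea_name(untruncated))
```
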