Does the traefik v2 acme.json contain the private, public, ... keys?

I see that acme.json changed in v2. It looks like the following:

    "sslcertresolver": {
      "Account": { ...
        "uri": "",
        "PrivateKey": "my private key",
        "KeyType": "4096"
      "Certificates": [
        "domain": { ...
        "certificate": "my cert",
        "key": "hey thereee",
        "Store": "default"

I see that PrivateKey is the private key. Is "key" the public key, i.e. the .pub? Is "certificate" the .cert file?
Can I extract these for my .pem, .pub and .cert files?

Follow-up: if so, I think DKIM DNS records want a 1096-size key (some allow a longer 2096-size key; I might be slightly off on the size). Is there a way to get Traefik to play nice with this size of key for the DNS record?

Much appreciated.
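For the extraction question above: in a Traefik v2 acme.json the "certificate" field is the base64-encoded full-chain PEM and "key" is the base64-encoded private key belonging to that certificate. It is not a public key; the public key is embedded in the certificate (`openssl x509 -in cert.pem -pubkey -noout` prints it), and Account.PrivateKey is the separate ACME account key. The script below is an added example, not code from the thread or from Traefik, that decodes those fields into the usual fullchain.pem / cert.pem / chain.pem / privkey.pem set. The resolver name, domains and PEM bodies in SAMPLE_ACME_JSON are constructed placeholders so it runs offline.

```python
"""Pull PEM files out of a Traefik v2 acme.json (added example, not Traefik code).

Assumes the v2 layout shown in the question: each resolver has an "Account"
(with the ACME account "PrivateKey") and a "Certificates" list whose
"certificate" and "key" fields are base64-encoded PEM.
"""
import base64
import json
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed placeholder PEM blobs (not real key material).
_FAKE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nbGVhZi1jZXJ0LXBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
)
_FAKE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\ncHJpdmF0ZS1rZXktcGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n"
_FAKE_ACCOUNT_PEM = "-----BEGIN RSA PRIVATE KEY-----\nYWNjb3VudC1rZXktcGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n"


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed sample in the v2 layout; "sslcertresolver" is the resolver name from the question.
SAMPLE_ACME_JSON = json.dumps({
    "sslcertresolver": {
        "Account": {
            "Email": "postmaster@example.com",
            "Registration": {"body": {"status": "valid"}, "uri": ""},
            "PrivateKey": _b64(_FAKE_ACCOUNT_PEM),
            "KeyType": "4096",
        },
        "Certificates": [{
            "domain": {"main": "mail.example.com", "sans": ["smtp.example.com"]},
            "certificate": _b64(_FAKE_CHAIN_PEM),
            "key": _b64(_FAKE_KEY_PEM),
            "Store": "default",
        }],
    }
}, indent=2)


def load_acme_json(path: str) -> str:
    """Read acme.json, refusing a file readable by group/other: it holds
    private keys, and Traefik itself refuses to start unless it is 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def extract_certificates(acme_json: str) -> List[Dict[str, object]]:
    """One entry per issued certificate: decoded full chain plus the
    certificate's private key ("key" is the private key, not a public key)."""
    out: List[Dict[str, object]] = []
    for resolver, body in json.loads(acme_json).items():
        for entry in body.get("Certificates") or []:
            out.append({
                "resolver": resolver,
                "main": entry["domain"]["main"],
                "sans": entry["domain"].get("sans") or [],
                "fullchain_pem": base64.b64decode(entry["certificate"]).decode(),
                "privkey_pem": base64.b64decode(entry["key"]).decode(),
            })
    return out


def account_key_pem(acme_json: str, resolver: str) -> str:
    """The ACME account key (Account.PrivateKey): unrelated to any
    certificate key and never needed by a mail or web server."""
    return base64.b64decode(json.loads(acme_json)[resolver]["Account"]["PrivateKey"]).decode()


def split_chain(fullchain_pem: str) -> List[str]:
    """Split a full chain into PEM blocks: [leaf, intermediate, ...]."""
    blocks, current = [], []
    for line in fullchain_pem.splitlines():
        current.append(line)
        if line.startswith("-----END CERTIFICATE-----"):
            blocks.append("\n".join(current) + "\n")
            current = []
    return blocks


def write_pem_files(entry: Dict[str, object], outdir: Optional[str] = None) -> List[Tuple[str, int]]:
    """Write fullchain.pem, cert.pem, chain.pem and privkey.pem for one entry;
    the key is created 0600. Returns (path, mode) pairs as found on disk."""
    outdir = outdir or tempfile.mkdtemp(prefix="acme-")
    chain = split_chain(str(entry["fullchain_pem"]))
    files = {
        "fullchain.pem": (str(entry["fullchain_pem"]), 0o644),
        "cert.pem": (chain[0], 0o644),
        "chain.pem": ("".join(chain[1:]), 0o644),
        "privkey.pem": (str(entry["privkey_pem"]), 0o600),
    }
    written = []
    for name, (content, mode) in files.items():
        path = os.path.join(outdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)  # mode set at create time
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # the umask may have masked bits; enforce explicitly
        written.append((path, stat.S_IMODE(os.stat(path).st_mode)))
    return written


if __name__ == "__main__":
    for cert in extract_certificates(SAMPLE_ACME_JSON):
        for path, mode in write_pem_files(cert):
            print(f"{mode:04o} {path}")
```

Against a real file, run `extract_certificates(load_acme_json("/path/to/acme.json"))`; the loader refuses an acme.json that is group- or world-readable, the same permission check Traefik makes at startup. There is no .pub to extract because acme.json stores none; derive it from cert.pem with openssl if a tool needs one.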

I do see that traefik can make the 2048 key. Hoping that will work in place of the 1024 key.

I don't see how DKIM relates to traefik/acme at all.

So an example DKIM record pulled off the internet looks like the following:

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB

The p= is the key provided by the server. Traefik can be set to make a 2048 RSA key that then ends up stored in the acme.json file. So the key can be extracted from acme.json and placed into the DKIM record to set up a mail server, hence my question.

@DavidF DKIM key and a webserver key are not related nor should be.

I am not sure I follow. Looking at quite a few guides at setting up mail servers, they typically obtain a validated SSL/TLS cert by completing a http challenge. This then allows them to carry out more secure email over safer ports rather than their defaults. This typically requires a web server to complete that initial challenge to obtain that certification. The DKIM DNS record typically uses a 1024 or 2048 size RSA key that is then based on this certification that enables other servers to validate the mail.
Am I mistaken in this thinking?

To me, it seems relatively straightforward to pass this process to traefik to create that 2048 RSA key on a docker container containing the mailserver, which then handles automatic renewal and whatnot for me. My VPS provider also allows updating the DNS records via REST API, which I then can put into the container so that when traefik renews / updates the cert, the DNS records remain updated, saving me a lot of time and pain. This is my thinking at least.

Edit: also, this key would not be my webserver key by any means. The emailserver would have just this key.

For TLS for the mail transport, yes, a certificate is used. You won't be able to do this natively within Traefik though, as SMTP does not initiate using TLS; it uses opportunistic TLS after connecting on an unencrypted TCP socket.

That is not DKIM however. DKIM is for signing mail so that other MTAs know that the sender is legit. The public key is what is published in DNS and does not require a chain of trust like TLS.
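To make the two posts above concrete (the example record with its p= value, and the point that DKIM publishes a standalone public key in DNS rather than anything tied to a TLS certificate), the following is an added example, not code from the thread or from Traefik. It parses a DKIM TXT record, reads the RSA modulus size out of the SubjectPublicKeyInfo that p= carries (the quoted record turns out to hold a 1024-bit key), turns an `openssl rsa -pubout` PEM into the p= value, and splits a record longer than 255 characters into the several quoted strings a TXT record then needs, which a 2048-bit key always requires. The selector and domain names are placeholders.

```python
"""Inspect and build DKIM DNS TXT records (RFC 6376). Added example, standard library only.

A minimal DER walker reads the RSA modulus size from the SubjectPublicKeyInfo in p=,
and a formatter splits a long record into the 255-byte strings a TXT RDATA is made of.
"""
import base64
from typing import Dict, List, Tuple

# The example record quoted earlier in the thread.
EXAMPLE_RECORD = (
    "k=rsa; t=s; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u"
    "9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlN"
    "Nk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
TXT_STRING_MAX = 255                             # RFC 1035 <character-string> limit


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=rsa; t=s; p=...' into a tag dict; whitespace inside a tag
    value (allowed by RFC 6376, common in long p= values) is removed."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def _tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_b64: str) -> int:
    """Modulus size of the RSA key inside a base64 SubjectPublicKeyInfo."""
    tag, spki, _ = _tlv(base64.b64decode(spki_b64))
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, after_alg = _tlv(spki)             # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, after_alg)       # BIT STRING; first octet = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsapub, _ = _tlv(bitstr[1:])              # RSAPublicKey SEQUENCE
    tag, modulus, _ = _tlv(rsapub)               # INTEGER n (may carry a 0x00 pad byte)
    if tag != 0x02:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_record(record: str) -> Dict[str, object]:
    """Report key type and size. RFC 8301 requires signers to use RSA keys of
    at least 1024 bits and verifiers to accept up to 4096, so smaller keys fail."""
    tags = parse_tags(record)
    key_type = tags.get("k", "rsa")              # k= defaults to rsa
    p = tags.get("p", "")
    bits = rsa_modulus_bits(p) if key_type == "rsa" and p else None
    return {"key_type": key_type, "bits": bits,
            "revoked": p == "",                  # an empty p= means the key is revoked
            "ok": bits is not None and bits >= 1024}


def record_from_public_pem(pub_pem: str) -> str:
    """Turn an 'openssl rsa -pubout' PEM (a SubjectPublicKeyInfo) into the TXT
    value: p= is exactly the PEM body with headers and line breaks removed."""
    body = "".join(line.strip() for line in pub_pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return f"v=DKIM1; k=rsa; p={body}"


def txt_strings(record: str, limit: int = TXT_STRING_MAX) -> List[str]:
    """Split a record into <=255-byte character-strings. A 2048-bit key's p=
    alone is 392 characters, so such a record never fits in one string."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector: str, domain: str, record: str) -> str:
    """BIND-style TXT line; resolvers concatenate the quoted strings."""
    strings = " ".join(f'"{s}"' for s in txt_strings(record))
    return f"{selector}._domainkey.{domain}. IN TXT {strings}"


if __name__ == "__main__":
    print(check_record(EXAMPLE_RECORD))
    print(zone_line("mail", "example.com", EXAMPLE_RECORD))
```

The key that ends up in p= comes from a keypair generated for DKIM alone (for instance `openssl genrsa -out dkim.key 2048` followed by `openssl rsa -in dkim.key -pubout`); nothing in the record refers to a CA, a certificate or the TLS key the MTA uses for STARTTLS. Many DNS providers' APIs and web forms accept the whole record as one string and split it themselves; where they do not, `zone_line` shows the split form to submit.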

For the first dilemma, could you not have traefik route for both the unencrypted and encrypted (S)MTP socket?

For the second dilemma, is the public key in the DKIM not the public key of the TLS certificate used to encrypt traffic for the SMTP socket?

I am following this guide with tweaks for reference


No, the connection is always initiated plain text on TCP 587 (or 25), then STARTTLS if it is supported by the MTA. SMTPS (465) was for SMTP on a TLS-initiated connection, but it's not used.

Like I previously said, there is no relation between the two. Any DKIM keypairs I create are standalone from anything else. Could you use the public key from an x509 certificate? Probably, but not worth the effort, and why would you lower your TLS security to achieve it?

So traefik could not really work well with an email server, I suppose? Back to the drawing board.

You look correct about the DKIM record. So moving away from that topic.

Can you explain to me why this guide uses acme-client to get a TLS cert for his mail server. I am following his guide super closely. My issue comes into play in trying to get the TLS section to work with traefik. Is there a better way to do this?

See the Guide link above. I would be super appreciative!