Cannot validate Dkim signature

SYSTEM INFORMATION
Ubuntu 22.04.01
Webmin version 2.0.13
Virtualmin version 7.5

Hello,
I have enabled DomainKeys Identified Mail and everything seems to go well. Virtualmin enables it without any error and creates the DNS record.
I use Cloudflare and I create the same record for DKIM. I have tried with quotes, without them, and many other solutions that I found on the internet, but none seems to work.

I always end up with a non-valid signature.
I use www.mail-tester.com and https://dkimvalidator.com/ to check the results.

I get the following message

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid

Thank you in advance

When you added the DKIM into the DNS, did you remove the quotes " at the end of each line? I had to, as the DNS server I use didn’t like them.

Hi and thank you for your reply,

I have tested it in many ways, with or without ".
It is strange that at
https://dkimvalidator.com/results
I get on the first screen

Validating Signature

result = pass Details:

and at the bottom
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid

So do I, but I can deliver mail correctly, so perhaps ignore it. Send a message to a remote address that you can view and read the headers back; you may not see that error.

I use mxtoolbox.com. It has a DKIM lookup that will report the exact problem.

Oddly, I just tried mxtoolbox and got no errors, but if you're getting an error it points to a DNS issue. Did mxtoolbox report a valid nameserver?

The mxtoolbox DKIM check reports no errors, but at the Google header check I get
DKIM: ‘FAIL’
and inside the header I get
dkim=temperror (no key for signature)

Is opendkim running on your server?

sudo systemctl status opendkim

Yes, it is running.

Have you checked the logs when sending out an email if opendkim is adding DKIM-signature?

In the System Log Viewer, open mail.log and filter your search to opendkim.

See if it’s working correctly.

The domain you're sending via, is it listed in the Extra domains to sign for section?

Check this post, you may have named the DNS TXT entry incorrectly.

I think there is no need to put them there. By default they belong to the
Domains currently signed for.
Virtualmin creates the appropriate records for these domains.
I have checked it and it is named as created by Virtualmin:
selector._domainkey.domain.com

I also tried to change the selector, but it is stuck at the initial value in the signed emails, so I have changed it back.
Another clue is that it is not possible to generate a new key.
The key always remains the same.

Like cyberndt said, have you checked your logs for the keys?

Hi,
I am not sure if this is the normal behavior, but in the mail.log
there are lines
DKIM-Signature field added …
Also the signature exists when checking the mails, but it is not valid.
And for sure Virtualmin cannot generate a new signature.
It always displays the same signature.
The same applies to the selector. It is not possible to change it.
All these define a misbehavior of DKIM.

Changing the selector is not relevant here. When you copy and paste the key into Cloudflare, make sure you are doing it correctly as they allow.
There should be instructions on their end on how to do it.
In most cases you need to make sure all quotes are removed and from where the key itself starts make sure all quotes and spaces are removed.

If opendkim is showing that it is adding the key to all domains with no errors in mail.log, then the first place to look for problems is at the DNS level.

You can also check by sending an email from one account on the virtualserver to another and view the headers from your end in read user mail.

Thank you cyberndt for your reply.
I just mentioned the selector to state that the DKIM scripts have more than one issue. I have checked the logs and cannot find any errors.
The signature is present on the outgoing emails, and I have checked.
The problem is that all the mail checker programs state the signature is invalid.
Indeed I use Cloudflare and I am very careful to delete any quotes and spaces, but with no luck.
I use DKIM signatures from other cps in Cloudflare, which work without any issues.

I have also removed opendkim and reinstalled it, cleared any DKIM keys and recreated them.
It seems that DKIM always generates the same private and public keys, which for sure states a malfunction.
I guess that it does not generate the key properly and indeed it is not valid, but I cannot find any way to generate a new, different key.
I also noticed that the opendkim version which is used is a beta version.

I will try to build a fresh server and see if I have the same issues.

I have deleted all the DNS records for this domain and copied the DKIM key from the “suggested DNS Records” field, and it worked.
I have copied the key from “v=DKIM1; …”. I have kept all quotes and spaces as they were.
Maybe in the DNS Record Edit field the text editor was adding or altering some character.
Thank you all for your replies.

The quotes and the space between quotes do not work in my DNS server; you need to remove them.
If you use mxtoolbox you should be able to match what the key should be and what is being seen in the TXT record. The only quotes you should have in the TXT record are the leading and ending ones, and no spaces.
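
Added example, not part of the original thread: a Python check for the failure discussed above, where a DNS editor stores the quotes or spaces of the generated record as part of the key, and for matching the generated key against the published one. Function names and sample records are constructed for illustration; the key is placeholder base64, and in practice the published value would come from a TXT lookup of selector._domainkey.domain.com.

```python
import base64
import re

def join_txt_strings(raw):
    """Return the single string a resolver would hand to a DKIM verifier.
    Zone-file style input ( "a" "b" ) is concatenated; plain input is kept."""
    text = raw.strip().strip("()").strip()
    if not text.startswith('"'):
        return text
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', text))

def parse_dkim_record(raw):
    """Split the joined record into its tag=value pairs."""
    tags = {}
    for item in join_txt_strings(raw).split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_record(raw):
    """List the problems that would stop a verifier from using the key."""
    tags, problems = parse_dkim_record(raw), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    p = tags.get("p", "")
    if not p:
        problems.append("p= is missing or empty")
    elif re.search(r'["\\]', p):
        problems.append("p= contains a literal quote or backslash")
    else:
        try:
            base64.b64decode(re.sub(r"\s+", "", p), validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

def same_key(generated, published):
    """True when both records carry the same p= value, ignoring whitespace."""
    key = lambda r: re.sub(r"\s+", "", parse_dkim_record(r).get("p", ""))
    return key(generated) == key(published)

# Constructed sample data: KEY is placeholder base64, not a real RSA key.
KEY = base64.b64encode(bytes(range(96))).decode()
GENERATED = '( "v=DKIM1; k=rsa; " "p=' + KEY[:64] + '" "' + KEY[64:] + '" )'
PUBLISHED_OK = "v=DKIM1; k=rsa; p=" + KEY
# As a lookup shows it when the inner quotes were stored as record content.
PUBLISHED_BAD = '"v=DKIM1; k=rsa; p=' + KEY[:64] + '\\" \\"' + KEY[64:] + '"'

if __name__ == "__main__":
    for name in ("GENERATED", "PUBLISHED_OK", "PUBLISHED_BAD"):
        rec = globals()[name]
        print(name, check_record(rec), same_key(GENERATED, rec))
```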

Cloudflare has no issues.
I have checked with
https://dkimcore.org/tools/keycheck.html
https://dkimvalidator.com

But maybe other DNS providers have.

Not sure why you are having an issue, sorry. If your DKIM is getting validated it should work.

Steve
P.S. These are my settings.