We have tested the DKIM record for a VM on all websites that offer online checking services. We have not identified any issues. However, Gmail and Yahoo! do not agree that the canonicalization should be set to simple/simple. If you analyze the original message received in a Gmail mailbox, you can find that the DKIM test has failed. If it still passes, then please take a look below in the message, in the row that starts with DKIM; it shouldn't be simple/simple, just
This is a warning from Email Security Scan related to simple/simple validation after testing the VM.
Using simple canonicalization can cause validation issues; Consider relaxed/relaxed instead.
Adding further headers to your signature might be useful, see RFC6376 Sec. 5.4: content-type:message-id:mime-version
The main problem: Virtualmin doesn't allow changing the canonicalization in the interface.
A similar problem was reported here and it got no answer.
I analyzed this issue in detail and came to the following solution.
First of all, any change to the DKIM values in the Virtualmin interface must be accompanied by a restart of the opendkim service. Simply pressing the [Save] button does not restart the service; perhaps this should be analyzed by the Virtualmin team if a change is requested. I think so because every time I generated new keys, Gmail didn't pass, but after I restarted the service, it passed immediately.
Secondly, for those who want to make changes to the canonicalization, unfortunately this cannot be done in the Virtualmin interface; perhaps this option should be introduced in the DKIM section and the 4 variants selected from a drop-down list. Until then, the change is made in the /etc/opendkim.conf file and then the opendkim service is restarted. Below are the options that can be used in the file and their effect in emails.
Canonicalization simple
Result: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple (this is the default)
Canonicalization simple/relaxed
Result: DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed
Canonicalization relaxed
Result: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple
Canonicalization relaxed/relaxed
Result: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed
Thirdly, we can go further with the DMARC settings, strict versus relaxed alignment: aspf (SPF) and adkim (DKIM), which can take the values s (strict) or r (relaxed). E.g. as result
Addendum: Based on RFC 6376 we should use relaxed/relaxed from now on. The default value simple could be OK but can generate issues, especially with email services like Gmail and Yahoo!.
This feature should be in the Virtualmin interface; I would go further and set the canonicalization in the Virtualmin installation process to the relaxed/relaxed value. Also, when we save the DKIM configuration or generate new keys, add a new step restarting the opendkim service too.
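As an added illustration of the DMARC alignment point above (this is example code written for this thread, not part of the original post and not Virtualmin or OpenDKIM code): a minimal evaluator that parses the adkim/aspf tags of a DMARC record and decides whether an authenticated domain aligns with the RFC5322.From domain in strict (s) or relaxed (r) mode. The organizational-domain function is a deliberate simplification (last two labels); a real verifier consults the Public Suffix List. The record, domains and helper names are constructed assumptions.

```python
from typing import Optional, List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    ASSUMPTION: a real DMARC verifier uses the Public Suffix List so that
    e.g. 'example.co.uk' is not reduced to 'co.uk'. Kept offline here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment per RFC 7489 section 3.1.

    mode 's' (strict): exact, case-insensitive match.
    mode 'r' (relaxed): same organizational domain is enough.
    """
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    if mode == "r":
        return org_domain(from_domain) == org_domain(auth_domain)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; adkim/aspf default to 'r'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def dmarc_evaluate(from_domain: str, record: str,
                   dkim_pass_domains: List[str],
                   spf_pass_domain: Optional[str]) -> Tuple[str, str]:
    """Return ('pass', reason) or ('fail', reason).

    dkim_pass_domains: d= values of signatures that cryptographically verified.
    spf_pass_domain:   MAIL FROM domain if SPF returned pass, else None.
    DMARC passes if at least one verified identifier aligns.
    """
    policy = parse_dmarc(record)
    for d in dkim_pass_domains:
        if aligned(from_domain, d, policy["adkim"]):
            return "pass", f"dkim d={d} aligned (adkim={policy['adkim']})"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, policy["aspf"]):
        return "pass", f"spf {spf_pass_domain} aligned (aspf={policy['aspf']})"
    return "fail", f"no aligned identifier; policy p={policy.get('p', '?')}"


if __name__ == "__main__":
    # Constructed sample: signature d= is a subdomain of the From domain.
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    relaxed = "v=DMARC1; p=reject"
    print(dmarc_evaluate("example.com", strict, ["mail.example.com"], None))
    print(dmarc_evaluate("example.com", relaxed, ["mail.example.com"], None))
```

The usual trap is the first case: a DKIM signature that verifies perfectly still fails DMARC if adkim=s and the signing domain is a subdomain of the From domain.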
@Jamie, I think we should switch to relaxed/relaxed indeed. Many organizations these days prefer relaxed/relaxed, including GitHub, Protonmail and many others.
Virtualmin doesn’t actually change that Canonicalization setting at all currently - instead we just go with the package default. But if relaxed/relaxed is better, we could change it as part of the DKIM enable process.
relaxed/relaxed mode is more forgiving of innocent modifications that might occur as the email passes through various systems. As a result it has better deliverability with intermediary systems. For example, changing multiple spaces or tabs to a single space, or adding/removing whitespace.
The risk of using this mode is generally considered to be minimal.
In relaxed/strict mode, if the body of the email is altered in any way, by a mailing list for example, or other intermediaries, the DKIM signature will simply break.
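To make concrete both the c= variants listed earlier in the thread and the whitespace tolerance described just above, here is an added example (written for this thread; it is not code from the original posts, from Virtualmin or from OpenDKIM) that implements the simple and relaxed body and header canonicalization algorithms of RFC 6376 sections 3.4.2 to 3.4.4, computes the bh= body hash, and parses the c= tag with its defaults. The two message bodies are constructed: the second is the first after an intermediary collapsed tabs to spaces, stripped trailing blanks and appended empty lines.

```python
import base64
import hashlib
import re

# Constructed sample: the body as signed, and the same body after a relay
# normalized whitespace (tabs -> single spaces, trailing blanks removed,
# extra empty lines appended). No bytes of content were changed.
ORIGINAL = b"Hello,\r\n\r\nThis  is\ta\tmessage.\r\nBye  \r\n"
RELAYED = b"Hello,\r\n\r\nThis is a message.\r\nBye\r\n\r\n\r\n"


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF.
    An empty body canonicalizes to a single CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs to one
    SP, drop trailing empty lines, end with CRLF. Empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


def canon_header_simple(name: bytes, value: bytes) -> bytes:
    """RFC 6376 3.4.1: header field passed through unchanged."""
    return name + b":" + value + b"\r\n"


def canon_header_relaxed(name: bytes, value: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim."""
    value = value.replace(b"\r\n", b"")                # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t")
    return name.lower().strip(b" \t") + b":" + value + b"\r\n"


def body_hash(body: bytes, body_canon: str) -> str:
    """The bh= tag value: base64(SHA-256) over the canonicalized body."""
    canon = canon_body_relaxed if body_canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def parse_c_tag(signature_value: str) -> tuple:
    """Header/body canonicalization from a DKIM-Signature value.
    Missing c= means simple/simple; 'c=relaxed' alone means relaxed/simple."""
    tags = dict(t.strip().split("=", 1) for t in signature_value.split(";") if "=" in t)
    header, _, body = tags.get("c", "simple").partition("/")
    return header.strip(), (body.strip() or "simple")


def bh_survives_relay(original: bytes, received: bytes, body_canon: str) -> bool:
    """True if the receiver would recompute the same bh= the signer produced."""
    return body_hash(original, body_canon) == body_hash(received, body_canon)


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(f"{mode:8s} bh= survives relay: {bh_survives_relay(ORIGINAL, RELAYED, mode)}")
    print(parse_c_tag("v=1; a=rsa-sha256; c=relaxed"))
```

Running it shows the failure mode the thread is about: with simple body canonicalization the relayed copy hashes differently and the signature fails, while relaxed canonicalization yields the identical bh= for both copies. Note that neither mode tolerates actual content changes such as a mailing-list footer; relaxed only absorbs whitespace.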
I checked Debian OS versions 9 to 12. All have canonicalization set to simple/simple. This is the default value.
After posting here I changed all my servers to relaxed/relaxed. One of them had problems with Yahoo!; the messages ended up in SPAM. I didn't pay much attention to whether or not it passed their DKIM test because I knew I had a valid DNS record. Well, with the change I can send messages without a subject and body that arrive in the Inbox. Looking at the source message, their DKIM test passed, as did the others. Same for Gmail, Protonmail, Tutanota.
Indeed, it's a powerful tool that I discovered a few months ago. After you [Reply All] to the message received from them, a lot of tests are done in the background; it's basically a complex checker which sends requests to different servers. I discovered this after I received a message that said the email address was not valid. In the message body there were a lot of places where my message ran.