DKIM fails

I configured virtualmin to sign with dkim.
But mail-tester and reports invalid signature.
I added my domain in “Additional domains to sign for”, entered the key in my DNS record, and it is propagated.
Whats could I check ?

On seeing this messsage I decided to make sure the DKIM was working for myself. And it’s not.

I’ve run a VirtualMin check and everything is reported as being OK. Regenerated the DKIM (just used save) and it tells me everything propagated correctly. But when I look at the email headers this is all I see :


Received: from [] (unknown [])

by (Postfix) with ESMTP id 5EED5C3EB8D6

for <>; Tue,  5 Sep 2017 12:10:07 -0600 (MDT)

DKIM-Filter: OpenDKIM Filter v2.11.0 5EED5C3EB8D6



From: Nigel Aves

I do know that this was working sometime ago, as far as I know I’ve not changed anything to do with email services.

Any ideas?

What distro and version are y’all running?

Sorry, should have added this.

Operating system CentOS Linux 7.3.1611
Webmin version 1.852
Virtualmin version 6.00
Postfix Version: 2.10.1

Is the opendkim package installed? (rpm -q opendkim)

We don’t depend on it during installation because I thought Jamie had code to install it automatically when DKIM is enabled, but maybe that’s either not working, or not true, and I need to add a dependency to our yum groups.

If it’s not installed, try installing it:

# yum install opendkim

And, maybe restart postfix:

# systemctl restart postfix

And, see if things behave differently. If so, then it’s just a dependency issue…if not, it’s something we might need to rope Jamie in on (and it might need a Virtualmin update to fix).


Debian 9: Turn on DKIM. Then go to the console and enter:

  1. /lib/opendkim/opendkim.service.generate

  2. systemctl daemon-reload

  3. service opendkim restart

For test:

netstat -natpu | grep opendkim


Yes, opendkim is installed (and it was installed automatically when I built the server). I looked at the files in /etc/opendkim and none of them are modified, but I am assuming that Virtualmin stores the info somewhere else.

I have stopped and restarted Postfix. No difference.



I did try your test netstat -natpu | grep opendkim

I believe this looks good.

[root@apache-web-server ~]# netstat -natpu | grep opendkim
tcp 0 0* LISTEN 25876/opendkim
[root@apache-web-server ~]#

I’ll ask Jamie to chime in, as he knows better what magic is supposed to happen to loop DKIM signing into the mix when sending mail.

Here’s the ticket about it, though I’ll relay back any necessary info once I understand what’s happening:

Joe. it also does not work with debian 9.

I am running Debian 8.9
Dkim is installed and running, my emails are signed but the signature is invalid.


I was looking through my log files trying to discover if this was a bug in VirtualMin or Operator Error - Me! :slight_smile:

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: connect from unknown[]

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 4A67DC3EB8D6: client=unknown[]

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[]

Sep 8 13:37:20 apache-web-server postfix/cleanup[28647]: 774C3C3EB8D6:

Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [] [] not internal

Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated

Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data

Sep 8 13:37:20 apache-web-server postfix/qmgr[3361]: 774C3C3EB8D6:, size=1565, nrcpt=1 (queue active)

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: disconnect from unknown[]

Any thoughts?


Not sure if this is a bug or not, but discovered what was wrong.

First edit the /etc/opendkim/TrustedHosts filer and add your internal network


To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts

option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts

may be added on separate lines (IP addresses, hostnames, or CIDR ranges).

The localhost IP ( should always be the first entry in this file.

Then edit /etc/opendkim.conf

and uncheck this line

Identifies a set “internal” hosts whose mail should be signed rather than verified.

InternalHosts refile:/etc/opendkim/TrustedHosts

Now dkim is written to email messages.

There should probably be an option added in Virtualmin dkim setup to add your internal networks.


My problem is different :
my emails are signed, but the signature is invalid. I have no dkim error in postfix logs

I would try:

Virtualmin -> Email Messages -> Domain Key Identified Mail

Force generation of new private key -> Yes


Here succeeded to not “”“added my domain in “Additional domains to sign for” “””"

But generate the key in the virtualserver for that domain itself!

( virtual server > server configuration > domainkey options )

Then it should be in the dns ofcourse otherwise they didn’t work, if third party external DNS you have to add this manually

If you use ase key “” default"" then problems could be there so better change “default” in what you like , you can read that her >

“”"“Do NOT enter
, as this can trigger a bug in the current Virtualmin release which deletes the

noisemarine : I already tried that.

Jfro : I already added my domain, changed the “default” prefix, and added the key to my DNS.

I mean not add your domain there in that screen but to do the key generation it in the domain virtualserver itself.
Open that screen on that domain again and you see your key to paste in dns record if needed, then you can check with dns or these keys are the same!
Ofcourse after ttl time…

And try test first by sending mail out over webmail webmin function

so go to the ones domain virtual server and generate the key there so > ( virtual server > server configuration > domainkey options )

Jfro : I cannot remove my domain from “Additional domains to sign for” : I get his error :
Finding virtual servers to enable DKIM for …
… no servers with both DNS and email enabled were found!
DKIM setup failed!

I do not host my virtual server DNS, I am using the one from my provider, but I did add my dkim key, I can see it with mxtoolbox
And there is no “virtual server > server configuration > domainkey options” menu

OK i’m only user/admin.

I have that option in menu, so i don’t know how to help you.

Then ask Joe sorry.

We are ourselves only using third party DNS for Domains DKIM with Virtualmin 6 and CENTOS is working here, but it was a fresh VM6 install about 29-08 so not a updated older version of VM.