DKIM Invalid - but email arrives

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.3
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.9.0
Theme version: 21.09.5
Package updates: All installed packages are up to date

A Thunderbird user is receiving emails but reports that:
DKIM Invalid

As far as I can tell, DKIM is valid for the domain, and yes, it is listed under “Domains currently signed for”.

If you have a Gmail address, send an email to that address and use Show Original when you get it; you should see

[image]

Try something like this:

https://dkimvalidator.com/

@stefan1959 @shoulders
Both suggestions were tried from my Usermin account on that VS.
Neither email arrived! (It was my Gmail account.)
I sent an email to that user as well; it arrived and was returned to me with the same complaint.

When I use https://www.diggui.com/ I cannot see my DKIM keys, but Virtualmin shows them.

The DKIM Validator, did it just say failed or was there any more information?

You could try turning DKIM on and off? That might help.

It just said failed several times; nothing seemed to be delivered, just as with the Gmail account.

Can you see the key using this tool: DKIM Key Checker | protodave?

The selector will be the first bit of the entry in Virtualmin; for me this is a date.

This seems a little better: https://dmarcian.com/dkim-inspector/

That tool gave me “No DNS TXT Record found”.

An example from Virtualmin is:

Selector: 202306
Domain: example.com

I would disable DKIM, and then re-enable it.

Is the DKIM TXT entry actually present in your domain's DNS records in Virtualmin?

I did restart it before sending out the emails.
I do not understand the “no TXT record” as it is there!

    ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw10TOgVmiTkKn"
      "GBvbrfQFvZLMwkjxQjyz6v0KyhxPcBBVvJLw81OY18mdqrEk0AQAc0d0yK05B6EKzdfyFT20jwj0Zx3p"
      "dwgBm87V1FSLhSGsM3FIFHrjmEq9El8w9g77STXiYrRKKOYYGhZ9rS9mnACfzsHh18RQKDJp5SsyLG/M"
      "II1Uy/zbxJpNuUrQVsTMGjlvLKZray8HHyML+nDeS2lL35H/N3YEQzQ1GQrZk5MdBIq9s3HSAlM6rx1Y"
      "qVpRFpQj9OSSDTvmqmvMN35mZg6XZOnGS5WQnqXB0s4sAw5Rik7jZnLlP8Wi8zQUbnZXydAqNRFz+ykY"
      "1lRQ2p1cQIDAQAB" )

Selector: 202304

Scenarios

  • The outgoing email is getting signed, but for some reason they cannot see your TXT record for the DKIM.
  • The key pair is invalid.
  • Virtualmin is not presenting the DKIM key when correctly requested.

I would concentrate on using those online DKIM validators and trying to see your DKIM TXT entry. This is the main issue.

Disable DKIM

  • Disable DKIM and make sure you can get email delivered.
  • Reboot server and then re-enable DKIM but force key regeneration.

Can you DM me your domain and I will have a look at my end?

What is the status of opendkim on the server sending the email?

    sudo systemctl status opendkim

Does opendkim show up in the Postfix mail.log as running without any errors before it sends out the email?
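An added example (mine, not from the thread, Postfix or the opendkim project) of answering that question from mail.log without reading it by eye. The log excerpt is constructed: the hostname, PIDs, queue IDs, addresses and the 192.0.2.10 relay address are invented, while the message texts are modelled on what opendkim ("DKIM-Signature field added (s=…, d=…)", "no signing table match for …") and Postfix ("warning: connect to Milter service …") actually write. For each queue ID it reports whether a signature was added and with which selector, and lists messages that were delivered unsigned.

```python
"""Scan a Postfix/opendkim mail.log and report, per queue ID, whether outgoing mail was signed."""
import re

# Constructed mail.log excerpt modelled on Postfix and opendkim syslog lines.
# Hostname, PIDs, queue IDs, addresses and the 192.0.2.10 relay are invented.
MAIL_LOG = """\
Jan  9 10:12:01 vs1 postfix/pickup[1201]: 7A1B2C3D4E: uid=1005 from=<user@example.com>
Jan  9 10:12:01 vs1 opendkim[987]: 7A1B2C3D4E: DKIM-Signature field added (s=202304, d=example.com)
Jan  9 10:12:02 vs1 postfix/smtp[1222]: 7A1B2C3D4E: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 OK)
Jan  9 10:15:30 vs1 postfix/pickup[1201]: 8F9E0D1C2B: uid=1007 from=<user@other.example>
Jan  9 10:15:30 vs1 opendkim[987]: 8F9E0D1C2B: no signing table match for 'user@other.example'
Jan  9 10:15:31 vs1 postfix/smtp[1222]: 8F9E0D1C2B: to=<x@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=0.9, status=sent (250 2.0.0 OK)
Jan  9 10:20:00 vs1 postfix/cleanup[1230]: warning: connect to Milter service inet:localhost:8891: Connection refused
Jan  9 10:20:00 vs1 postfix/pickup[1201]: 9C8D7E6F5A: uid=1005 from=<user@example.com>
Jan  9 10:20:01 vs1 postfix/smtp[1222]: 9C8D7E6F5A: to=<y@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.1, status=sent (250 2.0.0 OK)
"""

SIGNED = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): DKIM-Signature field added \(s=(?P<s>[^,]+), d=(?P<d>[^)]+)\)")
SKIPPED = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): (?P<why>no signing table match for .+)")
SENT = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")
MILTER = re.compile(r"warning: connect to Milter service (?P<addr>\S+): (?P<err>.+)")


def dkim_signing_report(log_text: str):
    """Return ({queue_id: {"dkim", "to", "status"}}, [milter connection errors])."""
    msgs, milter_errors = {}, []
    for line in log_text.splitlines():
        if m := SIGNED.search(line):
            msgs.setdefault(m["qid"], {})["dkim"] = f"signed (s={m['s']}, d={m['d']})"
        elif m := SKIPPED.search(line):
            msgs.setdefault(m["qid"], {})["dkim"] = "not signed: " + m["why"]
        elif m := SENT.search(line):
            msgs.setdefault(m["qid"], {}).update(to=m["rcpt"], status=m["status"])
        elif m := MILTER.search(line):
            milter_errors.append(f"{m['addr']}: {m['err']}")
    for entry in msgs.values():
        # No opendkim line at all: the message never reached the milter (e.g. opendkim was
        # down and milter_default_action let it through), so it left unsigned.
        entry.setdefault("dkim", "not signed: no opendkim log line for this message")
    return msgs, milter_errors


def unsigned_deliveries(log_text: str) -> list:
    """Queue IDs that left the server with status=sent but without a DKIM-Signature."""
    msgs, _ = dkim_signing_report(log_text)
    return sorted(q for q, e in msgs.items() if e.get("status") == "sent" and not e["dkim"].startswith("signed"))


if __name__ == "__main__":
    report, errors = dkim_signing_report(MAIL_LOG)
    for qid, entry in report.items():
        print(qid, entry.get("to"), entry.get("status"), "->", entry["dkim"])
    for err in errors:
        print("milter problem:", err)
```

Run it against a real log with `dkim_signing_report(open("/var/log/mail.log").read())`; a signed message shows the selector the signature carries, which is the selector the public key must be published under.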

Check that your domain NS records point to your Virtualmin NS; you should have at least 2 nameservers deployed in a domain zone. It is a clear sign that the tool did not reveal the DKIM TXT record. In case you chose external nameservers, then deploy the Virtualmin-generated DKIM records inside your zone.

This belongs to you Stegan :slight_smile:

Who is hosting the DNS? Is that on your end or with another provider?

I have my DNS at NameSilo. When I add a DKIM TXT record I have to take off all the quotes and delete spaces or it won’t work. I have read some want the string broken with quotes or it is too long, and some don’t. If Virtualmin is handling it I would assume that is not the problem, since they furnish the TXT.

First, I’d like to say thank you to all who have contributed a solution.

A little more background:
This VS has been running since April 2023 with little or no intervention from me.

Emails are delivered OK and as far as I am aware have been since April 2023.

The user reported this error from using Thunderbird email client

The VM is a Linode box and the DNS has been managed on their control panel, not in Virtualmin.
There are 21 VS on this box (only 4 of which have email, all with DKIM enabled).
Only 2 are what I would call production, which limits my frequent rebooting.

I have again checked the DNS settings for this VS and the records are exactly as presented by Virtualmin under Virtualmin ->DNS Settings -> Suggested DNS Records

I have stopped and restarted the VM (all packages declared are up to date)

I have installed Thunderbird on my local machine (Windows) and can confirm it is a newer version (115.6.1, possibly why this DKIM record checking has popped up) and can confirm that the initial error message is being displayed. At least I can now continue to test to resolve this without the round trip to contact the user.

I have forced generation of new private key, copied the TXT record, and rebooted again.

I still cannot seem to be able to send a test to Gmail (but that could be due to Google’s insistence on valid DKIM). Sending an email to DKIMValidator also seems to fail.

However that other tool “dmarcian” has at least produced a response.

There is something wrong with your DKIM record.
Access/bookmark this inspection at dmarcian/dkim-inspector/?domain=*.&selector=202304

DKIM is present but is not valid.
( "v Unsupported. Will be ignored.
The public key contains invalid characters.

So I guess that says it all. The details in the TXT record are incorrect.

So next I’ll try @popmay's suggestion of removing quotes and spaces and try again.

Don’t take out the spaces after v=DKIM1; k=rsa; t=s;

Did that (and rebooted), but that tool is still saying invalid.

Are the brackets not required?
Why does the public key have “invalid characters”?

Must I reboot after every change to the TXT record (or is there a propagation delay like for A/AAAA/NS records)?
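An added example (mine, not from the thread or from Virtualmin) that answers the bracket and "invalid characters" questions offline and reproduces the dmarcian findings. It takes the selector 202304 record posted earlier in the thread, in Virtualmin's zone-file form, joins the quoted strings into the single string a resolver returns, and validates the tag list and the base64/DER public key the way an online inspector does. It also shows what happens when the zone-file text is pasted literally into a DNS panel (the first tag becomes `( "v`, and the key picks up quotes and brackets, the two errors dmarcian reported), and that a copy with the quotes, brackets and spaces stripped still validates, because whitespace around `;` and `=` in a DKIM tag list is optional folding whitespace under RFC 6376. It assumes the record was copied from the post without transcription errors.

```python
"""Offline checker for a DKIM public-key TXT record (RFC 6376 section 3.6.1)."""
import base64
import re

# The record posted in the thread for selector 202304, exactly as Virtualmin
# shows it: zone-file syntax, the value split into quoted strings.
ZONE_RDATA = (
    '( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw10TOgVmiTkKn"\n'
    '  "GBvbrfQFvZLMwkjxQjyz6v0KyhxPcBBVvJLw81OY18mdqrEk0AQAc0d0yK05B6EKzdfyFT20jwj0Zx3p"\n'
    '  "dwgBm87V1FSLhSGsM3FIFHrjmEq9El8w9g77STXiYrRKKOYYGhZ9rS9mnACfzsHh18RQKDJp5SsyLG/M"\n'
    '  "II1Uy/zbxJpNuUrQVsTMGjlvLKZray8HHyML+nDeS2lL35H/N3YEQzQ1GQrZk5MdBIq9s3HSAlM6rx1Y"\n'
    '  "qVpRFpQj9OSSDTvmqmvMN35mZg6XZOnGS5WQnqXB0s4sAw5Rik7jZnLlP8Wi8zQUbnZXydAqNRFz+ykY"\n'
    '  "1lRQ2p1cQIDAQAB" )'
)
KNOWN_TAGS = {"v", "h", "k", "n", "p", "s", "t"}
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def zone_txt_to_record(rdata: str) -> str:
    """Join the quoted <character-string>s of TXT RDATA into the one string a resolver returns.
    Parentheses, line breaks and the quotes are zone-file syntax and never go on the wire."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        raise ValueError("no quoted character-strings in TXT RDATA")
    return "".join(parts)

def strip_zone_syntax(rdata: str) -> str:
    """What you get by deleting every quote, parenthesis and space by hand."""
    return re.sub(r'[()"\s]', "", rdata)

def parse_tags(record: str) -> dict:
    """Split a DKIM tag-list; whitespace around '=' and ';' is optional FWS (RFC 6376 3.2)."""
    tags = {}
    for spec in record.split(";"):
        if not spec.strip():
            continue
        name, sep, value = spec.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {spec.strip()!r}")
        tags[name.strip()] = value.strip()
    return tags

def _der(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size."""
    tag, body, _ = _der(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algid, pos = _der(body, 0)
    if tag != 0x30 or not algid.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("bad BIT STRING")
    _, rsapub, _ = _der(bits, 1)
    tag, modulus, _ = _der(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def public_key_bits(record: str) -> int:
    """Decode the p= tag of a wire-form record and return the RSA modulus size in bits."""
    key_b64 = re.sub(r"\s+", "", parse_tags(record)["p"])  # FWS inside the base64 is legal
    return rsa_modulus_bits(base64.b64decode(key_b64, validate=True))

def check_dkim_record(record: str) -> list:
    """Return the problems an inspector would report; an empty list means the record is usable."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"unknown tag {n!r} (verifiers ignore it)" for n in tags if n not in KNOWN_TAGS]
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"v={tags['v']!r} is not DKIM1")
    if "p" not in tags:
        return problems + ["missing p= tag"]
    key_b64 = re.sub(r"\s+", "", tags["p"])
    if not key_b64:
        return problems + ["p= is empty: key has been revoked"]
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key_b64):
        return problems + ["public key contains invalid characters"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(key_b64, validate=True))
    except (ValueError, IndexError) as exc:
        return problems + [f"public key is not a DER RSA SubjectPublicKeyInfo ({exc})"]
    if bits < 1024:
        problems.append(f"RSA modulus is only {bits} bits; RFC 8301 requires at least 1024")
    return problems

if __name__ == "__main__":
    for label, value in [("joined as a resolver sees it", zone_txt_to_record(ZONE_RDATA)),
                         ("zone-file text pasted literally", ZONE_RDATA),
                         ("quotes, brackets and spaces stripped", strip_zone_syntax(ZONE_RDATA))]:
        print(f"{label}: {check_dkim_record(value) or 'OK'}")
```

To check a live record, feed the output of `dig +short TXT 202304._domainkey.example.com` through `zone_txt_to_record` first, since dig prints the 255-byte strings quoted; an empty result from dig means the record is not published where the world looks, which no amount of rebooting will change.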

With my registrar no brackets

If you're running an external DNS then no; as you said, external DNS can take time to propagate due to caching (the TTL setting affects that).

Even if you ran the DNS, it's only BIND that needs restarting, and if you're editing in Virtualmin, then Virtualmin will look after the reloading.

So you should have this setting then?

Your server is not affecting any of the records.

Who runs your dns?