DKIM mismatch (in mail-tester.com)

SYSTEM INFORMATION
OS type and version debian 12
Virtualmin version 7.20.2

I have a DKIM mismatch in mail-tester.com (I shortened the keys and took some characters out of the middle). The signature injected into the header is wrong, and I have no idea where that comes from. The public key is correct (same in Cloudflare).
In my logic that means the mail server injects a wrong DKIM record into the header. But I wonder where that comes from?

I do get DKIM correct in mxtoolbox.com

from mail-tester.com >> The DKIM signature of your message is:

v=1;
	a=rsa-sha256;
	c=relaxed/simple;
	d=domain.com;
	s=202408;
	t=1727826680;
	bh=Jk9K+2wgSsc6AqCgu7RrUMiQeaK3AFroGI5H7YMN/1Y=;
	h=Date:Reply-To:To:From:Subject:From;
	b=sWKQrV1lFUuhjHeu/CXH9+sfK0xxmpo0By+rrNmrRLWHUnalZJA+lVnd1RB9P+f/dbOQb9v5+RMVxeaN9h3PAWAtps4J52RVU3Eov3c754tyXMTaE3BCwbSN+b58g2tNHVLdp6EQChPFnNuElRbOJB1P/fpNrE1CM3wj+p3YLVlE1lY8DdSmbuyWwPRXlE0jH8slqXU2FJn2SxFUknNhdEZZlNFYQ0a6yUz5MAsgkuv0bNy3k7hrG+dKJE0NUao5eCrPxr1MXlLicnAm8IhGW5zyjJzeGP5Zx0UsTWRPhEeG1snxKix9mUN3ISi2MR5iCitD/UKloGfUINipC372Jg==

(20248 is the correct DKIM selector)

from mail-tester.com > (that’s the one in DNS and set in Cloudflare, the correct one)

Your public key is:

"v=DKIM1;
k=rsa;
t=s;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoz/9gG72jkRsFd5s7LKPpAa4TwwTN1ba+T/mZIhB0U8p68pzX4V/er0wQPf6TUeNNzWWolBk2bwoc456NUwdj79Hj0XX1novfEktTUMQLleykpP5Ey6sj+F+BzY5l6mJChY213jDn6a0WF7vSVsifvl0i9aEQzg4X8C8rD9Cr5wAeH0oKKwQmXGH92awoLPtupmO04UvTD9MfKL7K+UefhA4X8Z/BLdDpV7MnqdIgD12Vj6Y7497zE1h1IphOBfVIS918GKA0N37GRZV0cfDlfN5IDbtj55jhtDqerc+1GzP8TFBqo7yGAywoalY1ip9UBA4QAepesJ7M/0x85b8xwIDAQAB"

From a received test mail

DKIM-Signature:
v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=202408; t=1727831050; bh=I0DTSwAbHFE8GPCzbnctQwnUV55s9OMAcKP2GrLI0BI=; h=Date:From:To:Subject:From; b=DVHVipmZmLXBkraddWPDbtpAw2gAWc/fakps9wEoxzIePPOerBw0VY1v7QIS8h+LE tM0R3hZZD3aqu+Gj8k5B1EWMf1xfAiEGcxf5cdL1chy0yoCMIkNo9Q0Vk8lKJsF4FG iJs3YUOlrvUhtatZNDKjxnAuxSiQii3aTaH4VhjyRfUi2LkjlyFU4vUfZc6B+L+7N3 KMx6RtOZFMySIwVZ+2GQnPc1O91aK8kxA95DamE5Rz5hN1a+QjwYL7UGVkJcY3SmB/ AdVrMldJ60bqjBL9AL5mP26Hhed4mP4fWm5xsWEkBvFLm/MTNSXwR5/ozv38+RjzRD +cDHVSldkxCRw==

So where does the injected data come from?

Since this is a new server, the virtual domains are newly installed and not restored.

What do you get when you test on MX Tools? Does it pass?

Copilot gave me this on the b= signature.

Here’s a simplified overview of how the b= signature is generated:

  1. Canonicalization: The email headers and body are canonicalized, which means they are converted into a standard format. This step ensures that minor variations in formatting (like line breaks or spaces) don’t affect the signature.
  2. Hashing: The canonicalized headers and body are hashed using a cryptographic hash function (usually SHA-256). This produces a fixed-size string of characters that uniquely represents the content.
  3. Signing: The hash is then encrypted with the sender’s private key to create the signature. This encrypted hash is what you see in the b= tag of the DKIM-Signature header.
  4. Adding the Signature: The b= tag is added to the DKIM-Signature header, along with other tags like v=, a=, d=, s=, c=, h=, and bh=. The b= tag contains the actual signature value.

When the recipient’s mail server receives the email, it uses the sender’s public key (published in the DNS) to decrypt the b= signature and compare it with a newly computed hash of the received message. If they match, the email is considered authentic and unaltered.

On MX Tools I get the same as you get - all green. Got all green from other DKIM test sites too.

I used the records generated by virtualmin (without the “”).

It seems that just what Virtualmin injects into the email header causes a problem. Gmail seems to reject my mails completely.

This said, I was fine on the old server. DKIM was set in Cloudflare and I believe that the old Virtualmin 6.08 didn’t inject the DKIM into the header.

Virtualmin does not inject anything into email headers; if anything, the application that sends the mail or your MTA may inject headers. What application are you using to send mail, and I am guessing your MTA is Postfix?

Yes, I use Postfix. I can’t see what gets injected or if that makes sense. It seems mail-tester and Gmail don’t like it. This said, I got 7/10 in mail-tester. DKIM is the big issue.

Have you sent an email to an address that you have access to (not Gmail or Microsoft) and viewed the incoming headers to see exactly what is in there? If you want, I’ll PM you an email address and I’ll look at the headers and report back with the findings.

Yes I did. That’s the last code block in my top post. Well, I don’t know what it’s supposed to look like.

In the meantime Copilot AI asked me to add milter_protocol = 6 in /etc/postfix/main.cf and restart Postfix and OpenDKIM.

For today I am out of mail-tester checks; they allow only 3 per day. In case someone knows a similar site, please let me know.

Do not do that; you don’t know what system it’s getting that information from.
Virtualmin should set everything up to work. Do not play with Postfix unless you know what you’re doing.
Has the domain been added to the signed domain section?


Thanks for the screenshot. The domain in question is included. Other settings are the same as yours.

Found another checker, redsift.com

{
    "error": "bad signature",
    "explanation": "crypto/rsa: verification error",
    "source": 0,
    "tag": "b"
}

The Canonicalization for the body is set to “simple”. This can lead to problems when verifying the email signature. We recommend setting it to “relaxed” for header and body. Learn more in our knowledge base.

Will need to look into that …

-------- other question…
In Virtualmin > domain > DNS Settings > DNS DKIM Record … should I set it to use the default key or the key below?


The key seems to be the issue. Instead of c=relaxed/simple; it wants c=relaxed/relaxed; but so far I haven’t found where to change it.

DKIM-Signature:
v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=202408; t=1727831050; bh=I0DTSwAbHFE8GPCzbnctQwnUV55s9OMAcKP2GrLI0BI=; h=Date:From:To:Subject:From; b=DVHVipmZmLXBkraddWPDbtpAw2gAWc/fakps9wEoxzIePPOerBw0VY1v7QIS8h+LE tM0R3hZZD3aqu+Gj8k5B1EWMf1xfAiEGcxf5cdL1chy0yoCMIkNo9Q0Vk8lKJsF4FG iJs3YUOlrvUhtatZNDKjxnAuxSiQii3aTaH4VhjyRfUi2LkjlyFU4vUfZc6B+L+7N3 KMx6RtOZFMySIwVZ+2GQnPc1O91aK8kxA95DamE5Rz5hN1a+QjwYL7UGVkJcY3SmB/ AdVrMldJ60bqjBL9AL5mP26Hhed4mP4fWm5xsWEkBvFLm/MTNSXwR5/ozv38+RjzRD +cDHVSldkxCRw==

Found it! It’s in /etc/opendkim.conf

However, setting it to relaxed/relaxed makes it even worse. simple/simple is the same as relaxed/simple; I will leave it like that.

Update:
Looks like somehow there was a small mismatch between the generated DKIM DNS records and what I put into Cloudflare. After changing that it still failed, but with no more "error": "bad signature", "explanation": "crypto/rsa: verification error". I tried again switching to relaxed/relaxed, and this time I got an all green.
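As an added example (not code from this thread, nor from Virtualmin or OpenDKIM), the Python below implements the two body canonicalizations from RFC 6376 that the body half of the c= tag selects, computes the bh= value from step 2 of the Copilot overview earlier in the thread, and shows why a body whose whitespace is touched in transit still verifies under relaxed but not under simple. The message bodies are constructed; the thread's own bh= values cannot be reproduced because the original message bodies are not on the page.

```python
# Added example, not from the forum thread or from Virtualmin/OpenDKIM.
# Implements RFC 6376 section 3.4 body canonicalization ("simple" and "relaxed")
# and the bh= body hash (base64 of SHA-256), then checks whether a body that
# was altered in transit still verifies under each mode.
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """simple: bytes are kept verbatim; only trailing empty lines are dropped
    and the body always ends with exactly one CRLF (an empty body becomes CRLF)."""
    body = re.sub(rb"\r?\n", b"\r\n", body)  # normalise line endings to CRLF
    return body.rstrip(b"\r\n") + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """relaxed: trailing whitespace removed from each line, runs of SP/TAB
    collapsed to one SP, trailing empty lines dropped, CRLF appended if needed
    (an empty body stays empty)."""
    body = re.sub(rb"\r?\n", b"\r\n", body)
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, mode: str) -> str:
    """bh= value: base64(SHA-256(canonicalised body)), as used with a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(CANON[mode](body)).digest()).decode()


def bh_matches(signed_body: bytes, received_body: bytes, mode: str) -> bool:
    """What a verifier such as mail-tester does: recompute bh over the body it
    received and compare it with the bh= the signer put into the header."""
    return body_hash(signed_body, mode) == body_hash(received_body, mode)


# Constructed sample: the signer saw SIGNED_BODY; a hop on the way collapsed
# the double space and stripped the trailing space/tab before delivery.
SIGNED_BODY = b"Hello  world \t\nThanks\n\n"
RECEIVED_BODY = b"Hello world\r\nThanks\r\n"

if __name__ == "__main__":
    for mode in CANON:
        print(f"c=relaxed/{mode}: bh={body_hash(SIGNED_BODY, mode)} "
              f"verifies={bh_matches(SIGNED_BODY, RECEIVED_BODY, mode)}")
```

Header canonicalization (the first half of c=) and the RSA signature over the selected headers are not shown here; a bh= mismatch alone is enough for a verifier to report the signature as bad.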