I have a DKIM mismatch in mail-tester.com (I shortened the keys, took some out in the middle). The signature injected into the header is wrong, and I have no idea where that comes from. The public key is correct (same in Cloudflare).
In my logic that means the mail server injects a wrong DKIM record into the header. But I wonder where that comes from?
Here’s a simplified overview of how the b= signature is generated:
Canonicalization: The email headers and body are canonicalized, which means they are converted into a standard format. This step ensures that minor variations in formatting (like line breaks or spaces) don’t affect the signature.
Hashing: The canonicalized headers and body are hashed using a cryptographic hash function (usually SHA-256). This produces a fixed-size string of characters that uniquely represents the content.
Signing: The hash is then encrypted with the sender’s private key to create the signature. This encrypted hash is what you see in the b= tag of the DKIM-Signature header.
Adding the Signature: The b= tag is added to the DKIM-Signature header, along with other tags like v=, a=, d=, s=, c=, h=, and bh=. The b= tag contains the actual signature value.
When the recipient’s mail server receives the email, it uses the sender’s public key (published in the DNS) to decrypt the b= signature and compare it with a newly computed hash of the received message. If they match, the email is considered authentic and unaltered.
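To make the canonicalization step concrete (it is the one the thread's c=relaxed/simple vs c=relaxed/relaxed question turns on), here is an added example, not code from the original post or from Virtualmin: RFC 6376 "simple" and "relaxed" body canonicalization, relaxed header canonicalization, and the resulting bh= value. The message bodies, the header value and the DKIM-Signature tag string are constructed sample data.

```python
import base64
import hashlib
import re

CRLF = "\r\n"

def simple_body(body: str) -> str:
    """RFC 6376 'simple' body canonicalization: only trailing empty lines are removed."""
    lines = body.split(CRLF)
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF  # an empty body canonicalizes to a single CRLF

def relaxed_body(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of WSP to one space,
    strip WSP at line ends, then drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization of one header field."""
    unfolded = value.replace(CRLF, "")                      # unfold continuation lines
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip(" ")  # one SP, no WSP around the colon
    return f"{name.lower()}:{collapsed}{CRLF}"

def body_hash(body: str, canon: str) -> str:
    """Return the bh= tag value: base64(SHA-256(canonicalized body))."""
    canonical = simple_body(body) if canon == "simple" else relaxed_body(body)
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()

def bh_matches(dkim_signature: str, body: str) -> bool:
    """Verifier-side check: recompute bh= using the body mode named in the c= tag."""
    tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", dkim_signature).split(";") if "=" in t)
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"  # c=relaxed alone means relaxed/simple
    return tags["bh"] == body_hash(body, body_mode)

# Constructed sample: the body as signed, and the same body after a relay mangled whitespace.
ORIGINAL_BODY = "Hello world" + CRLF + "This is a test." + CRLF
RELAYED_BODY = "Hello   world \t" + CRLF + "This is a test." + CRLF + CRLF + CRLF

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, body_hash(ORIGINAL_BODY, mode) == body_hash(RELAYED_BODY, mode))
```

Run stand-alone it prints `simple False` and `relaxed True`: the same whitespace change breaks bh= under simple body canonicalization and survives under relaxed, which is why a relay that touches whitespace shows up as a DKIM "bad signature".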
Virtualmin does not inject anything into email headers; if anything, the application that sends the mail or your MTA may inject headers. What application are you using to send mail? I am guessing your MTA is Postfix?
Yes, I use Postfix. I can't see what gets injected or if that makes sense. Seems mail-tester and Gmail don't like it. This said, I got 7/10 in mail-tester. DKIM is the big issue.
Have you sent an email to an address (that you have access to, not Gmail or Microsoft) and viewed the incoming headers to see exactly what is in there? If you want, I'll PM you an email address, look at the headers and report back with the findings.
Do not do that, you don't know what system it's getting that information from.
Virtualmin should set everything up to work; do not play with Postfix unless you know what you're doing.
Has the domain been added to the signed domain section?
The Canonicalization for the body is set to “simple”. This can lead to problems when verifying the email signature. We recommend setting it to “relaxed” for header and body. Learn more in our knowledge base.
Will need to look into that …
-------- other question…
In Virtualmin > domain > DNS Settings > DNS DKIM Record … do I set it to use the default key or the key below?
The key seems to be the issue. Instead of c=relaxed/simple; it wants c=relaxed/relaxed; - but so far I didn't find where to change it.
However, setting it to relaxed/relaxed makes it even worse. simple/simple is the same as relaxed/simple - will leave it like that.
Update:
Looks like somehow there was a small mismatch between the generated DKIM DNS records and what I put into Cloudflare. After changing that it still failed, but no more "error": "bad signature", "explanation": "crypto/rsa: verification error". I tried again switching to relaxed/relaxed, and this time I got all green.