DKIM not working, sending with signature, or discarding

SYSTEM INFORMATION
OS type and version Ubuntu Linux 18.04.6, Linux 4.15.0 on x86_64
Webmin version 2.021
Virtualmin version 7.7
Related packages spamassassin, postfix

Followed URL for DKIM install:
https://www.virtualmin.com/documentation/email/dkim/

DomainKeys Identified Mail is configured:
“Finding virtual servers to enable DKIM for …
… no virtual servers with DNS and email enabled were found, but enabling for 2 extra domains
Extracting public key from private key in /etc/dkim.key …
… done
Setting domain and selector in DKIM filter configuration …
… done
Enabling DKIM filter at boot time …
… done
Starting DKIM filter …
… done
Configuring mail server to use DKIM filter …
… done”

MX toolbox check says the DNS entry is correct, DKIM signature is valid
When I send an email to https://dkimvalidator.com/, it says ‘no DKIM signature’

Also, I am not rejecting spam for some reason, even though spamassassin is installed and all config seems OK

Help !
Thanks, Rob

First, do you host your own DNS? Seems common here that people are using someone else. Also, sometimes these changes might take time to propagate.

If the answer to that is no, then:

Virtualmin > Server Configuration > DNS records

I have a separate DNS, and so disabled webmin/virtualmin DNS via following:

https://forum.virtualmin.com/t/mass-disable-plugin-bind-dns/38064

Used:

virtualmin disable-feature --all-domains --dns

Note, BIND DNS server is installed, but each virtualmin is disabled

Note, on the DKIM in my DNS, I have listed the signature as a single long list, without the split up “ “ around each section.

So now I have v=DKIM1; k=rsa; t=s; p={very long continuous line}

I test in MXToolbox and it says the DKIM signature is good without all the split up sections, so don’t think it’s my DNS, I think the issue is a Webmin/Virtualmin setting

Also my DMARC is correct, tested by mxtoolbox

I installed the server with DNS, and only yesterday made the change above, which now shows as correct, so not 2 competing DNS anymore

But maybe a config issue, could be DNS or Postfix or Spamassassin

Rob
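Both ways of publishing the key record discussed above (one continuous string, or several quoted chunks) resolve to the same value, because the strings of a TXT record are concatenated with no whitespace before use. As an added example, not part of the original posts, this Python code parses both forms and compares them; the key material is constructed and the function names are hypothetical.

```python
import re

def join_txt_strings(rdata: str) -> str:
    """Join the quoted character-strings of a TXT record, as a verifier does.

    DNS limits each string to 255 bytes, so long DKIM keys are often published
    as several quoted chunks; they are concatenated with nothing in between.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()

def parse_dkim_record(rdata: str) -> dict:
    """Parse tag=value pairs from a DKIM key record and run basic sanity checks."""
    text = join_txt_strings(rdata)
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if not tags.get("p"):
        problems.append("p= is empty (key revoked or missing)")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tags["p"]):
        problems.append("p= is not valid base64")
    return {"tags": tags, "problems": problems}

# Constructed placeholder key material (not a real key), in both publishing styles.
FAKE_KEY = "QUJD" * 30
CONTINUOUS = f"v=DKIM1; k=rsa; t=s; p={FAKE_KEY}"
SPLIT = f'"v=DKIM1; k=rsa; t=s; " "p={FAKE_KEY[:40]}" "{FAKE_KEY[40:]}"'

if __name__ == "__main__":
    for label, rdata in (("continuous", CONTINUOUS), ("split", SPLIT)):
        result = parse_dkim_record(rdata)
        print(label, result["tags"]["t"], len(result["tags"]["p"]), result["problems"])
```

A record that parses cleanly here only shows the published key is well-formed; whether outgoing mail actually carries a DKIM-Signature header is decided on the sending server.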

Then you must make the changes there. If you point the DNS away from your Virtualmin server then the world is not gonna look there for records.

Agreed, but I don’t think this is a DNS problem, as MXToolbox says DKIM and DMARC are all correct.

I think it’s some problem with webmin not actually sending with DKIM, or checking incoming with DKIM

Rob

Again, these records need to be on the machine that serves out your DNS, NOT on your WM/VM machine. How can the local machine check anything if the records are elsewhere?

I have a separate DNS server, it’s the same company as the registry, hence the DNS is totally separate server to my VPS server (Webmin/Virtualmin)

The DNS on Webmin is disabled

MXtoolbox says the records are correct.

The validator site isn’t checking YOUR machine which is where the records for DKIM and SPF are unless you also put them on the separate DNS server you are using with your provider.

We seem to be going in circles here. If your machine isn’t the DNS server then NOTHING you see on your server counts for anything.

The validator site is looking at your provider, not your machine.

That does not make any sense. The DNS server has the IP address for the separate VPS (see A records), hence any DKIM records pass to the IP address of the VPS… so they can be separate

I’ll stand corrected if wrong, but I don’t think that is what happens.

Just try putting your DKIM, DMARC and SPF on your DNS host and see what happens. My bet is they work. DNS doesn’t pass through anything. That is why these are in your DNS records.

Easy way to find if it’s all working, send an email to a gmail account if you have one. If the email gets to the account ok, on the right side click the 3 dots, from the drop down select “show original”.
There you should see.

I see SPF and DMARC, I don’t see any DKIM

There is no mention of DKIM in the header (show original), not even a fail,

Ha, got it to work on outbound !!:

In the Virtualmin setup:

Email Settings → DomainKeys Identified Mail

I had in the ‘Extra domains to sign for’ the name of the server called ‘server’ and the name of the server and server.domain.com

So I added just domain.com, so all 3 listed, and it now signs DKIM

ok, so outgoing email is now signed.
but incoming, still got a persistent spammer, ugh
see below (sorry for the long post)
see DKIM_INVALID, dkim=fail. so why did Virtualmin allow this to pass ?

Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server.domain.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.0 required=5.0 tests=BAD_ENC_HEADER,BAYES_00,
    DKIM_INVALID,DKIM_SIGNED,HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_32,
    HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,
    RCVD_IN_MSPIKE_L3,RCVD_IN_SBL,RCVD_IN_SBL_CSS,RDNS_NONE,SPF_HELO_NONE,
    T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no
    version=3.4.2
X-Original-To: info@domain.com
Delivered-To: name-domain.com@localhost.localdomain
Received: by server.domain.com (Postfix)
    id 4C509B1606; Thu, 22 Jun 2023 13:10:31 +0000 (UTC)
Delivered-To: info-domain.com@localhost.localdomain
Received: from o1.ptr6955.ncare.nl (unknown [103.186.116.160])
    by server.domain.com (Postfix) with ESMTP id 075F2B15D4
    for info@domain.com; Thu, 22 Jun 2023 13:10:31 +0000 (UTC)
Authentication-Results: server.domain.com;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=news.foodnetwork.com header.i=@news.foodnetwork.com header.b="hNB+JCsJ";
    dkim-atps=neutral
Received: from AS4P250MB0416.EURP250.PROD.OUTLOOK.COM (2603:10a6:20b:4c3::20)
    by DB9P250MB0451.EURP250.PROD.OUTLOOK.COM with HTTPS; Tue, 20 Jun 2023
    19:48:22 +0000
Received: from MW4PR03CA0011.namprd03.prod.outlook.com (2603:10b6:303:8f::16)
    by AS4P250MB0416.EURP250.PROD.OUTLOOK.COM (2603:10a6:20b:4c3::20) with
    Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6477.42; Tue, 20 Jun
    2023 19:48:19 +0000
Received: from MW2NAM10FT104.eop-nam10.prod.protection.outlook.com
    (2603:10b6:303:8f:cafe::85) by MW4PR03CA0011.outlook.office365.com
    (2603:10b6:303:8f::16) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6500.37 via Frontend
    Transport; Tue, 20 Jun 2023 19:48:19 +0000
Authentication-Results: spf=pass (sender IP is 137.22.224.206)
    smtp.mailfrom=news.foodnetwork.com; dkim=pass (signature was verified)
    header.d=news.foodnetwork.com;dmarc=pass action=none
    header.from=news.foodnetwork.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of news.foodnetwork.com
    designates 137.22.224.206 as permitted sender)
    receiver=protection.outlook.com; client-ip=137.22.224.206;
    helo=137.22.224.206.jfk.braze.com; pr=C
Received: from 137.22.224.206.jfk.braze.com (137.22.224.206) by
    MW2NAM10FT104.mail.protection.outlook.com (10.13.155.208) with Microsoft SMTP
    Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.20.6521.23 via Frontend Transport; Tue, 20 Jun 2023 19:48:19 +0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=news.foodnetwork.com; s=scph0223; t=1687290495;
    i=@news.foodnetwork.com;
    bh=V/HbgTmtsoTCJpCP3zvdxiDXpjdslAdzSpPPFyW05+4=;
    h=To:Message-ID:Date:Content-Type:Subject:From:From:To:Cc:Subject;
    b=hNB+JCsJtnKsjDE0quCKJ6MolwJ7TIcjcBO6u38dwEfqfprNPRvAUhHLylQCh0HGy
    eULufuAMC7OTH/mQQVOgoIinG+zSU8rmT6a64pdFt9Om8W9ZFexI7BN2GMcZLFbxxJ
    K3ywnqCjxyUtv5AcXHDlRapElTspeg8kSS+evjII=
To: info info@domain.com
Message-ID: B8.05.47712.khEKK18M@jl.mta1vrest.cc.prd.sparkpost
Date: Thu, 22 Jun 2023 15:10:24 +0200
Content-Type: text/html;
Subject: =?UTF-8?Q?Congrats! You’ve Been Selected For $100 CVS Reward?=
From: "=?UTF-8?Q?CVS Shipment?=" info@domain.com

MIME-Version: 1.0

OK, so previously I had followed the below URL to set up SPAMASSASSIN and PROCMAIL; I did this 2 years ago when I built my VPS with Webmin.
But for some reason, maybe due to code updates, the complete config as in the URL was gone??
So whilst SPAMASSASSIN was installed, the below steps were missing.
So I have just re-followed the process; let’s see if this nails SPAM!?

will wait and see if this stops it. BUT… a new check of virtualmin shows below:
"SpamAssassin and Procmail are installed and configured for use
SpamAssassin is configured to be run from the global Procmail configuration /etc/procmailrc, which is not needed as Virtualmin will set it up on a per-domain basis

… your system is not ready for use by Virtualmin"

So is there a new setup to follow? And if it was correct from the get-go, why is it not stopping SPAM for failed DKIM?

Is this a different issue? Please create a new post with the issue.

No, its the same issue, its the ‘and discarding’ part of the subject.

You’re starting to talk about incoming emails and the post was about outgoing emails, so it’s a different issue.
P.S.
OK, I see at the bottom “also, i am not rejecting spam for some reason, even though spamassassin installed and all config seems ok”

Best to keep post on single issue, not multiple issues.

virtualmin didn’t allow it to pass. virtualmin has nothing to do with your email system. virtualmin uses safe defaults for each web service, and it’s up to the system administrator to tweak/change those (if he/she wants to…).

anyway, it doesn’t get rejected, because invalid DKIM doesn’t trigger a very big spam score in spamassassin. so, adjust DKIM_INVALID value in some .cf file in spamassassin if you like, but that’s up to you…
just like you (in the OP), not all people know how to setup DKIM, SPF, DMARC (or even MX for that matter), correctly… so, if you want to block all invalid DKIM messages, you might also lose some false positives.

and you could also probably train spamassassin with those spam messages…

anyway, different “issue”,
just 2c.
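To make the scoring point above concrete, here is an added example (not part of the original posts) that parses the X-Spam-Status and Authentication-Results values quoted earlier in the thread and recomputes the total if DKIM_INVALID were given a higher score. The stock DKIM_INVALID score of 0.1 and the candidate score of 1.5 are assumptions chosen for illustration, and the function names are hypothetical.

```python
import re

# Header values copied from the message quoted in the thread (folded lines joined).
SPAM_STATUS = (
    "No, score=4.0 required=5.0 tests=BAD_ENC_HEADER,BAYES_00,"
    "DKIM_INVALID,DKIM_SIGNED,HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_32,"
    "HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,"
    "RCVD_IN_MSPIKE_L3,RCVD_IN_SBL,RCVD_IN_SBL_CSS,RDNS_NONE,SPF_HELO_NONE,"
    "T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no "
    "version=3.4.2"
)
AUTH_RESULTS = (
    'server.domain.com; dkim=fail reason="signature verification failed" '
    "(1024-bit key; unprotected) header.d=news.foodnetwork.com "
    'header.i=@news.foodnetwork.com header.b="hNB+JCsJ"; dkim-atps=neutral'
)

# Assumption: the score DKIM_INVALID carries before any local override.
ASSUMED_DEFAULTS = {"DKIM_INVALID": 0.1}

def parse_spam_status(value):
    """Extract the total score, the threshold and the rules that fired."""
    m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)", value)
    if not m:
        raise ValueError("not an X-Spam-Status value")
    tests = [t for t in m.group(3).split(",") if t]
    return {"score": float(m.group(1)), "required": float(m.group(2)), "tests": tests}

def dkim_results(value):
    """Return every dkim= verdict recorded in an Authentication-Results value."""
    return re.findall(r"\bdkim=(\w+)", value)

def rescore(status, old_scores, new_scores):
    """Recompute the total as if the given rules had new scores in a .cf file."""
    total = status["score"]
    for rule, new in new_scores.items():
        if rule in status["tests"]:
            total += new - old_scores[rule]
    total = round(total, 1)
    return total, total >= status["required"]

if __name__ == "__main__":
    status = parse_spam_status(SPAM_STATUS)
    print("dkim verdicts:", dkim_results(AUTH_RESULTS))
    print("as delivered:", rescore(status, ASSUMED_DEFAULTS, ASSUMED_DEFAULTS))
    print("DKIM_INVALID=1.5:", rescore(status, ASSUMED_DEFAULTS, {"DKIM_INVALID": 1.5}))
```

The matching SpamAssassin setting would be a line such as `score DKIM_INVALID 1.5` in a local .cf file; running the same calculation over legitimate mail that also hit DKIM_INVALID shows how many false positives a given value would cost.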