DKIM signature invalid for some domains, not all

Hi there,

I have enabled DKIM signing and all of my virtual servers share the same domain key. They all have published DNS records that are found and valid; however, when testing for DKIM signature validation, all of my domains but one fail. I’ve tried toggling the option to sign emails and I’ve regenerated keys (same one though). What else can I do to troubleshoot this?

Below are both valid and invalid email test results from: http://www.appmaildev.com/en/dkim/ (I’ve used other tests to confirm results as well). I tried attaching, but I received errors.

My system:
Ubuntu 14.04.1 LTS
Virtualmin 4.09 GPL
Webmin 1.690
Default server setup (postfix/apache/etc)

====
RESULTS FROM DOMAIN THAT PASSED DKIM SIGNATURE VALIDATION

This email is an automatic response from AdminSystem DKIM verifier service (1.0.0.5).
The service allows email senders to perform a simple check of SPF, DKIM and DomainKeys.
It is provided free of charge, in the hope that it is useful to the email community.

We welcome any feedback you may have at support@emailarchitect.net.
Thank you for using the service.
AdminSystem Software Limited

============================================================
SPF result: Pass

Domain: wearecuriouser.com
IP: 23.239.15.19

SPF Record: wearecuriouser.com
IN TXT = “v=spf1 a mx a:wearecuriouser.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 ?all”

—SPF Trace Log—
Start to check SPF record
Sender IP:23.239.15.19
Sender Domain:wearecuriouser.com

Parse Sender-IP 23.239.15.19
Query TEXT record from DNS server for: wearecuriouser.com
[TXT]: v=spf1 a mx a:wearecuriouser.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 ?all
Parsing SPF record: v=spf1 a mx a:wearecuriouser.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 ?all

Mechanisms: v=spf1

Mechanisms: a
Testing mechanism a
Query A record from DNS server for: wearecuriouser.com
[A]: 23.239.15.19
Testing CIDR: source=23.239.15.19; 23.239.15.19/128
a hit, Qualifier: +

============================================================
DomainKey result: none (no signature)

============================================================
DKIM result: pass

Signed by: wearecuriouser@wearecuriouser.com
Expected Body Hash: g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=

PublicKey: curiouser._domainkey.wearecuriouser.com
IN TXT = “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApFcZ7Dy6yC4tfzFBunpBJJXWuMbi+SwYIzVONWtOvYzO///AdjqwtUL5D873G3Jxg9yaAo4ea8FU8jYnu8DY6PBcfmjhhk9eN5p5V3m/6hZnnw6sjM0FBALLx/2JAVi/JlVSDSIXMmH017HswmAAliMUSMY9p5kNTvQn/yHsMjp3HFOZNyVLoJ9G77xzVrwW0J6EaVfx0GMx0clSf991JwxwEcGZHS8Dy9vBRqCzOZVj8c4Ulqb0HoTSHbvdJGXzbDThQSQ8F4UuGIXo4B9gkYe5YFgBpduvXH6V2sdvtEznXOWhUTOTMAuBY/G0QLqBXOB/OMBuuYoJwhwqfLCrOQIDAQAB;”

—Original Message Header—
x-sender: wearecuriouser@wearecuriouser.com
x-receiver: AAAA3gcIFhMA@appmaildev.com
Received: from linode-01.curiousercreative.com ([23.239.15.19]) by mail.appmaildev.com with Microsoft SMTPSVC(7.5.7600.16385);
Fri, 22 Aug 2014 19:29:46 -0400
Received: from [10.0.1.11] (ool-18bfc033.dyn.optonline.net [24.191.192.51])
(Authenticated sender: wearecuriouser)
by linode-01.curiousercreative.com (Postfix) with ESMTPSA id 37D46B2339
for AAAA3gcIFhMA@appmaildev.com; Fri, 22 Aug 2014 19:28:19 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wearecuriouser.com;
s=curiouser; t=1408750099;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=From:Subject:Date:To:From;
b=gW4NawgOeBUgdJNzs0liPQl48ETElXrzsowBqNAUEBzHpY5XHu/V2aXrZfMBYI+n7
RGpdv8SJP2g13Sn93hNgxeJzodshEPR3lNek1qBzPBVmcFUvvoULrpwKHD1q5l+eWW
AC6p15okphBXOQ7kvejHMmP4CK7j9hGeh5Gm77QIGOfzwM2JFgp1kf4toiH4np4vaH
pQQVn8Srs9TqHZVohGIEPu/IENLkNyKReKihavrYA4U8VbJAWUw3J2Y69DAwdMHnXN
hRj4weDL1AGR5NAhu/R5avKzc7PMFPGqP4xKzswkVhXYFoL+qx1VAxZKBP44ZJE7lb
xvX2IfMS5ioOw==
From: Winston Hoy wearecuriouser@wearecuriouser.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: test
Message-Id: 684D5B15-40F9-4609-902B-E79015C192CD@wearecuriouser.com
Date: Fri, 22 Aug 2014 19:28:20 -0400
To: AAAA3gcIFhMA@appmaildev.com
Mime-Version: 1.0 (Mac OS X Mail 7.3 (1878.6))
X-Mailer: Apple Mail (2.1878.6)
Return-Path: wearecuriouser@wearecuriouser.com
X-OriginalArrivalTime: 22 Aug 2014 23:29:46.0250 (UTC) FILETIME=[F587F6A0:01CFBE60]

====
RESULTS FROM DOMAIN THAT FAILED DKIM SIGNATURE VALIDATION

============================================================
SPF result: Pass

Domain: curiousercreative.com
IP: 23.239.15.19

SPF Record: curiousercreative.com
IN TXT = “v=spf1 a mx mx:curiousercreative.com mx:iscuriouser.com include:aspmx.googlemail.com include:_spf.freshbooks.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 -all”

—SPF Trace Log—
Start to check SPF record
Sender IP:23.239.15.19
Sender Domain:curiousercreative.com

Parse Sender-IP 23.239.15.19
Query TEXT record from DNS server for: curiousercreative.com
[TXT]: v=spf1 a mx mx:curiousercreative.com mx:iscuriouser.com include:aspmx.googlemail.com include:_spf.freshbooks.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 -all
Parsing SPF record: v=spf1 a mx mx:curiousercreative.com mx:iscuriouser.com include:aspmx.googlemail.com include:_spf.freshbooks.com ip4:23.239.15.19 ip6:2600:3c03::f03c:91ff:fe50:8e0 -all

Mechanisms: v=spf1

Mechanisms: a
Testing mechanism a
Query A record from DNS server for: curiousercreative.com
[A]: 23.239.15.19
Testing CIDR: source=23.239.15.19; 23.239.15.19/128
a hit, Qualifier: +

============================================================
DomainKey result: none (no signature)

============================================================
DKIM result: fail (bad signature)

Signed by: winston@curiousercreative.com
Expected Body Hash: GDB8OF7yCaLHWwAnfAMSi0XsrLCYyFkcaVRFIF9twWw=

PublicKey: curiouser._domainkey.curiousercreative.com
IN TXT = “v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB7DQ1afMAliUzB26PcEUoFbdmh9J8ZCPzCHobPHJkUaYQ8kL345UkD6UN78ewcGpOtUX9+ZWFT419CFbZRUDg98RVCq3M6TIlot8gfC2kI2IZ4Cc4iV61OVlBkEC4NbYUiybWXxqjduq2PQuqqFH/e6V/NO4awPGJxQBYxOxLtQIDAQAB;”

—Original Message Header—
x-sender: winston@curiousercreative.com
x-receiver: AAAA3gcIFhIA@appmaildev.com
Received: from linode-01.curiousercreative.com ([23.239.15.19]) by mail.appmaildev.com with Microsoft SMTPSVC(7.5.7600.16385);
Fri, 22 Aug 2014 18:11:41 -0400
Received: from [10.0.1.2] (ool-18bfc033.dyn.optonline.net [24.191.192.51])
(Authenticated sender: winston.curiouser)
by linode-01.curiousercreative.com (Postfix) with ESMTPSA id BACA6B217A
for AAAA3gcIFhIA@appmaildev.com; Fri, 22 Aug 2014 18:10:14 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=curiousercreative.com;
s=curiouser; t=1408745414;
bh=GDB8OF7yCaLHWwAnfAMSi0XsrLCYyFkcaVRFIF9twWw=;
h=From:Subject:Date:To:From;
b=RTzz91QHjj0BdTavh/Sbx3lzVCfl1lkWySERQxiOMpI2FgV035dEleB7L8bTrsm32
7O6QXW1+4Qo9vDBydZxhtGdI9DV1Ss6UMeu8AE4YMvTundUSuPca75e907LpAy9Wl8
Up0cKNPOlgj8n7dWi3fSL7s4JWmDryoiON+jL/HJsevorYqN7ERF61kAEqmosPsVrR
iPIpRj/IQdArAFJEfg+qyXyMiredbVYCxc0F4zj1XWqsiAU2zDY2qN/mxvGkcmeOlo
IaGqAfprdXPAJQXxEZcA7gBS0qpu/Gd5bMFUCUce7oOqdZj2h+P2Q1H6A1n2KS3q6z
mKpLZH5wjuUJQ==
From: Winston Hoy winston@curiousercreative.com
Content-Type: multipart/alternative; boundary=“Apple-Mail=_403A19F3-D998-4D6F-8955-3964354D743A”
Subject: test
Message-Id: 981EE9E5-587F-4E81-8CE4-3E5877176254@curiousercreative.com
Date: Fri, 22 Aug 2014 18:10:06 -0400
To: AAAA3gcIFhIA@appmaildev.com
Mime-Version: 1.0 (Mac OS X Mail 7.3 (1878.6))
X-Mailer: Apple Mail (2.1878.6)
Return-Path: winston@curiousercreative.com
X-OriginalArrivalTime: 22 Aug 2014 22:11:41.0703 (UTC) FILETIME=[0D52D170:01CFBE56]

As always, it just takes another set of eyes looking at a problem for it to solve itself. While looking into it with andreychek today, the domain that previously failed began passing DKIM signature validation. The DNS records haven’t changed, so perhaps in Virtualmin or some other package updates since the original posting the signing started working. In any case, glad it’s working!
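
Added example (not part of the original posts and not Virtualmin's or the verifier service's code): in the two reports above, the failing domain's published p= value is much shorter than the passing domain's, while both b= signatures span the same number of lines. The check below reads the RSA key size from a DKIM TXT record and compares it with the signature size; the function names are hypothetical and the sample record and signature are constructed dummies.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def tag_value(tag_list, name):
    """Extract one tag from a DKIM tag=value list, dropping folding whitespace."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=([^;]*)", tag_list)
    return re.sub(r"\s+", "", m.group(1)) if m else None

def key_bits(txt_record):
    """Modulus size, in bits, of the RSA key in a DKIM TXT record's p= tag."""
    der = base64.b64decode(tag_value(txt_record, "p"))
    _, spki, _ = _tlv(der, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, spki)         # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _tlv(der, alg_end)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= does not hold a SubjectPublicKeyInfo")
    _, rsa, _ = _tlv(der, bitstr + 1)       # +1 skips the unused-bits byte
    _, n_start, n_end = _tlv(der, rsa)      # INTEGER modulus
    return len(der[n_start:n_end].lstrip(b"\x00")) * 8

def same_key_size(txt_record, dkim_signature):
    """An RSA signature is exactly as long as the signing key's modulus."""
    sig_bits = len(base64.b64decode(tag_value(dkim_signature, "b"))) * 8
    return key_bits(txt_record) == sig_bits

# --- constructed sample data: dummy keys and signatures, sizes only ---
def _der(tag, body):
    size = len(body).to_bytes(2, "big").lstrip(b"\x00")
    head = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):
    n = b"\x00" + b"\xff" * (bits // 8)     # leading zero keeps the INTEGER positive
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(spki).decode()

def sample_signature(bits):
    b = base64.b64encode(bytes(bits // 8)).decode()
    head = "v=1; a=rsa-sha256; d=example.com; s=sel; bh=AAAA;\r\n\tb="
    return head + b[:64] + "\r\n\t" + b[64:]
```

A size mismatch means the signer and the published record are using different keys; equal sizes do not prove the keys match, so a full verification is still needed after that.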