I am having a brain-twisting issue with the DKIM setup. Perhaps I cannot see the wood for the trees!
DomainKeys identified mail options
Signing of outgoing mail enabled? is set to YES
The DNS for the specific domain is set with:
2015._domainkey.example.com. IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB"
Which, as pasted below, is also shown in: “DNS records for additional domains” on the “DomainKeys identified mail options” page
2015._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB"
However, Yahoo gives:
Authentication-Results: xxxx.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)
gives me “DKIM-Result: none (no signature)”
It is driving me nuts.
Any guidance would be much appreciated.
Would really appreciate some help with this.
I tried disabling and re-enabling the DKIM signing - but emails are still not getting signed.
Is there anything in the maillog/mail.log about it, when sending a message?
Can you post the headers of a message sent from your Virtualmin system? (i.e. send an email, and look at the headers when it arrives) That’ll tell us if signing is actually happening.
Thanks for the response.
Here is an excerpt from a Yahoo header:
Received-SPF: none (domain of example.com does not designate permitted sender hosts)
Authentication-Results: mta1420.mail.bf1.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)
No, I mean a header for a successfully delivered email. That’s not the original headers from the message as it was sent out of your server, which is what I need to see to figure out if it’s actually signing things. You can send mail to your own server, even. It just needs to go through the outgoing mail queue so Postfix can sign it and such.
And, we still need to see the entries in the mail.log or maillog when you try to send an email.
Below is the result of a received email, viewing headers in Thunderbird
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
X-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE,
Received: by my.hostname (Postfix, from userid 48)
id 0A1861661A30; Sun, 20 Aug 2017 00:53:35 +0000 (UTC)
Subject: DKIM 01:55
Content-type: text/html; UTF-8
Date: Sun, 20 Aug 2017 00:53:35 +0000 (UTC)
Is this what you required?
The maillog seems to only contain some spam.
Not sure what your DNS setup is but my DNS is not on my main server but is provided by my host, so although it looked like my DNS records were all set up properly in Virtualmin I actually hadn’t added the DNS text record for either DKIM or SPF to the real DNS server.
Once I added these records to my real DNS server DKIM and SPF started to work properly.
Thanks for that.
Although my DNS is local, your post made me look into that side of things and I noticed that the reverse DNS had not been correctly set up with the host.
This has now been rectified by the host and I have updated the hostname accordingly.
Whether this was affecting the DKIM/SPF issue remains to be seen.
I am awaiting propagation before I continue with any more tests.
When I run a DKIM lookup on https://mxtoolbox.com/
I see the correct response:
v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlL8AO2Twj3Y4W4/0Cyq9K8hYnOIC6qBObtob7taz/1eCqPt/rVdYjT0V3HPRa0SAHU7MV8gzyCcomdZ5il8A3Pw+ArJQZI8aNO7+ALihKyQIy7KypZ0bw+1LBMsUoqtPZXTAN8LW9dCF9aYynAIQruQMvwn9x5PwVjnUwBeoHdD+tiLLIzMhip87WpwIg1HbC8wCa5ydTUKkcrU3J7qq16MmXwue4bGcvk1ABFl+gbj5x8e5VJgdWXIljh5Iv+MczfAUweQI2eFaxeVlNs0Up9j6fZMOlHylUzOl726BUElGTKZtA2S/stRL5qoaK/K7D7JPO8EVqbQnX6SJ5UkntwIDAQAB
However, I still get no SPF or DKIM signing from http://appmaildev.com/
Sender-IP:xx.xx.xx.xx (correct IP for reverse DNS)
Sender-Domain:myserver.com (correct hostname/domain for reverse DNS)
Query TEXT record from DNS server for: myserver.com
Exception: No records found for given DNS query
DKIM-Result: none (no signature)
So I am presuming the problem lies in the emails not being signed by POSTFIX as they are being sent.
This is a production server, what would be the best (safest) way to capture the headers being added by Postfix?
I changed the setting: “What domain to use in outbound mail” in Postfix to use DOMAINNAME instead of HOSTNAME
I am now getting a PASS for SPF - but DKIM still failing
Thanks in advance for any further guidance
I don’t see a DKIM signature on that message. That looks like the following:
DKIM-Filter: OpenDKIM Filter v2.11.0 new.cloud.virtualmin.com 8BE391FA8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=new.cloud.virtualmin.com; s=default; t=1503252001;
So, that’s where the problem lies. Maybe try disabling and re-enabling DKIM in Virtualmin (find that setting in Email Messages->DomainKey Identified Mail->Signing of outgoing mail enabled?), and see if DKIM signature begins to appear. I can’t think of why it wouldn’t sign your messages, if the feature is enabled.
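The check described above (is there a DKIM-Signature header at all, and which DNS name does it point to), as an added example that is not part of the original post. The two messages are constructed samples, the `bh=`/`b=` values are placeholders, and the function name is hypothetical.

```python
from email import message_from_string

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # tags RFC 6376 requires

# Constructed messages: one shaped like the unsigned headers posted in the
# thread, one carrying a signature (bh=/b= are placeholders, not real values).
UNSIGNED = """\
Received: by my.hostname (Postfix, from userid 48)
Subject: DKIM 01:55
Date: Sun, 20 Aug 2017 00:53:35 +0000 (UTC)

test body
"""
SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
\td=example.com; s=2015; t=1503252001; h=Subject:Date;
\tbh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=
Subject: DKIM 01:55
Date: Sun, 20 Aug 2017 00:53:35 +0000 (UTC)

test body
"""

def dkim_signatures(raw_message):
    """Return one dict per DKIM-Signature header; an empty list means unsigned."""
    found = []
    for header in message_from_string(raw_message).get_all("DKIM-Signature", []):
        unfolded = "".join(header.split())  # drop folding whitespace
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        missing = [t for t in REQUIRED if not tags.get(t)]
        dns_name = None
        if tags.get("s") and tags.get("d"):
            # Name the receiving server queries for the public key
            dns_name = f"{tags['s']}._domainkey.{tags['d']}"
        found.append({"dns_name": dns_name, "missing": missing})
    return found

if __name__ == "__main__":
    print("unsigned:", dkim_signatures(UNSIGNED))
    print("signed:  ", dkim_signatures(SIGNED))
```

An empty result for a message that left the server means the signing filter never saw it, which is a mail-server problem rather than a DNS one.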
Hi Darren @dj586
Did you manage to get your outgoing email signed ?
Just going down the same route as you: mxtoolbox says it is good, SPF is good - but my outgoing emails are not signed…
One IMPORTANT factor to remember is that a policy record needs to be included for a domain. This is a text entry which tells a mail server how mail is signed by DKIM; without it, a DKIM signature will have issues.
Create a DNS txt record for your domain for the policy
Message : o=-;
The above text tells the mail server that ALL messages are signed by DKIM and must be checked … this is the strictest setting and best used IF you are being spoofed
A more relaxed version which tells a server receiving mail that some are signed is
Adding the policy may help and you will find your mail signed with your DKIM signature.
Thank you for your reply.
May I ask for clarification on what you have suggested
- Firstly am I including the selector in - like this myselector_domainkey when creating the txt record?
- Secondly for the relaxed method you mentioned am I just adding " o=~; " ?
For the DKIM record you put your selector in front of _domainkey.yourdomain.tld so it would look like this: "yourselector_domainkey.yourdomain.tld"
For the policy record you add NO selector; it is just _domainkey.yourdomain.tld
Yes, just add the o=~;
Thank you for your assistance - the main issue turned out to be a bug in my registrar DNS panel not properly removing txt records (after they were deleted) - I ended up with about 4 different yourselector_domainkey.yourdomain.tld records associated with my domain -
I switched my DNS to Cloudflare and had a green light in 5 minutes.
I’m having the same problem as you. But I use Cloudflare, can you tell me how you manage to sign the emails?
In Virtualmin go to Email Settings > DomainKeys Identified Mail
The last section "DNS records for additional domains" has your cert
Step 1: create a new text record in Cloudflare, use the cert name (for example 2019._domainkey) in the first field
Step 2: copy the rest of the cert starting from v=DKIM1 (do not include the "), paste that record in a text editor and make the whole record one line, removing all spaces and all (") that start and end each row.
Step 3: paste your cert without spaces in the record box (Cloudflare) and add the record.
Step 4: wait 5 minutes and test
Hope this helps - if you get stuck paste your full record (before editing) here and I will try and help
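Steps 1 to 3 above, as an added example that is not part of the original post: it joins the quoted rows of a zone-file style record into one line and checks that the result is still a usable DKIM key record. The sample record is constructed (its `p=` value is a shortened placeholder, not a real key) and the function names are hypothetical.

```python
import base64
import re

# Constructed sample in the multi-row layout the thread describes.
ZONE_RECORD = '''2019._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; "
    "p=MIIBIjANBgkqhkiG9w0B"
    "AQEFAAOCAQ8A" )'''

def flatten_txt(record):
    """Return (name, value) with the quoted rows joined into one string."""
    name = record.split()[0]
    chunks = re.findall(r'"([^"]*)"', record)
    if not chunks:
        raise ValueError("no quoted strings found in record")
    return name, "".join(chunks)

def parse_tags(value):
    """Split a DKIM tag list ('k=v; k=v') into a dict, ignoring whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def check_key_record(value):
    """Return a list of problems that would stop a verifier using the record."""
    problems = []
    if any(ch in value for ch in '"“”()'):
        problems.append("leftover quote or parenthesis in value")
    tags = parse_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    p = tags.get("p")
    if not p:
        problems.append("p= missing or empty")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    name, value = flatten_txt(ZONE_RECORD)
    print(name, "->", value, check_key_record(value) or "OK")
```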
Thanks, that’s a perfect explanation.
But I have it that way but I don’t get my email to send with the sign.
Any idea what I can be missing?
Do you have to add the domain manually in the field “Additional domains to sign for”?
Hi, are you using Debian or Ubuntu?
Ubuntu 18.04.2 ; Latest LTS