I am having a brain-twisting issue with the DKIM setup. Perhaps I cannot see the wood for the trees!
DomainKeys identified mail options
Signing of outgoing mail enabled? is set to YES
The DNS for the specific domain is set with:
2015._domainkey.example.com. IN TXT ( “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB”
“eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X”
“m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5”
“UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT”
“pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF”
“UASEolFUwIDAQAB” )
–
Which, as pasted below, is also shown in: “DNS records for additional domains” on the “DomainKeys identified mail options” page
Is there anything in the maillog/mail.log about it, when sending a message?
Can you post the headers of a message sent from your Virtualmin system? (i.e. send an email, and look at the headers when it arrives) That’ll tell us if signing is actually happening.
Received-SPF: none (domain of example.com does not designate permitted sender hosts)
Authentication-Results: mta1420.mail.bf1.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)
No, I mean a header for a successfully delivered email. That’s not the original headers from the message as it was sent out of your server, which is what I need to see to figure out if it’s actually signing things. You can send mail to your own server, even. It just needs to go through the outgoing mail queue so Postfix can sign it and such.
And, we still need to see the entries in the mail.log or maillog when you try to send an email.
Not sure what your DNS setup is but my DNS is not on my main server but is provided by my host, so although it looked like my DNS records were all set up properly in Virtualmin I actually hadn’t added the DNS text record for either DKIM or SPF to the real DNS server.
Once I added these records to my real DNS server, DKIM and SPF started to work properly.
Although my DNS is local, your post made me look into that side of things and I noticed that the reverse DNS had not been correctly set up with the host.
This has now been rectified by the host and I have updated the hostname accordingly.
Whether this was affecting the DKIM/SPF issue remains to be seen.
I am awaiting propagation before I continue with any more tests.
So, that’s where the problem lies. Maybe try disabling and re-enabling DKIM in Virtualmin (find that setting in Email Messages->DomainKey Identified Mail->Signing of outgoing mail enabled?), and see if the DKIM signature begins to appear. I can’t think of why it wouldn’t sign your messages, if the feature is enabled.
Hi Darren @dj586
Did you manage to get your outgoing email signed?
Just going down the same route as you: mxtoolbox says it is good, SPF is good - but my outgoing emails are not signed…
Kind Regards
Brad
One IMPORTANT factor to remember is that a policy record needs to be included for a domain. This is a text entry which tells a mail server how mail is signed by DKIM; without it a DKIM signature will have issues.
Create a DNS txt record for your domain for the policy
Name: _domainkey.yoursite.tld
Message : o=-;
The above text tells the mail server that ALL messages are signed by DKIM and must be checked … this is the strictest setting and best used IF you are being spoofed
A more relaxed version which tells a server receiving mail that some are signed is
Message: o=~;
Adding the policy may help and you will find your mail signed with your DKIM signature.
Hi @CEEWorld
Thank you for your assistance - the main issue turned out to be a bug in my registrar DNS panel not properly removing txt records (after they were deleted) - I ended up with about 4 different yourselector_domainkey.yourdomain.tld records associated with my domain -
I switched my DNS to Cloudflare and had a green light in 5 minutes.
Hi there
In Virtualmin go to Email Settings > DomainKeys Identified Mail
The last section "DNS records for additional domains" has your cert
Step 1: create a new text record in Cloudflare, using the cert name (for example 2019._domainkey) in the first field.
Step 2: copy the rest of the cert starting from v=DKIM1 (do not include the “), paste that record in a text editor and make the whole record one line, removing all spaces and all (”) that start and end each row.
Step 3: paste your cert without spaces in the record box (Cloudflare) and add the record.
Step 4: wait 5 minutes and test.
Hope this helps - if you get stuck paste your full record (before editing) here and I will try and help
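The flattening described in the steps above, together with a check for the leftover duplicate selector records reported earlier in the thread, as an added example that is not part of any post here. The sample record, its truncated p= placeholder and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample in the multi-string zone-file form shown by Virtualmin.
# The p= value is a truncated placeholder, not a usable key. The curly quotes
# mimic what a web page or forum paste does to the original straight quotes.
SAMPLE = '''2019._domainkey.example.com. IN TXT ( “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0B”
“AQEFAAOCAQ8AMIIBCgKCAQEA” )'''

QUOTED = re.compile(r'["“”]([^"“”]*)["“”]')

def flatten_txt(zone_text):
    """Return (name, value): the quoted strings joined into one line, no spaces."""
    name = zone_text.split()[0].rstrip(".")
    chunks = QUOTED.findall(zone_text)
    if not chunks:
        raise ValueError("no quoted strings found in record")
    return name, re.sub(r"\s+", "", "".join(chunks))

def check_dkim_value(value):
    """Return a list of problems found in one flattened DKIM key record."""
    problems = []
    tags = dict(t.split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v=DKIM1")
    p = tags.get("p", "")
    if not p:
        problems.append("empty p= value")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if der[:1] != b"\x30":  # a public key blob starts with a DER SEQUENCE
                problems.append("p= does not decode to a DER structure")
        except ValueError:
            problems.append("p= is not valid base64 (stray quote or space?)")
    return problems

def check_rrset(values):
    """values: every TXT value published at one selector name."""
    problems = []
    if len(values) > 1:  # RFC 6376 requires a single key record per selector
        problems.append(f"{len(values)} TXT records at one selector")
    for v in values:
        problems += check_dkim_value(v)
    return problems

if __name__ == "__main__":
    name, value = flatten_txt(SAMPLE)
    print(name, value, check_rrset([value]), sep="\n")
```

Paste the output value into the DNS panel as a single TXT record, then pass every TXT string the public DNS returns for the selector to `check_rrset` to confirm that only one record is left.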