DKIM

Virtualmin
1

Hi,

I am having a brain-twisting issue with the DKIM setup. Perhaps I cannot see the wood for the trees!

DomainKeys identified mail options

Signing of outgoing mail enabled? is set to YES

The DNS for the specific domain is set with:

2015._domainkey.example.com. IN TXT ( “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB”
“eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X”
“m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5”
“UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT”
“pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF”
“UASEolFUwIDAQAB” )


Which, as pasted below, is also shown in: “DNS records for additional domains” on the “DomainKeys identified mail options” page

2015._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB" "eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X" "m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5" "UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT" "pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF" "UASEolFUwIDAQAB" )

However, Yahoo gives:

Authentication-Results: xxxx.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)

and http://appmaildev.com

gives me “DKIM-Result: none (no signature)”

it is driving me nuts

any guidance would be much appreciated

2

Hi

Would really appreciate some help with this.

I tried disabling and re-enabling the DKIM signing - but emails still not getting signed

cheers

3

Is there anything in the maillog/mail.log about it, when sending a message?

Can you post the headers of a message sent from your Virtualmin system? (i.e. send an email, and look at the headers when it arrives) That’ll tell us if signing is actually happening.

4

Hi Joe

Thanks for the response.

Here is an excerpt from a Yahoo header:

Received-SPF: none (domain of example.com does not designate permitted sender hosts) Authentication-Results: mta1420.mail.bf1.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)

Thanks

5

No, I mean a header for a successfully delivered email. That’s not the original headers from the message as it was sent out of your server, which is what I need to see to figure out if it’s actually signing things. You can send mail to your own server, even. It just needs to go through the outgoing mail queue so Postfix can sign it and such.

And, we still need to see the entries in the mail.log or maillog when you try to send an email.

6

Hi Joe

Below is the result of a received email, viewing headers in Thunderbird

Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on my.hostname X-Spam-Level: *** X-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,NO_RELAYS,SUBJ_ALL_CAPS autolearn=no version=3.3.1 X-Original-To: testadd@example.com Delivered-To: testadd.example.com@my.hostname Received: by my.hostname (Postfix, from userid 48) id 0A1861661A30; Sun, 20 Aug 2017 00:53:35 +0000 (UTC) To: testadd@example.com Subject: DKIM 01:55 X-PHP-Originating-Script: 0:test-email.php MIME-Version: 1.0 Content-type: text/html; UTF-8 From: TEST Message-Id: <20170820005336.0A1861661A30@my.hostname> Date: Sun, 20 Aug 2017 00:53:35 +0000 (UTC)

is this what you required?

the maillog seems to only contain some spam

7

Not sure what your DNS setup is but my DNS is not on my main server but is provided by my host, so although it looked like my DNS records were all set up properly in Virtualmin I actually hadn’t added the DNS text record for either DKIM or SPF to the real DNS server.
Once I added these records to my real DNS server DKIM and SPF started to work properly.

Kim

8

Hi Kim,

Thanks for that.

Although my DNS is local, your post made me look into that side of things and I noticed that the reverse DNS had not been correctly setup with the host.

This has now been rectified by the host and I have updated the hostname accordingly.

Whether this was affecting the DKIM/SPF issue remains to be seen.

I am awaiting propagation before I continue with any more tests.

Regards

Darren

9

UPDATE

When I run a DKIM lookup on https://mxtoolbox.com/

I see the correct response:

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlL8AO2Twj3Y4W4/0Cyq9K8hYnOIC6qBObtob7taz/1eCqPt/rVdYjT0V3HPRa0SAHU7MV8gzyCcomdZ5il8A3Pw+ArJQZI8aNO7+ALihKyQIy7KypZ0bw+1LBMsUoqtPZXTAN8LW9dCF9aYynAIQruQMvwn9x5PwVjnUwBeoHdD+tiLLIzMhip87WpwIg1HbC8wCa5ydTUKkcrU3J7qq16MmXwue4bGcvk1ABFl+gbj5x8e5VJgdWXIljh5Iv+MczfAUweQI2eFaxeVlNs0Up9j6fZMOlHylUzOl726BUElGTKZtA2S/stRL5qoaK/K7D7JPO8EVqbQnX6SJ5UkntwIDAQAB

ETC

However, I still get no SPF or DKIM signing from http://appmaildev.com/

SPF: None

Sender-IP:xx.xx.xx.xx (correct IP for reverse DNS)

Sender-Domain:myserver.com (correct hostname/domain for reverse DNS)

Query TEXT record from DNS server for: myserver.com

Exception: No records found for given DNS query

DKIM: None

DKIM-Result: none (no signature)

So I am presuming the problem lies in the emails not being signed by POSTFIX as they are being sent.

This is a production server, what would be the best (safest) way to capture the headers being added by Postfix?

FURTHER UPDATE:

I changed the setting: “What domain to use in outbound mail” in Postfix to use DOMAINNAME instead of HOSTNAME

I am now getting a PASS for SPF - but DKIM still failing

Thanks in advance for any further guidance

Darren

10

I don’t see a DKIM signature on that message. That looks like the following:

DKIM-Filter: OpenDKIM Filter v2.11.0 new.cloud.virtualmin.com 8BE391FA8 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=new.cloud.virtualmin.com; s=default; t=1503252001; bh=K2ZYWOI8FllBCThejtza427laAAdn5AyEETo//8rWCU=; h=From:To:Subject:Date:From; b=2z617WOkztcwZ93+7KmxfJ0o7siVJCMFduYtnqhRpcuoFQqIcbs+irUpVaTP5z8x/ VWwMsgyiZCprBUBPWIgq1QIDm1brdFEaQaFNnGBf0Gm79EKdchFAqeCS8s3iy8Apm5 6id172enC7j1kG0f1TPrkp6x8TFqF+DyHrw0j7bvC5Z7i0sqiJlXJw0sXB+XfwPjtE 49VcHQgS7xznGXG6oXTKnWC2Nk+fIoihqd0ArlEO+BbZObJN5OKVjlLvIqo/U4twMh ItOJUWMx+UbWAjYprv1LUlY0i4PuiqrRFgt5B3iUAqzobtWYEcOsX9N+8NwchT3PHY SnRiUWKRWaXKw==

So, that’s where the problem lies. Maybe try disabling and re-enabling DKIM in Virtualmin (find that setting in Email Messages->DomainKey Identified Mail->Signing of outgoing mail enabled?), and see if DKIM signature begins to appear. I can’t think of why it wouldn’t sign your messages, if the feature is enabled.

11

Hi Darren @dj586
Did you manage to get your outgoing email signed ?
Just going down the same route as you mxtoolbox says it is good, SPF is good - but my outgoing emails are not signed…
Kind Regards
Brad

12

One IMPORTANT factor to remember is that a policy record needs to be included for a domain. This is a text entry which tells a mail server how mail is signed by DKIM without it a DKIM signature will have issues.

Create a DNS txt record for your domain for the policy

Name: _domainkey.yoursite.tld

Message : o=-;

The above text tell the mail server that ALL messages are signed by DKIM and must be checked … this is the strictest setting and best used IF you are being spoofed

A more relaxed version which tells a server receiving mail that some are signed is

Message: o=~;

Adding the policy may help and you will find your mail signed with your DKIM signature.

13

Hi @CEEWorld

Thank you for your reply.
May I ask for clarification on what you have suggested

  • Firstly am I including the selector in - like this myselector_domainkey when creating the txt record?
  • Secondly for the relaxed method you mentioned am I just adding " o=~; " ?

Kind Regards
Brad
14

For the DKIM record you put your selector in front of _domainkey.yourdomain.td so it would look like this "yourselector_domainkey.yourdomain.tld

For the policy record you add NO selector is is just _domainkey.yourdomain.tld

Yes just add the o=~;

15

Hi @CEEWorld
Thank you for your assistance - the main issue turned out to be a bug in my registrar DNS panel not properly removing txt records (after they were deleted) - I ended up with about 4 different yourselector_domainkey.yourdomain.tld records associated with my domain -

I switched my DNS to Cloudflare and had a green light in 5 minutes .

ATB
Brad

16

Hi there,

I’m having the same problem as you. But I use Cloudflare, can you tell me how you manage to sign the emails?

Thanks.

17

Hi there
In Virtualmin go to Email Settings > DomainKeys Identified Mail

The last section " DNS records for additional domains " has your cert

Step 1 create a new text record in Cloudflare use the cert name (for example 2019._domainkey) in the first field
Step 2 copy the rest of the cert starting from v=DKIM1 (do not include the “) paste that record in a text editor and make the whole record one line removing all spaces and all (”) that start and end each row .
Step 3 paste your cert without spaces in the record box (cloudflare) and add the record.
Step 4 wait 5 minutes and test

Hope this helps - if you get stuck paste your full record (before editing) here and I will try and help

Kind Regards
Brad

18

Thanks, that’s a perfect explanation.

But I have it that way but I don’t get my email to send with the sign.

Any idea what I can be missing?
Do you have to add the domain manual in the field “Additional domains to sign for”?

19

Hi Are you using Debian or Ubuntu?
Kind Regards
Brad

20

Ubuntu 18.04.2 ; Latest LTS