Error opendkim no signing domain match for domain

SYSTEM INFORMATION
OS type and version AlmaLinux 9.5
Webmin version 2.202
Virtualmin version 7.30.3
Webserver version REQUIRED
Related packages SUGGESTED

Hi everyone, I have an error with opendkim, I don’t receive emails from some external domains, how can I overcome this problem?

/var/log/maillog-20241215:Dec 10 15:10:55 vmi2077506 opendkim[883130]: 6F77B2E628BF: maild7.bancodelpacifico.com.ec [45.180.125.69] not internal
/var/log/maillog-20241215:Dec 10 15:10:55 vmi2077506 opendkim[883130]: 6F77B2E628BF: no signing domain match for 'bancodelpacifico.com.ec'
/var/log/maillog-20241215:Dec 10 15:10:55 vmi2077506 opendkim[883130]: 6F77B2E628BF: no signing subdomain match for 'bancodelpacifico.com.ec'

I guess you’ve chosen to block unsigned email, and it is being blocked?

In a default Virtualmin configuration SpamAssassin would assign points to missing DKIM. I don’t think DKIM missing alone is enough to consider it spam, but if any other tests match or you’ve lowered the threshold, that would explain it.

So, find the email in the spam folder and check the SpamAssassin headers for details about why it was categorized as spam.

You can also search for more of that ID (6F77B2E628BF) in the log to see what happened to it. It’d generally show a couple more entries as it gets handed off to procmail-wrapper/procmail, and you’d then follow it in the procmail log.

How can I configure myself to receive emails that are not signed? Where should I enable this?

Unless you’ve changed it, the default configuration of SpamAssassin does not block on a failed DKIM test alone, there would need to be other tests that also failed.

You need to do what I suggested so you can see which tests failed and why the message was blocked. You can adjust SpamAssassin to be less sensitive to any test, but you should figure out what’s actually happening before you try to adjust things.

DomainKeys Identified Mail settings have not been changed and are the default. This is my server configuration.

Oh, actually, that is configured to reject incoming mail with invalid DKIM signature. I didn’t know we offered a hard reject or that it was enabled by default. I’m surprised, actually, historically all of our rejection decisions are points-based in SpamAssassin instead of being a hard rejection. I guess this is more efficient, but it will reject anyone without valid DKIM.

You can turn that off. (Set “Reject incoming mail with invalid DKIM signature?” to “No”)

1 Like

I would leave it on. If the dkim signature is invalid then the email is dodgy, this is the whole point of the technology.

I will make sure this is turned on for my server.

If there is no dkim signature then this setting will have no effect.

So what should I do to receive those emails?

Contact them and see if they can fix their dkim

You can still test for DKIM in SpamAssassin. As I explained above.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.