Need help about DKIM concept & setup

Hi,
I have been using Virtualmin GPL for a while and I know my way around it, but recently for one of my domains I had an issue with email being marked as spam. I thought to give DKIM a try. I have a few doubts actually.

  1. Global and per-domain DKIM key: I am confused when we go to Virtualmin --> Email settings --> DomainKey Identified Mails and enable it there. Should I give the names of all domains hosted on the server under “Additional domains to sign for”?
    I have around 10 domains hosted on this server; can the key generated there then be added to each domain's DNS?

  2. What part of the key do I add in external DNS?
    I get the following key:

     2020._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6kTyzcwypZ5r/"
     "1bmJ70e1jJ9ff1htYLtdnEn7Onwr93NXwoTuYP8wT+q7E/5yqVnV70ip+fM8OXLCsplBe4ndW33k5i5z"
     "Bhdvx4BlYTSQTD0LkSCNKAIvx3N4xbRIgKd3n7bvsMAyLNdI9qEwq+IuoRu1XZe545AI0AXLyPYCEuI2"
     "kohqYHMhfqVI/L87PS3X8L+3wlHU0PpsCFxbEPK4FKT7Wtbko8y4iIAZ+KhaR1y/Guz/nnxhLMGD9+j4"
     "SGTXKce5CPcrq7Ib2iF0Ave3RhfcopZihUvnSeFCxchqI45RkwTDPuxafakYySIdPPG4X8n3YGll3loq"
     "efFZwdzIwIDAQAB" )

Say I am using Cloudflare DNS, so I will add a TXT record with “2020” as the name, and the value must be:

    "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6kTyzcwypZ5r/"
    "1bmJ70e1jJ9ff1htYLtdnEn7Onwr93NXwoTuYP8wT+q7E/5yqVnV70ip+fM8OXLCsplBe4ndW33k5i5z"
    "Bhdvx4BlYTSQTD0LkSCNKAIvx3N4xbRIgKd3n7bvsMAyLNdI9qEwq+IuoRu1XZe545AI0AXLyPYCEuI2"
    "kohqYHMhfqVI/L87PS3X8L+3wlHU0PpsCFxbEPK4FKT7Wtbko8y4iIAZ+KhaR1y/Guz/nnxhLMGD9+j4"

But the problem is that DKIM is failing as per tools like this: https://dkimvalidator.com/, which gives the error:

    The p= field must be base64 encoded

Any pointers please.

In order for email sent by your server to get past the spam filters of, say, Gmail, it is necessary to configure SPF, reverse DNS and DKIM correctly, so if you are enabling the latter on your Virtualmin box, that would be the correct remedy.

No. You are not required to manually add domains here that are already assigned to virtual servers and aliases that you have created in Virtualmin.

Yes and no: when you enabled DKIM under Virtualmin → Email settings → DomainKey Identified Mails, Virtualmin added the DKIM record to the DNS of each domain listed in the install of BIND running on your Virtualmin server. However @Saahib as you are manually managing on a third party DNS server the DNS records for the domain(s) served by Virtualmin, you must take the additional step of manually updating the third party DNS server with the DKIM record for each domain. Note that for those who use Virtualmin’s DNS server, which is the default option, this manual management of DKIM records is not necessary.

Using your example, in the third party DNS server that you use, create a subdomain 2020._domainkey and apply a text record:

    "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6kTyzcwypZ5r/"
    "1bmJ70e1jJ9ff1htYLtdnEn7Onwr93NXwoTuYP8wT+q7E/5yqVnV70ip+fM8OXLCsplBe4ndW33k5i5z"
    "Bhdvx4BlYTSQTD0LkSCNKAIvx3N4xbRIgKd3n7bvsMAyLNdI9qEwq+IuoRu1XZe545AI0AXLyPYCEuI2"
    "kohqYHMhfqVI/L87PS3X8L+3wlHU0PpsCFxbEPK4FKT7Wtbko8y4iIAZ+KhaR1y/Guz/nnxhLMGD9+j4"
    "SGTXKce5CPcrq7Ib2iF0Ave3RhfcopZihUvnSeFCxchqI45RkwTDPuxafakYySIdPPG4X8n3YGll3loq"
    "efFZwdzIwIDAQAB"

You could leave the quote characters be, since some third party DNS servers (such as AWS’ Route 53) require them, while others (such as the excellent and free - sort of - DNS service by Rackspace) accept the DKIM record with quote characters or without, and internally reformat the long TXT record to be RFC compliant.

If you apply the DKIM record to the DNS of the third party service correctly, as I have described above, your DKIM will pass and your email will get delivered to the inbox.
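The question above (what part of the BIND-style record goes into a third-party DNS panel, and why the validator reports "p= field must be base64 encoded") can be checked offline. This is an added example, not code from the thread or from Virtualmin: it joins the quoted chunks into the single string a panel like Cloudflare expects and then sanity-checks the result. It assumes a constructed placeholder key (the DER header of a 2048-bit RSA key followed by filler bytes), not a real one, and the selector name `2020` from the post.

```python
import base64
import binascii
import re

# Constructed placeholder, not a real key: the DER SubjectPublicKeyInfo header
# of a 2048-bit RSA key (24 bytes) plus 270 filler bytes, so it is 294 bytes long
# just like a real key and the length check below behaves realistically.
_SPKI_RSA2048_PREFIX = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
_FAKE_KEY_DER = _SPKI_RSA2048_PREFIX + bytes(range(256)) + bytes(14)
_FAKE_KEY_B64 = base64.b64encode(_FAKE_KEY_DER).decode()  # 392 base64 chars

def bind_style_record(selector: str, key_b64: str, width: int = 80) -> str:
    """Render the multi-line quoted TXT record the way BIND/Virtualmin print it."""
    chunks = [key_b64[i:i + width] for i in range(0, len(key_b64), width)]
    chunks[0] = "v=DKIM1; k=rsa; t=s; p=" + chunks[0]
    quoted = "\n    ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey IN TXT ( {quoted} )"

def join_txt_chunks(record: str) -> str:
    """Concatenate the double-quoted strings (no separator) into the one plain
    string a web DNS panel expects as the TXT value."""
    return "".join(re.findall(r'"([^"]*)"', record))

def check_dkim_txt(value: str) -> list:
    """Return the problems found in a DKIM TXT value; an empty list means it looks sane."""
    problems = []
    if re.search(r'["\n\u201c\u201d]', value):
        problems.append("contains quote characters or line breaks: paste one plain string")
        value = re.sub(r'["\n\u201c\u201d]', "", value)   # check what remains
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    p = tags.get("p", "").replace(" ", "")
    if not p:
        return problems + ["p= tag missing"]
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["p= field is not valid base64 (stray characters or bad padding)"]
    # A public key is a DER SEQUENCE; for RSA keys the length is long-form:
    # 0x30, 0x80|n, then n length bytes. A pasted key missing its last chunks
    # may still decode as base64, so compare the declared length with the actual one.
    if len(der) < 4 or der[0] != 0x30 or not der[1] & 0x80:
        return problems + ["p= does not decode to a DER-encoded public key"]
    n = der[1] & 0x7F
    declared = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if declared != len(der):
        problems.append(f"p= is truncated: DER declares {declared} bytes, got {len(der)}")
    return problems

def demo() -> dict:
    """Good value beside the two mistakes seen in the thread: pasting the quoted
    lines verbatim, and leaving out the last chunks of the key."""
    record = bind_style_record("2020", _FAKE_KEY_B64)
    verbatim = "\n".join(re.findall(r'"[^"]*"', record))
    truncated = "".join(re.findall(r'"([^"]*)"', record)[:-2])
    return {"good": check_dkim_txt(join_txt_chunks(record)),
            "verbatim": check_dkim_txt(verbatim), "truncated": check_dkim_txt(truncated)}
```

Run `demo()` to see all three outcomes; for a live record, `dig +short TXT 2020._domainkey.example.com` returns the quoted chunks, which `join_txt_chunks` accepts as well.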

Thanks @calport for such a descriptive reply.
Well, after making the post here, I kept digging into it and got most of the things / concepts cleared up by trial and error.

Just to clarify, I had already configured proper SPF records; next was DKIM. Got it working later, but a few other changes were also made to get mail going. The main issue in my case was that my “reply-to” header was causing the main trouble: since I was sending mail using a script, it was appending wrong info. I tried to fix the script but ultimately settled on SMTP instead of the PHP mail() function. So, with DKIM, SPF and proper headers, it looks fine for now.

However, I still have one doubt about Virtualmin and the DKIM setup in it.
So, I can use the same key for all domains on that server because Virtualmin will sign mail sent by each domain with that global key; all I need to do is update the DNS for each domain with the public key given by Virtualmin?

What if I later add another domain to server, do I have to regenerate key?

Yes, that’s correct. You can use the same DKIM key for all domains hosted on that server / using that server to relay.

No, the same DKIM key will work for any new domains / virtual servers you add to Virtualmin.
