DKIM Public Key Not in Email Header

I've set up DKIM using these instructions:

http://www.virtualmin.com/documentation/email/dkim

...and everything seems fine:

Finding virtual servers to enable DKIM for .. .. found 2 servers

Extracting public key from private key in /etc/dkim.key .. .. done

Setting domain and selector in DKIM filter configuration .. .. done

Adding DKIM records to DNS domain xxx1.com .. .. records already exist

Adding DKIM records to DNS domain xxx2.com .. .. records already exist

Enabling DKIM filter at boot time .. .. done

Starting DKIM filter .. .. done

Configuring mail server to use DKIM filter .. .. done

Sent email from domain xxx1.com and there is no DKIM public key in the header.

Any suggestions?

Status: Active

Comments

Was the email from xxx1.com relayed through your Virtualmin system? DKIM signing will not work if it was sent via your ISP's mail server..

Also, the public key doesn't go in the header - it is in the DNS records for the domain. The header should contain other DKIM-related fields though.

Ok sorry I've probably got my terminology a bit mixed up here but I am relaying mail through the Virtualmin system.

After following the direction in my last post I was using an online diagnostic tool to check by sending an email to: check-auth@verifier.port25.com

It returned:

Summary of Results

SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham

DomainKeys check details:

Result: neutral (message not signed)
ID(s) verified: header.From=xxx@xxx1.com
DNS record(s):

DKIM check details:

Result: permerror (key "2011._domainkey.xxx1.com" doesn't exist)

I also sent email to gmail and saw this in the header: dkim=neutral (bad format) header.i=@ixxx1.com

I checked the DNS record in virtualmin and the key is there. Sorry for confusion but I'm not sure what I'm doing here to make it not work.

Looks like other mail servers aren't seeing your DKIM record in DNS.

I can take a look myself, but I'd need to know your actual domain name ..

Yes the mail was relayed through virtualmin.

I've been using the online diagnostic tool ESPC by sending an email to "check-auth@verifier.port25.com" to check and it emails me back these results:

Summary of Results

SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham

...and

DomainKeys check details:

Result: neutral (message not signed)
ID(s) verified: header.From=xxx1@xxx1.com
DNS record(s):

DKIM check details:

Result: permerror (key "2011._domainkey.xxx1.com" doesn't exist)

I also send email to gmail and see this in the header:

dkim=neutral (bad format) header.i=@ixxx1.com

I checked the DNS record in virtualmin for that domain and there is a key in there.

you got my domain name... icms1.com

Let me know if there's anything else you need!

Thanks - I see the issue, which is that your domain's DNS is being hosted by domaincontrol.com and not your Virtualmin system. You will need to update the nameservers with your registrar to use your system as the NS for the domain.

Awesome thanks!

I've never used Virtualmin NS's. How can I see what they are called? Is that in BIND DNS Server?

You can usually get away with just having 2 IPs in total.

"Thanks - I see the issue, which is that your domain's DNS is being hosted by domaincontrol.com and not your Virtualmin system. You will need to update the nameservers with your registrar to use your system as the NS for the domain."

I've never really messed with NS's so sorry if this sounds dumb. What I don't understand about what you've said here is that, in my understanding, in a perfect world you should have 2 NS's and your web/mail server all in 3 different locations. So having them all on the same system, how is this going to be good?

Is it because DKIM keys reside on the NS's or something and with domaincontrol.com I don't have access to them?

I have another server already in another location with virtualmin on it so I'm thinking I should use this

Submitted by Joe on Tue, 05/24/2011 - 20:47 Pro Licensee

You can host your DNS elsewhere, but you'll have to manage the DKIM records yourself, if you do that. Obviously, if Virtualmin doesn't control your DNS, it can't manage anything that relies on DNS records.

And, yes, you can use your other Virtualmin server as a slave DNS. There's docs for setting that up here: http://www.virtualmin.com/documentation/dns/slave-configuration

I found a much simpler solution that worked for me for now. I just added the DKIM key that virtualmin generated to the godaddy dns. So now I have a DKIM pass! I find all this DNS confusing so I'm going to pass on it for now. I'll just stick with simpler solutions to get the mail server working :)

The next problem I have is getting a pass with Domain Keys

DomainKeys check details:

Result: neutral (message not signed)
ID(s) verified: header.From=xxx1@xxx1.com
DNS record(s):

How does virtualmin handle domain keys?

Submitted by Joe on Wed, 05/25/2011 - 13:38 Pro Licensee

It doesn't. DKIM is a newer variant of DomainKeys. DomainKeys is pretty much deprecated, though still used by some providers. Use DKIM. Don't worry about DomainKeys, as they will eventually go away completely.

Ok but I thought some mail services are still using it. I tested with these results to gmail, hotmail and yahoo. Messages are still going to junk/spam

==========================================================

Summary of Results

SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

Any other ideas?

Thanks for your patience!

Those results look pretty good to me .. it looks like everything passes except DomainKeys.

Submitted by Joe on Wed, 05/25/2011 - 14:33 Pro Licensee

I tested with these results to gmail, hotmail and yahoo.

None of these providers blocks on DKIM or DomainKeys, i.e. DKIM and DomainKeys were and are not the cause of your mail ending up in spam.

You probably have DNS configuration problems. That's the cause of probably 90% of email delivery problems.

Does your IP reverse-resolve (do you have a PTR record for your IPs, or does your hosting provider provide PTR records for your IPs)? That'd be the most likely culprit.

I started getting hotmail and yahoo going through sporadically, a bit hit and miss. The PTR and rDNS checked out ok in MX Tools.

But my SPF record looked like this... v=spf1 a mx ptr ~all

someone suggested to change it to this... v=spf1 ip4:190.120.232.50 ?all

I got my first email go into gmail inbox. They are all sporadic now. Is that the best I'm going to get?

It is hard to say more without knowing why gmail is treating your email as spam ..

Perhaps you could try emailing me at jcameron@webmin.com , so I can see what spam classification is being done?

sure, I've sent you the emails, thank you.

I noticed in the gmail header it's checking for Domain Key and DKIM.

But what's strange is "test mode".... dkim=pass (test mode) header.i=@icms1.com

perhaps I have to include Domain Key for gmail???
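
Added example, not part of the original thread and not Virtualmin's code: the replies above point out that the DKIM public key is looked up in DNS rather than carried in the header, and the Gmail result mentions "test mode". This Python sketch derives the name a verifier queries from a DKIM-Signature header and reviews the tags of the key record it would get back. The header, the TXT strings, example.com and the function names are constructed for illustration; the selector 2011 is the one shown in the thread.

```python
import re

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # Folding whitespace inside values is not significant.
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(sig_header):
    """Name a verifier looks up for a signature: <s>._domainkey.<d>."""
    tags = parse_tags(sig_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(txt_strings):
    """Review the TXT answer for a selector and return a list of findings."""
    if not txt_strings:
        return ["no TXT record at selector name: verifiers cannot find the key"]
    # Long keys are published as several quoted strings; join them first.
    tags = parse_tags("".join(txt_strings))
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if "p" not in tags:
        findings.append("no p= tag: record is not a usable DKIM key")
    elif tags["p"] == "":
        findings.append("empty p=: key has been revoked")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y flag set: domain is in DKIM test mode")
    return findings

# Constructed sample header value (folded, placeholder hash and signature).
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=2011;\r\n"
              "\th=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=;\r\n"
              "\tb=CONSTRUCTEDSIGNATURE==")
# Constructed TXT answer split into two strings, with the test flag present.
SAMPLE_TXT = ["v=DKIM1; k=rsa; t=y; ", "p=CONSTRUCTEDPUBLICKEYBASE64"]

if __name__ == "__main__":
    print("verifier queries:", key_query_name(SAMPLE_SIG))
    for label, answer in (("published", SAMPLE_TXT), ("missing", [])):
        print(label, "->", check_key_record(answer) or ["ok"])
```

The name printed by `key_query_name` has to resolve on whichever nameservers are authoritative for the domain, which is why a record that exists only on the Virtualmin system is invisible to outside verifiers.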

I got both your emails .. and neither were classified as spam or close to spam by my mail server.

So I'm not sure why gmail would be considering you a spammer ..

I found this info on google for bulk sender...

http://mail.google.com/support/bin/answer.py?answer=17205#Complete

It's basically a troubleshooting questionnaire. I answered all the questions appropriately and got to a contact form to get them to investigate. Also I read somewhere in Google's docs that if you send emails that don't comply then it will damage your reputation temporarily. So it might be ok in the end. It would be nice to find out if my reputation is in a repairable state before I send emails for real but I don't know how I'm going to do that because gmail won't send a report.

Submitted by Joe on Wed, 05/25/2011 - 20:48 Pro Licensee

Oh, if you've sent large mail batches, if a handful of your users marked mail from your server as spam, you could end up classified as a spam sender that way. The large mail providers are pretty unforgiving when their users report spam.

It's hard to say without knowing more about why they're blocking you.

No, I've sent 1, 2 or 3 messages at a time, all to my own email accounts and not marked any of them either way.