Submitted by gl3ny on Tue, 05/24/2011 - 16:16
I've set up DKIM using these instructions:
http://www.virtualmin.com/documentation/email/dkim
...and everything seems fine:
Finding virtual servers to enable DKIM for .. .. found 2 servers
Extracting public key from private key in /etc/dkim.key .. .. done
Setting domain and selector in DKIM filter configuration .. .. done
Adding DKIM records to DNS domain xxx1.com .. .. records already exist
Adding DKIM records to DNS domain xxx2.com .. .. records already exist
Enabling DKIM filter at boot time .. .. done
Starting DKIM filter .. .. done
Configuring mail server to use DKIM filter .. .. done
Sent email from domain xxx1.com and there is no DKIM public key in the header.
Any suggestions?
Status:
Active
Comments
Submitted by JamieCameron on Tue, 05/24/2011 - 16:48 Comment #1
Was the email from xxx1.com relayed through your Virtualmin system? DKIM signing will not work if it was sent via your ISP's mail server.
Also, the public key doesn't go in the header - it is in the DNS records for the domain. The header should contain other DKIM-related fields though.
Submitted by gl3ny on Tue, 05/24/2011 - 17:15 Comment #2
Ok sorry, I've probably got my terminology a bit mixed up here, but I am relaying mail through the Virtualmin system.
After following the direction in my last post I was using an online diagnostic tool to check by sending an email to: check-auth@verifier.port25.com
It returned:
Summary of Results
SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham
DomainKeys check details:
Result: neutral (message not signed)
ID(s) verified: header.From=xxx@xxx1.com
DNS record(s):
DKIM check details:
Result: permerror (key "2011._domainkey.xxx1.com" doesn't exist)
I also sent email to gmail and saw this in the header: dkim=neutral (bad format) header.i=@ixxx1.com
I checked the DNS record in virtualmin and the key is there. Sorry for confusion but I'm not sure what I'm doing here to make it not work.
Submitted by JamieCameron on Tue, 05/24/2011 - 17:18 Comment #3
Looks like other mail servers aren't seeing your DKIM record in DNS.
I can take a look myself, but I'd need to know your actual domain name ..
Submitted by gl3ny on Tue, 05/24/2011 - 17:24 Comment #4
Yes the mail was relayed through virtualmin.
I've been using the online diagnostic tool ESPC by sending an email to "check-auth@verifier.port25.com" to check and it emails me back these results:
Summary of Results
SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham
...and
DomainKeys check details:
Result: neutral (message not signed)
ID(s) verified: header.From=xxx1@xxx1.com
DNS record(s):
DKIM check details:
Result: permerror (key "2011._domainkey.xxx1.com" doesn't exist)
I also send email to gmail and see this in the header:
dkim=neutral (bad format) header.i=@ixxx1.com
I checked the DNS record in virtualmin for that domain and there is a key in there.
Submitted by gl3ny on Tue, 05/24/2011 - 17:25 Comment #5
icms1.com
Submitted by gl3ny on Tue, 05/24/2011 - 17:53 Comment #6
you got my domain name... icms1.com
let me know if theres anything else you need!
Submitted by JamieCameron on Tue, 05/24/2011 - 18:22 Comment #7
Thanks - I see the issue, which is that your domain's DNS is being hosted by domaincontrol.com and not your Virtualmin system. You will need to update the nameservers with your registrar to use your system as the NS for the domain.
Submitted by gl3ny on Tue, 05/24/2011 - 18:41 Comment #8
Awesome thanks!
I've never used Virtualmin NS's. How can I see what they are called? Is that in BIND DNS Server?
Submitted by gl3ny on Tue, 05/24/2011 - 18:58 Comment #9
It's OK, I've found what looks like a good post I can do some reading up on...
http://www.virtualmin.com/node/4744
Do I need to get 2 more IP addresses though, or can I get away with 1 more?
Submitted by JamieCameron on Tue, 05/24/2011 - 19:23 Comment #10
You can usually get away with just having 2 IPs in total.
Submitted by gl3ny on Tue, 05/24/2011 - 19:38 Comment #11
"Thanks - I see the issue, which is that your domain's DNS is being hosted by domaincontrol.com and not your Virtualmin system. You will need to update the nameservers with your registrar to use your system as the NS for the domain."
I've never really messed with NS's so sorry if this sounds dumb. What I don't understand about what you've said here is that, in my understanding, in a perfect world you should have 2 NS's and your web/mail server all in 3 different locations. So having them all on the same system, how is this going to be good?
Is it because DKIM keys reside on the NS's or something and with domaincontrol.com I don't have access to them?
I have another server already in another location with virtualmin on it so I'm thinking I should use this
You can host your DNS elsewhere, but you'll have to manage the DKIM records yourself, if you do that. Obviously, if Virtualmin doesn't control your DNS, it can't manage anything that relies on DNS records.
And, yes, you can use your other Virtualmin server as a slave DNS. There's docs for setting that up here: http://www.virtualmin.com/documentation/dns/slave-configuration
Submitted by gl3ny on Wed, 05/25/2011 - 13:32 Comment #13
I found a much simpler solution that worked for me for now. I just added the DKIM key that virtualmin generated to the godaddy dns. So now I have a DKIM pass! I find all this DNS confusing so I'm going to pass on it for now. I'll just stick with simpler solutions to get the mail server working :)
The next problem I have is getting a pass with Domain Keys
DomainKeys check details:
Result: neutral (message not signed) ID(s) verified: header.From=xxx1@xxx1.com DNS record(s):
How does virtualmin handle domain keys?
It doesn't. DKIM is a newer variant of DomainKeys. DomainKeys is pretty much deprecated, though still used by some providers. Use DKIM. Don't worry about DomainKeys, as they will eventually go away completely.
Submitted by gl3ny on Wed, 05/25/2011 - 14:05 Comment #15
Ok but I thought some mail services are still using it. I tested with these results to gmail, hotmail and yahoo. Messages are still going to junk/spam
==========================================================
Summary of Results
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
Any other ideas?
Thanks for your patience!
Submitted by JamieCameron on Wed, 05/25/2011 - 14:16 Comment #16
Those results look pretty good to me .. it looks like everything passes except DomainKeys.
I tested with these results to gmail, hotmail and yahoo.
None of these providers blocks on DKIM or DomainKeys, i.e. DKIM and DomainKeys were and are not the cause of your mail ending up in spam.
You probably have DNS configuration problems. That's the cause of probably 90% of email delivery problems.
Does your IP reverse-resolve (do you have a PTR record for your IPs, or does your hosting provider provide PTR records for your IPs)? That'd be the most likely culprit.
Submitted by gl3ny on Wed, 05/25/2011 - 16:51 Comment #18
I started getting hotmail and yahoo going through sporadically, a bit hit and miss. The PTR and rDNS checked out ok in MX Tools.
But my SPF record looked like this... v=spf1 a mx ptr ~all
Someone suggested changing it to this... v=spf1 ip4:190.120.232.50 ?all
I got my first email to go into the gmail inbox. They are all sporadic now. Is that the best I'm going to get?
Submitted by JamieCameron on Wed, 05/25/2011 - 16:53 Comment #19
It is hard to say more without knowing why gmail is treating your email as spam ..
Perhaps you could try emailing me at jcameron@webmin.com, so I can see what spam classification is being done?
Submitted by gl3ny on Wed, 05/25/2011 - 17:25 Comment #20
Sure, I've sent you the emails, thank you.
I noticed in the gmail header it's checking for Domain Key and DKIM.
But what's strange is "test mode".... dkim=pass (test mode) header.i=@icms1.com
Perhaps I have to include Domain Key for gmail???
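Added example (not part of the thread and not Virtualmin's code): a small checker for the DKIM key record discussed above. It builds the `selector._domainkey.domain` name a verifier looks up, as in the permerror message, and parses a key record's tags, flagging a missing or malformed `p=` and the `t=y` testing flag defined in RFC 6376. The function names and the sample record are constructed for illustration, and the `p=` value is placeholder base64, not a real key.

```python
import base64
import binascii

# Constructed sample record; p= is placeholder base64, not a real RSA key.
SAMPLE_RECORD = "v=DKIM1; k=rsa; t=y; p=Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ=="


def dkim_query_name(selector, domain):
    """DNS name a verifier queries for the public key (TXT record)."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")


def parse_dkim_key_record(txt):
    """Parse a DKIM key TXT record into (tags, findings)."""
    tags, findings = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            findings.append(f"malformed tag: {part!r}")
            continue
        # Whitespace inside a value (e.g. a p= split across strings) is ignored.
        tags[name.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unsupported version")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append("unknown key type")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= (no public key)")
    elif p == "":
        findings.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(p, validate=True)
        except (binascii.Error, ValueError):
            findings.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is testing DKIM")
    return tags, findings


if __name__ == "__main__":
    print(dkim_query_name("2011", "xxx1.com"))
    print(parse_dkim_key_record(SAMPLE_RECORD)[1])
```

Feed it the TXT string returned for the selector name by the domain's authoritative nameservers; if they return nothing for that name, the verifier has no key to parse at all.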
Submitted by JamieCameron on Wed, 05/25/2011 - 18:39 Comment #21
I got both your emails .. and neither were classified as spam or close to spam by my mail server.
So I'm not sure why gmail would be considering you a spammer ..
Submitted by gl3ny on Wed, 05/25/2011 - 19:42 Comment #22
I found this info on google for bulk sender...
http://mail.google.com/support/bin/answer.py?answer=17205#Complete
It's basically a troubleshooting questionnaire. I answered all the questions appropriately and got to a contact form to get them to investigate. Also I read somewhere in Google's docs that if you send emails that don't comply then it will damage your reputation temporarily. So it might be ok in the end. It would be nice to find out if my reputation is in a repairable state before I send emails for real but I don't know how I'm going to do that because gmail won't send a report.
Oh, if you've sent large mail batches, if a handful of your users marked mail from your server as spam, you could end up classified as a spam sender that way. The large mail providers are pretty unforgiving when their users report spam.
It's hard to say without knowing more about why they're blocking you.
Submitted by gl3ny on Wed, 05/25/2011 - 21:30 Comment #24
No, I've sent 1, 2 or 3 messages at a time, all to my own email accounts, and not marked any of them either way.