DKIM is invalid

Submitted by rubenz on Fri, 07/03/2015 - 08:48

Hi. I'm unable to get DKIM working.

When I'm enabling DKIM for all Virtual servers, it includes "d=*" in a signed message. DKIM Validators are looking for default._domainkey.* and can't find it, since DNS record is set to default._domainkey.astgeek.com. As a result - Invalid DKIM and spam folders.

Here validation results: http://dkimvalidator.com/results?email=3tf7fo0B3AW3Gc@dkimvalidator.com

Can you please suggest what is the issue here, and what am I doing wrong? Please, let me know if any additional information is needed.

Status: 
Active

Comments

Submitted by JamieCameron on Sat, 07/04/2015 - 00:32

Can you attach the /etc/opendkim.conf file from your system to this bug report?

Submitted by rubenz on Sat, 07/04/2015 - 00:43

Hi, Jamie!

Thanks for responding. Please see files attached to this post for my opendkim.conf file.

Ruben

Submitted by rubenz on Sat, 07/04/2015 - 01:16

Some additional information:

Operating system: CentOS Linux 7.1.1503
Webmin version: 1.760
Virtualmin version: 4.17.gpl

# opendkim -V 
opendkim: OpenDKIM Filter v2.10.3

# postconf -d | grep mail_version
mail_version = 2.10.1

# named -v
BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version)

Almost all settings were default, I just bought this VPS and imported my sites from CPanel backup, plus created some additional top-level virtual servers for new projects. OpenDKIM is installed by Virtualmin. I've installed bind and postfix using yum before installing Virtualmin, but it looks like Virtualmin is fine with it.

The contents of KeyTable, SigningTable and domains are default.

SigningTable:

    * default

KeyTable:

    default *:default:/etc/opendkim/keys/default.private

Under /etc/dkim-domains.txt there is a list of domains and subdomains in my install.

Let me know if you need additional information I can provide.

Submitted by rubenz on Mon, 07/06/2015 - 23:33

Jamie,

After some debugging I've ended up with this solution:

Manually adding for all domains:

SigningTable (/etc/dkim-signingtable):

*@example.com default._domainkey.example.com

KeyTable (/etc/dkim-keytable):

default._domainkey.example.com example.com:default:/etc/dkim.key

*For each domain replace example.com with it.

File permissions were fine, /etc/dkim-domains.txt and opendkim.conf files were edited normally by virtualmin. Enabling/disabling Domain Keys, or reinstalling opendkim had no effect.

The reason may be in file dkim-lib.pl, it may handle incorrectly parked domains from cpanel. In my configuration I had virtual servers structure like this after importing from cpanel backup:

firstdomain.com
    anotherdomain1.com
    anotherdomain2.com

    seconddomain.firstdomain.com
       seconddomain.com
    thirddomain.firstdomain.com
       thirddomain.com
    .......
    et cetera

Since now my dkim is fine, I'm stopping further investigation, please, let me know if you'll need additional details, I'll be happy to provide.

Regards, Ruben

Submitted by JamieCameron on Wed, 07/08/2015 - 00:45

If you add another test domain to your system, does Virtualmin create the correct entries in the /etc/dkim-signingtable and /etc/dkim-keytable files?

Submitted by rubenz on Wed, 07/08/2015 - 02:00

When I'm adding a test domain, it adds correct DNS entries, adds the domain to /etc/dkim-domains.txt, but signing table and keytable still are not modified. Permissions and owner for keytable, signing table and domains.txt are the same.

Submitted by JamieCameron on Thu, 07/09/2015 - 01:00

It looks like the current Virtualmin code only adds KeyTable and SigningTable entries when a custom key is specified for the domain - otherwise it just uses the * entry in those files. I will look further into why this isn't working though..

Submitted by rubenz on Fri, 07/10/2015 - 16:46

I may try to experiment with it later too, I'll post any results I got.

Thanks!

Ruben

Submitted by JamieCameron on Sun, 07/12/2015 - 15:30

Ok, I think I have a fix here - it looks like some versions of opendkim use a different format for the signingtable file.

Try editing /etc/dkim-signingtable , and in the default line changing the * to % , then running service opendkim restart

Submitted by beat on Tue, 12/12/2017 - 17:10

Replying to this old thread, since I just ran now into this issue:

I had no success when editing dkim-signingtable as instructed just above, dkim stopped signing, so reverted my change.

But when doing this change * to % to default line only to the /etc/dkim-keytable and restarting opendkim as instructed, the wrong d=* became d=example.com (right domain!). And dkim validation worked with a test with http://dkimvalidator.com which didn't work with d=*.

Is that change of * to % in /etc/dkim-keytable correct ?

Has that been fixed in Virtualmin in the mean time ?

Should I edit that file on all my Virtualmin instances, or will next update auto-fix that ?

Submitted by JamieCameron on Wed, 12/13/2017 - 17:11

Virtualmin won't auto-update this in existing domains - you'd need to change it manually