DKIM fails

#1 Tue, 09/05/2017 - 12:17

DKIM fails

Hello, I configured Virtualmin to sign with DKIM. But mail-tester and reports invalid signature. I added my domain in "Additional domains to sign for", entered the key in my DNS record, and it is propagated. What could I check? Thanks.

Tue, 09/05/2017 - 14:16

On seeing this message I decided to make sure the DKIM was working for myself. And it's not.

I've run a VirtualMin check and everything is reported as being OK. Regenerated the DKIM (just used save) and it tells me everything propagated correctly. But when I look at the email headers this is all I see :


Received: from [] (unknown [])
    by (Postfix) with ESMTP id 5EED5C3EB8D6
    for <>; Tue,  5 Sep 2017 12:10:07 -0600 (MDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 5EED5C3EB8D6



From: Nigel Aves

I do know that this was working sometime ago, as far as I know I've not changed anything to do with email services.

Any ideas?

Tue, 09/05/2017 - 14:49
Joe's picture

What distro and version are y'all running?


Check out the forum guidelines!

Tue, 09/05/2017 - 15:00

Sorry, should have added this.

Operating system: CentOS Linux 7.3.1611
Webmin version: 1.852
Virtualmin version: 6.00
Postfix version: 2.10.1

Tue, 09/05/2017 - 15:03
Joe's picture

Is the opendkim package installed? (rpm -q opendkim)

We don't depend on it during installation because I thought Jamie had code to install it automatically when DKIM is enabled, but maybe that's either not working, or not true, and I need to add a dependency to our yum groups.

If it's not installed, try installing it:

# yum install opendkim

And, maybe restart postfix:

# systemctl restart postfix

And, see if things behave differently. If so, then it's just a dependency issue...if not, it's something we might need to rope Jamie in on (and it might need a Virtualmin update to fix).



Tue, 09/05/2017 - 15:13


Debian 9: Turn on DKIM. Then go to the console and enter:

  1. /lib/opendkim/opendkim.service.generate

  2. systemctl daemon-reload

  3. service opendkim restart

For test:

netstat -natpu | grep opendkim

Tue, 09/05/2017 - 15:23


Yes, opendkim is installed (and it was installed automatically when I built the server). I looked at the files in /etc/opendkim and none of them are modified, but I am assuming that Virtualmin stores the info somewhere else.

I have stopped and restarted Postfix. No difference.


Tue, 09/05/2017 - 15:40


I did try your test netstat -natpu | grep opendkim

I believe this looks good.

[root@apache-web-server ~]# netstat -natpu | grep opendkim
tcp 0 0* LISTEN 25876/opendkim
[root@apache-web-server ~]#

Tue, 09/05/2017 - 16:06
Joe's picture

I'll ask Jamie to chime in, as he knows better what magic is supposed to happen to loop DKIM signing into the mix when sending mail.

Here's the ticket about it, though I'll relay back any necessary info once I understand what's happening:



Wed, 09/06/2017 - 00:55

Joe, it also does not work with Debian 9.

Wed, 09/06/2017 - 03:46

Hello, I am running Debian 8.9. DKIM is installed and running, my emails are signed but the signature is invalid.

Fri, 09/08/2017 - 15:06


I was looking through my log files trying to discover if this was a bug in VirtualMin or Operator Error - Me! :)

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: connect from unknown[]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 4A67DC3EB8D6: client=unknown[]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[]
Sep 8 13:37:20 apache-web-server postfix/cleanup[28647]: 774C3C3EB8D6:
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [] [] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:37:20 apache-web-server postfix/qmgr[3361]: 774C3C3EB8D6:, size=1565, nrcpt=1 (queue active)
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: disconnect from unknown[]

Any thoughts?


Sat, 09/09/2017 - 11:02

Not sure if this is a bug or not, but discovered what was wrong.

First edit the /etc/opendkim/TrustedHosts file and add your internal network

# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP ( should always be the first entry in this file.
::1

Then edit /etc/opendkim.conf

and uncheck this line

Identifies a set "internal" hosts whose mail should be signed rather than verified.

InternalHosts refile:/etc/opendkim/TrustedHosts

Now dkim is written to email messages.

There should probably be an option added in Virtualmin dkim setup to add your internal networks.
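Added example (not part of the original posts, and not Virtualmin or OpenDKIM code): a small Python check that scans maillog lines for OpenDKIM's "not internal" message, as seen in the log excerpt above, and tells you whether the client address is already covered by the TrustedHosts file. The sample log, the address 192.0.2.25, the selector and the function names are constructed for illustration; hostname entries in TrustedHosts are skipped because the example runs offline.

```python
import ipaddress
import re

# Constructed sample in the shape of the maillog excerpt above (placeholder IPs).
SAMPLE_LOG = """\
Sep 8 13:37:20 mail postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[192.0.2.25]
Sep 8 13:37:20 mail opendkim[25876]: 774C3C3EB8D6: unknown [192.0.2.25] not internal
Sep 8 13:37:20 mail opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 mail opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:40:02 mail opendkim[25876]: 9B21AC3EB8D7: DKIM-Signature field added (s=2017, d=example.com)
"""

OPENDKIM = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)")
NOT_INTERNAL = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\] not internal$")


def parse_trusted_hosts(text):
    """Return the IP/CIDR entries of a TrustedHosts file as network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # hostname entry: not resolved in this offline example
    return nets


def unsigned_clients(log_text, trusted_text):
    """Map queue ID -> (client IP, advice) for mail OpenDKIM refused to sign."""
    nets = parse_trusted_hosts(trusted_text)
    findings = {}
    for line in log_text.splitlines():
        m = OPENDKIM.search(line)
        hit = NOT_INTERNAL.search(m.group("msg")) if m else None
        if not hit:
            continue
        ip = ipaddress.ip_address(hit.group("ip"))
        if any(ip in net for net in nets):
            advice = "listed: check InternalHosts is uncommented, restart opendkim"
        else:
            advice = "not listed: add this host or its network to TrustedHosts"
        findings[m.group("qid")] = (str(ip), advice)
    return findings


if __name__ == "__main__":
    for qid, (ip, advice) in unsigned_clients(SAMPLE_LOG, "127.0.0.1\n::1\n").items():
        print(qid, ip, advice)
```
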


Mon, 09/11/2017 - 09:33

Hi, my problem is different: my emails are signed, but the signature is invalid. I have no DKIM error in the Postfix logs.

Mon, 09/11/2017 - 11:26 (Reply to #14)

I would try:

Virtualmin -> Email Messages -> Domain Key Identified Mail

Force generation of new private key -> Yes


Wed, 09/13/2017 - 06:53

Here it succeeded by not having 'added my domain in "Additional domains to sign for"'

But generate the key in the virtualserver for that domain itself!

( virtual server > server configuration > domainkey options )

Then it should be in the DNS of course, otherwise it doesn't work; with a third-party external DNS you have to add this manually.

If you use as key "default" then problems could be there, so better change "default" to what you like; you can read that here >

"Do NOT enter default , as this can trigger a bug in the current Virtualmin release which deletes the /etc/default"

Wed, 09/13/2017 - 07:35

noisemarine : I already tried that.

Jfro : I already added my domain, changed the "default" prefix, and added the key to my DNS.

Wed, 09/13/2017 - 07:59

I mean do not add your domain there in that screen, but do the key generation in the domain's virtual server itself. Open that screen on that domain again and you see your key to paste in the DNS record if needed; then you can check with DNS whether these keys are the same! Of course after the TTL time...

And try test first by sending mail out over webmail webmin function

so go to the ones domain virtual server and generate the key there so > ( virtual server > server configuration > domainkey options )

Mon, 09/18/2017 - 08:08

Jfro: I cannot remove my domain from "Additional domains to sign for": I get this error: Finding virtual servers to enable DKIM for .. .. no servers with both DNS and email enabled were found! DKIM setup failed!

I do not host my virtual server DNS, I am using the one from my provider, but I did add my DKIM key, I can see it with mxtoolbox. And there is no "virtual server > server configuration > domainkey options" menu.

Mon, 09/18/2017 - 17:21 (Reply to #19)
Joe's picture

It may be that Virtualmin won't sign for domains it doesn't host DNS for. I don't think that should be necessary, but you could try enabling DNS for this domain. It's harmless to do so...if nobody queries the DNS server on the Virtualmin host, it'll just sit there doing nothing.



Tue, 09/19/2017 - 02:08 (Reply to #20)

No, my emails are signed, but the signature is invalid

Mon, 09/18/2017 - 08:15

OK, I'm only a user/admin.

I have that option in the menu, so I don't know how to help you.

Then ask Joe, sorry.

We ourselves are only using third-party DNS for domains; DKIM with Virtualmin 6 and CentOS is working here, but it was a fresh VM6 install about 29-08, so not an updated older version of VM.

Topic locked