Debugging dkim=fail using sendmail+dkim-milter

dkimsendmail

I'm setting up a CentOS server with the sendmail MTA to send DKIM-signed mail (sending domain is @brighter.do). I have succeeded in routing mails through the dkim milter; however, they arrive at my GMail account with dkim=fail authentication results and no further information. How do I begin to debug this (besides Googling 'debug failed dkim' and other such related terms)?

I used the config described in these instructions. The only additional config changes I made were adding my app user to /etc/mail/trusted-users, adding EXTRA_FLAGS=-R to /etc/sysconfig/dkim-milter, and switching Canonicalization to relaxed/relaxed (which didn't appear to change anything). I've verified that the key is 2048 bits using ssh-keygen -l -f app1. (It seems that a too-small key can cause GMail to reject a valid DKIM signature but that doesn't appear to be my problem.)

The contents of my relevant DNS records are:

APP1._DOMAINKEY.BRIGHTER.DO. TXT k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAABAQC3pJ4UJW/KBQ2D6N/6kl37yqJ0F4NcKPGApyHw4wl2zohdOPp8rELvQnRgvmQUMu3hrgicD9W9LbnGx/CzakZAA4RcJk9kI51v+Y8L5j3lZURFC1ZIXoRFgfafyo31XN3rc+V0hNMXUGcxVI09oYtyS+2AuC9cULP4Nu030I3yYFd2NOwmKPY57PU3ybwGKEvuWsB/9PyWC6KVlULlkg7TB
APP1._DOMAINKEY.BRIGHTER.DO. TXT CwbMnGyavwIeoJpNlb1fINdDGWDAJvfTTpMGvIkQAehknbgBqL4IgciWQ/2xw6bMhma7MRJHzZsd7JfbNramQIpsxX6hZUkZja6HpoFJzBi1vbnLcM2n8Xhat/A1Q/F
_DOMAINKEY.BRIGHTER.DO. TXT o=~ r=angela@brighter.do

The headers I'm getting are:

Received-SPF: pass (google.com: domain of info@brighter.do designates 54.201.111.245 as permitted sender) client-ip=54.201.111.245;
Date: Wed, 23 Mar 2016 21:10:11 GMT
Message-Id: <201603232110.u2NLABrt007869@DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM>
To: angela@brighter.do
Subject: Test message
MIME-Version: 1.0
From: Brighter <info@brighter.do>

Note: since I know almost nothing about e-mail admin, it's possible that I'm omitting some key details here. In that event please help me improve the question by mentioning what additional info would be useful – e.g., other config files to include.

Best Answer

I know this question is two months old, but it is a top Google search result for the subject so I figured it deserved an answer.

I don't know what your second and third TXT entries are for. I have DKIM working properly now and I only have a TXT entry similar to your first one.

I followed instructions from Digital Ocean when setting up DKIM on Ubuntu, but it didn't work properly right out of the box. I found this page to be very helpful in debugging my DKIM problem.

To verify that your DNS TXT entry is being read correctly, type the following on the linux command line:

dig +short TXT APP1._domainkey.brighter.do

I'm using GoDaddy for DNS and I didn't need the domain name as part of my domain key string. Instead, I just needed the subdomain portion in the name field, as follows:

mail._domainkey

(I'm using "mail" instead of "app1" to specify my domain key.)

I hope this helps anyone with a similar problem. Once you get DKIM working properly, you'll realize that it's not that confusing. Good luck!

Where are the logs?

The default location depends on your linux/unix system, but the most common places are

/var/log/maillog
/var/log/mail.log
/var/adm/maillog
/var/adm/syslog/mail.log

If it's not there, look up /etc/syslog.conf. You should see something like this

mail.*         -/var/log/maillog

sendmail writes logs to the mail facility of syslog. Therefore, which file it gets written to depends on how syslog was configured.

If you system uses syslog-ng (instead of the more "traditional" syslog), then you'll have to look up your syslog-ng.conf file. You'll should something like this:

# This files are the log come from the mail subsystem.
#
destination mail     { file("/var/log/mail.log"); };
destination maillog  { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr  { file("/var/log/mail.err"); };

Unable to send out emails?

One of the most common reason I've seen for a freshly installed sendmail not being able to send out emails is the DAEMON_OPTIONS being set to listen only on 127.0.0.1

See /etc/mail/sendmail.mc

dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If that's your case, remove the "Addr=127.0.0.1" part, rebuild your conf file and you're good to go!

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

[root@server]$ m4 sendmail.mc > /etc/sendmail.cf
[root@server]$/etc/init.d/sendmail restart

If you've been making changes to /etc/sendmail.cf manually thus far (instead of the *.m4 file) you can make similar changes in /etc/sendmail.cf. The offending line will look like this:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

Change it to:

O DaemonPortOptions=Port=smtp, Name=MTA

Emails are going to spam

The following is based off of the IP I see in your logs as the mail sending IP of 67.55.9.182.

You have a PTR entry, which is good.

;; ANSWER SECTION:
182.9.55.67.in-addr.arpa. 14400 IN      PTR     dsl-67-55-9-182.acanac.net.

However your forward and reverse should match ideally. The reverse entry leads me to believe that you are running this off of a DSL ISP connection. That is enough to get your mail marked as spam in some systems. They do not like seeing mail coming from "home" or "consumer" connections.

Your IP is also listed in several blacklists:

67.55.9.182 is listed in dnsbl-3.uceprotect.net 
67.55.9.182 is listed in bl.spamcannibal.org

This will also result in your mail being sent to the spam bin.

Resolve the above issues and you will likely see your mail being accepted as ham. Hope that helps and let me know if you have any questions.

Best Answer

Related Solutions

Where to check log of sendmail

Where are the logs?

Unable to send out emails?

Emails are going to spam

Related Topic