DKIM public key not retrievable

Tags: dkim, domain-name-system, txt-record

I've had a mail server set up for quite a while now. It's been working fine, all the major email providers accept email from my server with no problem. However, at the time I set up the server, I also set up DKIM, and I thought that it was working this whole time. I recently went to mail-tester.com and it reported that it could not retrieve my public key. It does see that the DKIM header is properly added to the email, which is good, but without the public key it is of course useless for validation. dig mail._domainkey.website.ca TXT returns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> mail._domainkey.website.ca TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32970
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail._domainkey.website.ca. IN TXT

;; ANSWER SECTION:
mail._domainkey.website.ca. 60 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDr0rbblJ2j7QrjLC2JGbRHqsU4kr3eNZ7cLL0o1VrR3O966++99SuIqUwwiaTg5lsgYvGuBlN2A5ekJK7Q9pjw5J9+yYY14jx0vxVjfS+kjfqn/tNp5+pHWWnnviZ2b9SIvqg36l/v0bMcPJVM8HuhQLFooz1M2wYi9QoQt5eslwIDAQAB"

;; Query time: 53 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Fri Apr 07 07:38:44 UTC 2017
;; MSG SIZE  rcvd: 331

So what's up? Is the entry formatted incorrectly? I see various examples around the web, some with quotation marks, some without. I have tried it both ways now. I also added the same entry as default._domainkey but that may not have propagated through DNS yet. The same server also complained that my SPF record was present, but not duplicated as a TXT record. Is that normal practice? Why would you need it as both an SPF and a TXT?

Thanks in advance to all the DKIM experts out there 😉

EDIT: I've just verified that the selector (the s= field in the DKIM section of the email headers) is indeed set to mail. Therefore mail._domainkey should be the correct entry.

EDIT2: My DNS provider is CloudFlare.

EDIT3: I think I may have narrowed down the problem, but I still have no idea how to fix it. mail-tester.com says

We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain mail.website.ca using the selector mail.

I'm thinking that because the d= field in the header is for mail.website.ca it's actually trying to find the record mail._domainkey.mail.website.ca which of course does not exist. But how to fix this? Should I generate a new key and drop the mail part of the domain? Or should I just add another DNS record? I'm curious as to what the best practice is.

EDIT 4: Alright, so it appears that mail-tester.com can now see the TXT record named mail._domainkey.mail, however it still complains that the public key is invalid. I decided to test my DKIM by sending an email to another server I control. Looking at the logs, the email server there was able to get the public key. Both SpamAssassin and OpenDKIM said that they were able to verify, which is good news (as that wasn't happening before). So I at least solved the important part of the problem. I am still very curious to figure out why mail-tester.com is still rejecting the TXT record (it's almost certainly due to formatting) and I'm worried that other DKIM implementations might have the same issue. I will leave this question up in hopes that someone can shed some light.
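The reasoning in EDIT3 is exactly what a verifier does: it takes the `s=` and `d=` tags from the DKIM-Signature header, queries `<s>._domainkey.<d>` for TXT, concatenates the quoted strings dig shows as separate (RFC 6376 requires the strings of a TXT record to be joined with nothing in between), and then parses the result as a tag list. The following Python is an added example, not code from the question, the answer or any DKIM implementation; the DKIM-Signature header is constructed in the shape the question describes (signature and body-hash values are placeholders), while the TXT strings are the ones returned by the dig query above. In the key record, `s=` is the service type (`email` or `*`) and `h=` the list of permitted hash algorithms, so the checker treats them that way.

```python
"""Derive the DKIM key DNS name from a DKIM-Signature header and sanity-check
the TXT record a verifier would receive. Added example; uses only stdlib."""
import base64

# Constructed sample header (d=mail.website.ca, s=mail, as in the question).
# bh= and b= are placeholders, and the header is folded like a real one.
SAMPLE_SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=mail.website.ca; s=mail;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
)

# The TXT record as dig printed it: two character-strings to be concatenated.
SAMPLE_TXT_STRINGS = [
    "v=DKIM1; h=sha256; k=rsa; s=email;",
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDr0rbblJ2j7QrjLC2JGbRHqsU4kr3eNZ7c"
    "LL0o1VrR3O966++99SuIqUwwiaTg5lsgYvGuBlN2A5ekJK7Q9pjw5J9+yYY14jx0vxVjfS+kj"
    "fqn/tNp5+pHWWnnviZ2b9SIvqg36l/v0bMcPJVM8HuhQLFooz1M2wYi9QoQt5eslwIDAQAB",
]


def parse_tags(tag_list):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into an ordered dict.

    Whitespace (including header folding) around names and inside values is
    ignored, a trailing ';' is allowed, duplicate tags are an error."""
    tags = {}
    for part in tag_list.split(";"):
        if not part.strip():
            continue  # empty element left by a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part.strip()!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = "".join(value.split())
    return tags


def key_query_name(signature_header):
    """Return the DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    sig = parse_tags(signature_header)
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_key_record(txt_strings, signature_header=None):
    """Return (ok, problems) for a DKIM key record given as its TXT strings."""
    problems = []
    try:
        rec = parse_tags("".join(txt_strings))  # join strings, no separator
    except ValueError as exc:
        return False, [str(exc)]

    # v= is optional, but if present it must be DKIM1 and come first.
    if "v" in rec and (rec["v"] != "DKIM1" or next(iter(rec)) != "v"):
        problems.append("v= must be DKIM1 and must be the first tag")

    key_type = rec.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={key_type}")

    # s= is the service type, default '*'; 'email' must be permitted.
    services = rec.get("s", "*").split(":")
    if not any(svc in ("*", "email") for svc in services):
        problems.append("s= does not permit the 'email' service")

    # h= restricts hash algorithms; the signature's algorithm must be listed.
    if signature_header is not None and "h" in rec:
        sig_hash = parse_tags(signature_header)["a"].split("-", 1)[1]
        if sig_hash not in rec["h"].split(":"):
            problems.append(f"h= does not allow {sig_hash}")

    if "p" not in rec:
        problems.append("p= tag missing")
    elif rec["p"] == "":
        problems.append("p= is empty: the key has been revoked")
    else:
        try:
            der = base64.b64decode(rec["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
        else:
            # An RSA key is a DER SubjectPublicKeyInfo, which starts with SEQUENCE (0x30).
            if key_type == "rsa" and (not der or der[0] != 0x30):
                problems.append("p= decodes but is not a DER SubjectPublicKeyInfo")

    return not problems, problems


if __name__ == "__main__":
    print("query name:", key_query_name(SAMPLE_SIGNATURE_HEADER))
    print("record check:", check_key_record(SAMPLE_TXT_STRINGS, SAMPLE_SIGNATURE_HEADER))
```

Run against the constructed header, `key_query_name` yields `mail._domainkey.mail.website.ca`, which is the name EDIT3 predicts; with `d=website.ca` it would be `mail._domainkey.website.ca`, the record that already exists. The record itself passes the checks once the two strings are joined, so any remaining complaint from a tester is about how it reads the TXT strings, not about the tags.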

Best Answer

The selector is mail but the record contains s=email. You don't need the "s" and "h" fields in the record. Also the breaking quotes aren't needed and you might need to add a semicolon after the key:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDr0rbblJ2j7QrjLC2JGbRHqsU4kr3eNZ7cLL0o1VrR3O966++99SuIqUwwiaTg5lsgYvGuBlN2A5ekJK7Q9pjw5J9+yYY14jx0vxVjfS+kjfqn/tNp5+pHWWnnviZ2b9SIvqg36l/v0bMcPJVM8HuhQLFooz1M2wYi9QoQt5eslwIDAQAB;