DKIM validating, but mxtoolbox reports as “DKIM-Signature Not Verified”

Tags: dkim, email, email-server

I'm trying to figure out why a lot of emails from one of my sites are not getting through (in particular sky.com and gmail.com).

With my server, we have a tool that generates the DNS records for us:

RECORD            TTL         TYPE      VALUE
------            ---         ----      -----
_domainkey        3600   IN   TXT      "t=y; o=~;"
mail._domainkey   3600   IN   TXT      "k=rsa; p=xxxx"

(xxx is the full key)

This is what I have in my DNS record TXT records:

[screenshot]

mail-tester.com comes back with this (which all looks good);

[screenshot]

…yet mxtoolbox comes back with:

[screenshot]

[screenshot]

The frustrating part is that if I check the original email on my own gmail.com account, it comes back as DKIM valid:

[screenshot]

What is the DKIM-Signature Not Verified error telling me? I'm at my wits' end trying to get deliverability up (I've tried testing via GlockApps and it still comes back with lots of rejections for whatever reason). I must be missing something.

UPDATE 2: Unfortunately MXToolbox is still ranking this as a problem. Every other tool says it's fine though, so I'm wondering if it's a false positive. Using GlockApps I can now see it's only the Gmail stuff that gets bounced out of their tests:

[screenshot]

I've read up about it – and it sounds like we may have shot ourselves in the foot when informing people about the crappy GDPR stuff that came out a while back. We emailed everyone (before it came in), to make them aware we would not be able to contact them if they didn't give us permission. Maybe Gmail's filters picked that up as spam (as quite a lot of our users are on Gmail), and punished us for it. Oh the irony! So now it sounds like the only way around it is to ask people to check their SPAM box (and mark as "not spam").

Best Answer

Well, for starters: your TXT record is wrong.

If you are sending mail from the domain example.com with a key named mykey (aka the selector), then the syntax is:

mykey._domainkey.example.com     IN TXT    "v=DKIM1; p=xxx"

You might also want to add t=s.

When you are confident that key signing and verification works, then I would recommend you add a DMARC and ADSP resource record, because it informs receiving mail servers about what they should do in case they receive a mail that is unsigned or uses the wrong key.

Syntax is simple enough (based on my own mail server settings):

_adsp._domainkey.example.com  IN TXT  "dkim=all"
_dmarc.example.com            IN TXT  "v=DMARC1; p=quarantine; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:mail@example.com; ruf=mailto:mail@example.com; rf=afrf; ri=86400; fo=1"

UPDATE

If you send a test mail to, for instance, a Gmail account, then there is an easy way to see if DKIM and DMARC are up and running.

I have enabled DKIM for my own domain molgaard.eu, so among others an email from me to Gmail will contain these headers:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@molgaard.eu header.s=mar2018 header.b=db8+ExPV;
       spf=pass (google.com: domain of ... as permitted sender) smtp.mailfrom=...;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=molgaard.eu

<SNIP>

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=molgaard.eu; 
h=content-language:x-mailer:content-type:content-type:mime-version
:message-id:date:date:subject:subject:from:from; s=mar2018; t=1583565649; 
x=1585380050; bh=...; b=...

The selector for my mails is called mar2018, since that is the month and year I made the key. :-)

And as you can see from Authentication-Results, both DKIM and DMARC pass (and SPF too), which means mails from my mail server should land in people's inboxes - instead of a spam folder. :-)

And actually my policy is a bit stricter, since I have declared in my DMARC record that any mail not signed or signed with the wrong key should be tossed out instead of landing in any folder at the receiver. :-)
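As an added example (not code from the answer above or from any of the tools mentioned), here is a small Python linter for the two record types the answer talks about, plus a reader for the Authentication-Results header it shows. It flags the kind of defects that appear in this thread: a DKIM key record with no v=DKIM1 tag, a DMARC record whose version tag is mistyped, a TXT value whose closing quote is missing, and bad p=/pct= values. Tag names and allowed values follow RFC 6376 (DKIM), RFC 7489 (DMARC) and RFC 8601 (Authentication-Results); the domains, selector, key material and header text in the samples are all constructed for the example.

```python
"""Lint DKIM key and DMARC policy TXT records and read an Authentication-Results header.

Added example; not code from the original post. Sample strings below are constructed.
"""
import re

POLICIES = ("none", "quarantine", "reject")


def txt_strings(rdata: str) -> str:
    """Join the quoted strings of a zone-file TXT RDATA; reject unbalanced quotes.

    Catches the copy-paste defect of a record that opens a quote and never
    closes it, which zone-file parsers reject outright.
    """
    if rdata.count('"') % 2:
        raise ValueError("unbalanced double quote in TXT RDATA")
    leftover = re.sub(r'"[^"]*"', "", rdata).strip()
    if leftover:
        raise ValueError(f"text outside quoted strings: {leftover!r}")
    return "".join(re.findall(r'"([^"]*)"', rdata))


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' record into an insertion-ordered dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, _, val = part.partition("=")
        tags[name.strip()] = val.strip()
    return tags


def check_dkim_record(value: str) -> list:
    """Return problems found in a DKIM key record (selector._domainkey); [] means OK."""
    problems = []
    tags = parse_tags(value)
    if "v" in tags and next(iter(tags)) != "v":
        problems.append("v= must be the first tag")
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing or wrong")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("p= (public key) missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key is revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        problems.append("p= is not base64")
    return problems


def check_dmarc_record(value: str) -> list:
    """Return problems found in a DMARC record (_dmarc.<domain>); [] means OK."""
    problems = []
    tags = parse_tags(value)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be one of none, quarantine, reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be one of none, quarantine, reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer 0..100")
    for tag in ("rua", "ruf"):
        if tag in tags and not all(u.strip().startswith("mailto:") for u in tags[tag].split(",")):
            problems.append(f"{tag}= entries must be mailto: URIs")
    return problems


def auth_results(header: str) -> dict:
    """Map dkim/spf/dmarc to their result in an Authentication-Results header (RFC 8601)."""
    body = header.split(";", 1)[-1]  # drop 'Authentication-Results: authserv-id;'
    return dict(re.findall(r"\b(dkim|spf|dmarc)=([a-z]+)", body))


# Constructed samples: the p= value is a placeholder, not a real key.
GOOD_DKIM = "v=DKIM1; k=rsa; p=placeholderBase64Key0123"
BAD_DKIM = "k=rsa; p=placeholderBase64Key0123"  # no v=DKIM1 tag
BAD_DMARC = "v=DMAR1; p=quarantine; sp=reject; pct=100; adkim=s; aspf=s"  # mistyped version
GOOD_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
              "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1")
SAMPLE_AUTH = (
    "Authentication-Results: mx.example.net;\n"
    "       dkim=pass header.i=@example.com header.s=sel2024 header.b=AbCdEfGh;\n"
    "       spf=pass (example.net: domain of bounce@example.com designates 192.0.2.1 "
    "as permitted sender) smtp.mailfrom=bounce@example.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
)

if __name__ == "__main__":
    for label, record, check in (("good DKIM", GOOD_DKIM, check_dkim_record),
                                 ("bad DKIM", BAD_DKIM, check_dkim_record),
                                 ("good DMARC", GOOD_DMARC, check_dmarc_record),
                                 ("bad DMARC", BAD_DMARC, check_dmarc_record)):
        print(f"{label}: {check(record) or 'OK'}")
    try:
        txt_strings('"v=DMARC1; p=none')  # closing quote missing
    except ValueError as exc:
        print("unterminated TXT value:", exc)
    print(auth_results(SAMPLE_AUTH))
```

Run it before publishing a record: feed `txt_strings()` the RDATA exactly as it will go into the zone, then pass the result to the matching checker. An empty list from the checker and `pass` for all three methods in a received header are the two signals the answer relies on.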