I'm trying to figure out why a lot of emails from one of my sites are not getting through (in particular sky.com and gmail.com).
With my server, we have a tool that generates the DNS records for us:
RECORD            TTL   TYPE    VALUE
------            ---   ----    -----
_domainkey        3600  IN TXT  "t=y; o=~;"
mail._domainkey   3600  IN TXT  "k=rsa; p=xxxx"
(xxx is the full key)
This is what I have in my DNS TXT records:
mail-tester.com comes back with this (which all looks good):
…yet mxtoolbox comes back with:
The frustrating part is that if I check the original email on my own gmail.com account, it comes back as DKIM valid:
What is the "DKIM-Signature Not Verified" error telling me? I'm at my wits' end trying to get deliverability up (I've tried testing via GlockApps and it still comes back with lots of rejections for whatever reason). I must be missing something.
UPDATE 2: Unfortunately MXToolbox is still ranking this as a problem. Every other tool says it's fine though, so I'm wondering if it's a false positive. Using GlockApps I can now see it's only the Gmail stuff that gets bounced out of their tests:
I've read up about it, and it sounds like we may have shot ourselves in the foot when informing people about the crappy GDPR stuff that came out a while back. We emailed everyone (before it came in) to make them aware we would not be able to contact them if they don't give us permission. Maybe Gmail's filters picked that up as spam (as quite a lot of our users are on Gmail), and punished us for it. Oh the irony! So now it sounds like the only way around it is to ask people to check their SPAM box (and mark as "not spam").
Best Answer
Well for starters: Your TXT record is wrong.
If you are sending mail from the domain example.com with a key named mykey (aka the selector), then the syntax is:
You might also want to add t=s.
When you are confident that key signing and verification work, then I would recommend you add a DMARC and ADSP resource record, because it informs the receiving mail server about what it should do in case it receives a mail that is unsigned or uses the wrong key.
Syntax is simple enough (based on my own mail server settings):
UPDATE
If you send a test mail to, for instance, a Gmail account, then there is an easy way to see if DKIM and DMARC are up and running.
I have enabled DKIM for my own domain molgaard.eu, so among others an email from me to Gmail will contain these headers:
The selector for my mails is called mar2018, since that is the month and year I made the key. :-)
And as you can see from Authentication-Results, both DKIM and DMARC pass (and SPF too), which means mails from my mailserver should land in people's inbox instead of a spam folder. :-)
And actually my policy is a bit more strict, since I have declared in my DMARC record that any mail not signed or signed with the wrong key should be tossed out instead of landing in any folder at the receiver. :-)
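Added example, not part of the original answer: a Python sketch of the header check described above. It derives the DNS name of the key record from a DKIM-Signature header, reads the dkim/spf/dmarc verdicts from Authentication-Results, and flags problems in a key TXT record. The sample headers, the receiver name mx.example.net and the function names are constructed for illustration; example.com and the selector mykey follow the answer's naming.

```python
import email
import re

# Constructed sample headers (all values made up), shaped like what a receiver records.
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com header.s=mykey header.b=AbCdEfGh;
       spf=pass (mx.example.net: domain of bounce@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
       s=mykey; h=from:to:subject:date; bh=Zm9v; b=YmFy
From: sender@example.com

body
"""

def parse_tags(value):
    """Split a 'tag=value; tag=value' list (DKIM-Signature or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(raw_message):
    """DNS name where the verifier looks up the public key: <s>._domainkey.<d>."""
    msg = email.message_from_string(raw_message)
    sig = parse_tags(msg["DKIM-Signature"])
    return f'{sig["s"]}._domainkey.{sig["d"]}'

def auth_results(raw_message):
    """Map each of dkim/spf/dmarc to its verdict from Authentication-Results."""
    msg = email.message_from_string(raw_message)
    header = " ".join(msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", header))

def check_key_record(txt):
    """List problems in a DKIM key TXT record (tags per RFC 6376 section 3.6.1)."""
    tags, problems = parse_tags(txt), []
    if not tags.get("p"):
        problems.append("p= missing or empty (key absent or revoked)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in testing mode")
    return problems
```

Comparing the name from `key_record_name` with the name the TXT record is actually published under shows whether the selector in the signature matches the one in DNS.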