Dkim verification keeps failing bad signature

dkimemail-serveropendkimpostfixsmtp-headers

My DKIM verification keeps failing, and I can't figure out why.
It's signed though, but wrong.

When I check domain and selector it turns out as valid, so problem is with signing.

Here is a dump of one test email:

============================================================================
This is SPF/DKIM/DMARC/RBL report generated by a test tool provided 
    by AdminSystem Software Limited.

Any problem, please contact support@emailarchitect.net
============================================================================
Report-Id: a511e572
Sender: dule@example.com
Source-IP: 11.22.33.44
============================================================================
Original email header:

x-sender: dule@example.com
x-receiver: test-a511e572@appmaildev.com
Received: from host1.example.biz ([11.22.33.44]) by appmaildev.com with Microsoft SMTPSVC(8.5.9600.16384);
     Wed, 25 Jan 2017 07:25:09 +0000
Received: from host1.example.biz (localhost [127.0.0.1])
    by host1.example.biz (Postfix) with SMTP id DB0A3164364
    for <test-a511e572@appmaildev.com>; Wed, 25 Jan 2017 08:25:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
    s=2016; t=1485329108;
    bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
    h=From:Subject:To:Date:From;
    b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
     z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
     wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
     LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
     jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
     6rQnOaNhmvSaQ==
From: "dule" <dule@example.com>
Subject: d
To: test-a511e572@appmaildev.com
Message-Id: <1485329108.10136@example.com>
X-Mailer: Usermin 1.690
Date: Wed, 25 Jan 2017 08:25:08 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound1485329108"
Return-Path: dule@example.com
X-OriginalArrivalTime: 25 Jan 2017 07:25:09.0615 (UTC) FILETIME=[28C68FF0:01D276DC]

============================================================================
SPF: Pass
============================================================================

SPF-Record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Sender-IP:11.22.33.44
Sender-Domain:example.com

Query TEXT record from DNS server for: example.com
[TXT]: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Parsing SPF record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all

Mechanisms: v=spf1

Mechanisms: mx
Testing mechanism mx
Query MX record from DNS server for: example.com
[MX]: mail.example.com
Testing mechanism A:mail.example.com/128
Query A record from DNS server for: mail.example.com
[A]: 11.22.33.44
Testing CIDR: source=11.22.33.44;  11.22.33.44/128
mx hit, Qualifier: +

============================================================================
DKIM: fail
============================================================================

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
    s=2016; t=1485329108;
    bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
    h=From:Subject:To:Date:From;
    b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
     z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
     wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
     LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
     jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
     6rQnOaNhmvSaQ==
Signed-by: dule@example.com
Expected-Body-Hash: GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=
Public-Key: v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9jrAe+o1L/g0pQefC4AdVPmN2gS2ODghLhfzir0xKTBLl3U+2X33DCStxvHdaLJZYVlKu9PDwr5yXvX4izX5ZnM/gEIm2p3ij0ykQu7Phz6GUvBoozLGPM2876dEVuMZ/aZgqoC4BU8dXGIlif4mqyo6pM76gPwbcj9e98nY+NKJAdKpJV5fMO94wXZ/DjNjI4Sr6bWxrBOZZyh5Am9T/lbOgjjU26ejiroSw//MdXDNGBBp44llHSWEWuUfxamDHaR83UGqhV2gWLpJyrbJtp3Ic8nwuWc0Ko1fR7wbg+HW5OdF9WMf0Id2qTbKQlOSAzbz82Qh5Nj2RCBdBJ1hwIDAQAB;

DKIM-Result: fail (bad signature)

Here is a dump of opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2016

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no
#ADSPAction            continue

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains            example.com
#SigningTable refile:/etc/dkim-signingtable
#KeyTable /etc/dkim-keytable

Best Answer

Actually it appears that above configuration and keys are OK, problem could have been with various tools for DKIM validation and google, that they are picking DNS changes with a delay.

I suggest doing DKIM tests 48hrs after you configure server.

Related Topic