My DKIM verification keeps failing, and I can't figure out why.
It's signed though, but wrong.
When I check domain and selector it turns out as valid, so problem is with signing.
Here is a dump of one test email:
============================================================================
This is SPF/DKIM/DMARC/RBL report generated by a test tool provided
by AdminSystem Software Limited.
Any problem, please contact support@emailarchitect.net
============================================================================
Report-Id: a511e572
Sender: dule@example.com
Source-IP: 11.22.33.44
============================================================================
Original email header:
x-sender: dule@example.com
x-receiver: test-a511e572@appmaildev.com
Received: from host1.example.biz ([11.22.33.44]) by appmaildev.com with Microsoft SMTPSVC(8.5.9600.16384);
Wed, 25 Jan 2017 07:25:09 +0000
Received: from host1.example.biz (localhost [127.0.0.1])
by host1.example.biz (Postfix) with SMTP id DB0A3164364
for <test-a511e572@appmaildev.com>; Wed, 25 Jan 2017 08:25:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
s=2016; t=1485329108;
bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
h=From:Subject:To:Date:From;
b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
6rQnOaNhmvSaQ==
From: "dule" <dule@example.com>
Subject: d
To: test-a511e572@appmaildev.com
Message-Id: <1485329108.10136@example.com>
X-Mailer: Usermin 1.690
Date: Wed, 25 Jan 2017 08:25:08 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound1485329108"
Return-Path: dule@example.com
X-OriginalArrivalTime: 25 Jan 2017 07:25:09.0615 (UTC) FILETIME=[28C68FF0:01D276DC]
============================================================================
SPF: Pass
============================================================================
SPF-Record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Sender-IP:11.22.33.44
Sender-Domain:example.com
Query TEXT record from DNS server for: example.com
[TXT]: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Parsing SPF record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Mechanisms: v=spf1
Mechanisms: mx
Testing mechanism mx
Query MX record from DNS server for: example.com
[MX]: mail.example.com
Testing mechanism A:mail.example.com/128
Query A record from DNS server for: mail.example.com
[A]: 11.22.33.44
Testing CIDR: source=11.22.33.44; 11.22.33.44/128
mx hit, Qualifier: +
============================================================================
DKIM: fail
============================================================================
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
s=2016; t=1485329108;
bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
h=From:Subject:To:Date:From;
b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
6rQnOaNhmvSaQ==
Signed-by: dule@example.com
Expected-Body-Hash: GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=
Public-Key: v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9jrAe+o1L/g0pQefC4AdVPmN2gS2ODghLhfzir0xKTBLl3U+2X33DCStxvHdaLJZYVlKu9PDwr5yXvX4izX5ZnM/gEIm2p3ij0ykQu7Phz6GUvBoozLGPM2876dEVuMZ/aZgqoC4BU8dXGIlif4mqyo6pM76gPwbcj9e98nY+NKJAdKpJV5fMO94wXZ/DjNjI4Sr6bWxrBOZZyh5Am9T/lbOgjjU26ejiroSw//MdXDNGBBp44llHSWEWuUfxamDHaR83UGqhV2gWLpJyrbJtp3Ic8nwuWc0Ko1fR7wbg+HW5OdF9WMf0Id2qTbKQlOSAzbz82Qh5Nj2RCBdBJ1hwIDAQAB;
DKIM-Result: fail (bad signature)
Here is a dump of opendkim.conf
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2016
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
#ADSPAction continue
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
#ATPSDomains example.com
#SigningTable refile:/etc/dkim-signingtable
#KeyTable /etc/dkim-keytable
Best Answer
Actually it appears that above configuration and keys are OK, problem could have been with various tools for DKIM validation and google, that they are picking DNS changes with a delay.
I suggest doing DKIM tests 48hrs after you configure server.