How to get DKIM to authenticate

domainkeys sendmail

I've got sendmail and dkim-milter both running on RHEL4.

DNS and config files look like:

TXT record:
mail._domainkey.MYDOMAIN.com IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=….snip…TRM3w7CuYnQIDAQAB"

TXT record:

_adsp._domainkey.MYDOMAIN.com. IN TXT "dkim=unknown"

/etc/dkim.conf

Canonicalization simple
Domain MYDOMAIN.com,MY2ndDOMAIN.com
KeyFile /var/db/dkim/mail.key.pem
MTA MSA
Selector mail
Socket inet:8891@localhost
SignatureAlgorithm rsa-sha256
Syslog Yes
Userid dkim
X-Header Yes
Mode sv
InternalHosts /etc/dkim-internal-hosts

/etc/dkim-internal-hosts

MYDOMAIN.com
MY2ndDOMAIN.com
127.0.0.1

Now, when I send an email as a test, I don't see anything in the headers about DKIM being authenticated, although the key does appear:

X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=MYDOMAIN.com; s=mail;
t=/XKdLCPjaYaY=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
 Content-Transfer-Encoding;
b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
 hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic

If I type in:

# host -t txt mail._domainkey.MYDOMAIN.com

I get:

Host mail._domainkey.MYDOMAIN.com not found: 3(NXDOMAIN)

What could I be missing?

Best Answer

It looks like your DNS is set up incorrectly. You need to put in your public key that you generated when initially setting up DKIM. A sample DKIM record is as follows:

$ dig +short TXT dkim._domainkey.twitter.com
"v=DKIM1\;" "g=*\;" "k=rsa\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZ6zwKHLkoNpHNyPGwGd8wZoNZOk5buOf8wJwfkSZsNllZs4jTNFQLy" "6v4Ok9qd46NdeRZWnTAY+lmAAV1nfH6ulBjiRHsdymijqKy/VMZ9Njjdy/+FPnJSm3+tG9Id7zgLxacA1Yis/18V3TCfvJrHAR/a77Dxd65c96UvqP3QIDAQAB"

Everything after the p= is the public key. Just paste it all on one line. The value that comes before the _domainkey is called your selector. In the Twitter example above, their selector is dkim. From your /etc/dkim.conf file, it looks like your selector is called simply mail. So your DNS record should be:

mail._domainkey.MYDOMAIN.com. IN TXT "v=DKIM1; k=rsa; t=s; p=<yourpublickey>"

Once that's set up and after the record has propagated, you should get the full record when you run the following:

$ dig +short TXT mail._domainkey.MYDOMAIN.com

Hope this helps.
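As an added example (not part of the question or the answer above), a small Python checker that does what a verifier does with the dig output: it joins the quoted TXT chunks, unescapes the "\;" that dig prints, parses the tag=value pairs and reports why the record would not be usable. The name builder and the checks are assumptions based on the record format shown in the answer; the sample record in the demo is constructed.

```python
import base64
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}"

def join_txt_strings(rdata: str) -> str:
    """Join the quoted character-strings of a TXT record the way a resolver does.
    dig prints each chunk as a separate quoted string and escapes ';' as '\\;';
    a DKIM verifier concatenates the chunks with no separator before parsing."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not chunks:  # bare, unquoted record text (e.g. copied from a zone file)
        chunks = [rdata]
    return "".join(c.replace("\\;", ";").replace('\\"', '"') for c in chunks)

def parse_dkim_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is ignored."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_record(rdata: str) -> list:
    """Return a list of findings; an empty list means the record looks usable."""
    findings = []
    tags = parse_dkim_tags(join_txt_strings(rdata))
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but must be DKIM1 if present
        findings.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":          # k= defaults to rsa
        findings.append(f"unsupported key type k={tags.get('k')}")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag: the public key was never published")
    elif p == "":
        findings.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if not der or der[0] != 0x30:      # DER SubjectPublicKeyInfo starts with a SEQUENCE
                findings.append("p= does not decode to a DER public key")
        except ValueError:
            findings.append("p= is not valid base64 (check for line breaks or snipped text)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("note: t=y is testing mode, verifiers will not act on failures")
    return findings

if __name__ == "__main__":
    # Constructed sample: p= is the base64 of a minimal DER SEQUENCE, not a real key.
    sample = '"v=DKIM1\\;" "k=rsa\\;" "p=MAA="'
    print(dkim_record_name("mail", "MYDOMAIN.com"), check_dkim_record(sample))
```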