2

I'm configuring an AWS EC2 instance with Postfix, and have set it up with Route53 including reverse DNS. I've tested that I can send emails, and Outlook receives them fine, but Gmail does not. I followed this guide to install and configure opendkim, and when I use this validator, I get this message stating that it's a valid DKIM record. However, when I use this validator, I get the response that "This message does not contain a DKIM Signature". Furthermore, when I send the email to Outlook, it goes in the main inbox, but I get the following results from authentication:

Authentication-Results: spf=pass (sender IP is x.x.x.x)
 smtp.mailfrom=mail.example.com; mail.outlookserver.com; dkim=none (message not
 signed) header.d=none;mail.outlookserver.com; dmarc=pass action=none
 header.from=mail.example.com;compauth=pass reason=100

The IP address of x.x.x.x is a substitution for my mail server's IP address, and mail.example.com is the FQDN of my mail server. mail.outlookserver.com is the Outlook mail server. Evidently, the SPF and DMARC records pass, however the DKIM record does not. I have the DKIM record set in AWS Route 53 as shown here and here, and I can do a dig and have it return the expected value, where $key is my public key:

andreaskralj@linuxdev:~$ dig +short TXT mail._domainkey.example.com
"v=DKIM1; h=sha256; k=rsa; " "p=$key"

I'm unsure why my DKIM record isn't perceived as valid by Outlook or the other validator. If anyone has any ideas of what I can try or needs any more information, please let me know.

Edit:

I tried to add the following lines in /etc/postfix/master.cf:

pickup    unix  n       -       y       60      1       pickup
  -o smtpd_milters=inet:localhost:8892
  -o non_smtpd_milters=inet:localhost:8892

The pickup line was already there; I added the -o lines according to the suggested answer by @Lasse Michael Mølgaard. Unfortunately, my email headers still say that the DKIM is set to none.

AndreasKralj
  • How are you sending and receiving emails? Are you using SMTP / Submission or ActiveSync for sending? – Lasse Michael Mølgaard Feb 13 '20 at 16:41
  • I'm not receiving any emails, I'm only sending them over SMTP using the linux mail utility. I'll run the following command: `echo "This is a test" | mail -s "Test Email" andreaskralj@emailaddr.com` and it'll be received in the default inbox in Outlook, however dkim will be set to "none" – AndreasKralj Feb 13 '20 at 17:27
  • Ah... That is probably because even though `mail` is supposed to send via SMTP, it doesn't; it uses `maildrop`, which is then picked up by the `pickup` daemon before it is fed to Postfix. I had the same issue when getting mails from ActiveSync vs SMTP or Submission. Hence why I gave my hint. Sometimes it is really like taking a tumble "Alice in Wonderland"-style and seeing how far down the rabbit hole you fell. – Lasse Michael Mølgaard Feb 13 '20 at 18:04
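
The two validators in the question test different things: one looks up the published key record, the other looks for a DKIM-Signature header on the message itself. The following check is an added example, not code from the original post; it separates the two cases without verifying the signature cryptographically. The sample messages, the placeholder key and the function names are constructed for illustration.

```python
import email
import re

# Constructed sample inputs (not taken from the original post).
UNSIGNED = (
    "From: root@mail.example.com\n"
    "To: user@example.net\n"
    "Subject: Test Email\n"
    "\n"
    "This is a test\n"
)
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\n"
    "\ts=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
) + UNSIGNED
# dig +short prints one TXT record as several quoted strings.
DIG_TXT = '"v=DKIM1; h=sha256; k=rsa; " "p=PLACEHOLDERKEY"'


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def join_txt(dig_line):
    """Concatenate the quoted strings of one TXT record, as a verifier does."""
    return "".join(re.findall(r'"([^"]*)"', dig_line))


def check_message(raw, published_name, dig_line):
    """Return (status, detail) for one raw message and one published key."""
    msg = email.message_from_string(raw)
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        return ("unsigned", "no DKIM-Signature header: the signer never saw it")
    sig = parse_tags(sigs[0])
    query = f"{sig.get('s')}._domainkey.{sig.get('d')}"
    if query != published_name:
        return ("selector-mismatch", query)
    key = parse_tags(join_txt(dig_line))
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        return ("bad-key-record", query)
    return ("signed", query)
```

A result of `unsigned` alongside a valid key record matches the `dkim=none (message not signed)` line in the Outlook headers: the DNS side is fine and the message never passed through the signer.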

1 Answer

0

Suggestion based on my comment:

I use amavis to sign my mails, so I have added a line underneath the default pickup line with -o content_filter=..., so it now states.

pickup    unix  n       -       y       60      1       pickup
    -o content_filter=amavis:[127.0.0.1]:10026

I'm wondering if you can use smtpd_milters and non_smtpd_milters the same way?

EDIT

If you want to use Amavis DKIM to sign mail, you need to tweak your master file a little more.

Default setting is when you forward something to Amavis (in my case port 10026) then Amavis will return the result using a port one higher (in my case 10027).

I therefore have the following entry in my master.cf file:

amavis unix - - y - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o smtp_bind_address=

127.0.0.1:10027 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_send_xforward_command=yes
        -o milter_default_action=accept
        -o milter_macro_daemon_name=ORIGINATING
        -o disable_dns_lookups=yes

The way Amavis knows how to send the signed result back to Postfix is from this part in /etc/amavis/conf.d/50-user:

# :* = send to incoming Port + 1
$forward_method = 'smtp:127.0.0.1:*';
$notify_method = 'smtp:127.0.0.1:*';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
};

There is a very short signing example with Amavis here

  • Thanks for the reply. I'll test it out and see if it worked. – AndreasKralj Feb 13 '20 at 18:29
  • Sorry it took me a bit to get back to you. I tried this, unfortunately it didn't work. I edited the question accordingly, please verify that the syntax I used is correct according to your suggestion. – AndreasKralj Feb 14 '20 at 17:17
  • Well, I had issues using the milter approach too. Hence why I ended up using Amavis. I already used it for filtering inbound mails for spam and viruses, and since it also works with DKIM signing and checking, well... That's just another plus in my book. I updated my answer with the Amavis version. :-) – Lasse Michael Mølgaard Feb 14 '20 at 21:08
  • Thanks for the recommendation. I'll try working with Amavis. – AndreasKralj Feb 14 '20 at 21:40