1

I have generated and added a DKIM record with a selector: 2020.

The DKIM record seems to have been added successfully when I used a few DKIM checkers online, but Gmail (mailed-by is displayed whereas signed-by isn't when I check the info of the email that I sent from the server) and the MxToolBox report can't seem to detect a DKIM signature in the emails sent.

What could be causing this?

AndrewL64
  • One of the sites where I checked the DKIM record at is [this one](https://protodave.com/tools/dkim-key-checker/). – AndrewL64 Jun 15 '20 at 20:02
  • MXToolbox being broken could cause it. The other site works, as does a manual query of the DNS. – Michael Hampton Jun 15 '20 at 20:40
  • @MichaelHampton Hey hello again man! So I ended up using one of those "send an email here and we'll check your records" websites and even those sites are saying I don't have a DKIM record even though I'm sure I do and the above site indicated that I did as you noticed too. – AndrewL64 Jun 15 '20 at 20:43
  • Even gmail is not recognising the DKIM certificate and not showing the `signed-by:` in the email header. – AndrewL64 Jun 15 '20 at 20:44
  • But you signed with the selector 2020? That's getting really odd, then. I'd post the headers from such a message. – Michael Hampton Jun 15 '20 at 20:49
  • Do you have a dummy email I can send a message using the server email from? Or should I just copy-paste the header here? And do I need to obfuscate anything from the header or it's safe to copy it as it is? – AndrewL64 Jun 15 '20 at 20:52
  • You can just use a message you've already tested with. And no, [we generally frown on obfuscation](https://meta.serverfault.com/q/963/126632). – Michael Hampton Jun 15 '20 at 20:53
  • @MichaelHampton Header added to question. I have only obfuscated the gmail account and left everything else unchanged. – AndrewL64 Jun 15 '20 at 20:58
  • Your message doesn't have a DKIM signature! – Michael Hampton Jun 15 '20 at 21:08
  • @MichaelHampton Yes. And I don't understand why because the DKIM checkers are saying I do have a DKIM record. – AndrewL64 Jun 15 '20 at 21:14
  • And I used virtualmin to generate the private and public keys btw. Not sure if that could be the reason for this though. – AndrewL64 Jun 15 '20 at 21:15
  • You have a DKIM record in the DNS. That doesn't mean you're signing your email. It means that DKIM signatures can be verified. – Michael Hampton Jun 15 '20 at 21:16
  • In Virtualmin, I have made sure to check Yes for `Signing of outgoing mail enabled?`, `Reject incoming email with invalid DKIM signature?` and `Force generation of new private key?` when I initiated the DKIM request for all domains in my server. The only other option in the DKIM section is `Size of new DKIM key`, which I manually set to 2048. Is there something else that I should do after generating the keys? – AndrewL64 Jun 15 '20 at 21:23
  • Well, if you're using virtualmin you're beyond our ability to help here. – Michael Hampton Jun 15 '20 at 21:35
  • @MichaelHampton I understand. I really appreciate the help though. Thanks man. – AndrewL64 Jun 15 '20 at 21:37
  • `DKIM` is not an actual record type, it is a `TXT` with a specific structure. If you query for `2020._domainkey.shillong.work TXT` you will see it. The URL of your tool seems to give incorrect result, if you put this record name, it shows it properly. And validates it. You see it by using this link instead https://mxtoolbox.com/SuperTool.aspx?action=dkim%3Ashillong.work:2020&run=toolpage. DNSViz is also happy at https://dnsviz.net/d/2020._domainkey.shillong.work/Xuf4dA/dnssec/ so there is no problem on the DNS side of things. – Patrick Mevzek Jun 15 '20 at 22:43

1 Answer

2

So I have figured out the problem. On checking the error logs in /var/log/mail.log, I noticed multiple lines with the same error:

```
warning: connect to Milter service inet:localhost:8891: Connection refused
```

On googling this, I found numerous other people going through the same problem and finally came across a forum discussion about this issue (this is an issue with opendkim btw and not with virtualmin as I initially thought) and figured out that opendkim was not using the correct port (8891) and all I needed to do was:

  1. Un-comment the following line (remove the trailing #) from /etc/opendkim.conf:

     ```
     Socket                  inet:8892@localhost
     ```

  2. On that same line, change 8892 to 8891:

     ```
     Socket                  inet:8891@localhost
     ```

  3. Comment the following line (Add a trailing #) from /etc/opendkim.conf:

     ```
     #Socket                 local:/var/run/opendkim/opendkim.sock
     ```

You can now simply restart opendkim by running the following command (Ubuntu):

```
service opendkim restart
```

And also restart apache by running the following command (Ubuntu):

```
service apache2 restart
```

And your outbound emails should start including the DKIM signature in your email header.

AndrewL64
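The mismatch described in the answer above can be checked mechanically. This is an added example, not part of the original post and not opendkim or Virtualmin code: it compares the active `Socket` line of an opendkim.conf with the milter endpoint that the mail.log warning says was refused. The sample config and log text are constructed, the function names are hypothetical, and if several `Socket` lines are active the sketch simply takes the last one (an assumption, not documented opendkim behaviour).

```python
import re

# Constructed sample inputs mirroring the "before" state in the answer.
SAMPLE_CONF = """\
#Socket                 inet:8892@localhost
Socket                  local:/var/run/opendkim/opendkim.sock
"""
SAMPLE_LOG = """\
Jun 15 20:31:02 mail postfix/smtpd[2231]: warning: connect to Milter service inet:localhost:8891: Connection refused
"""

def opendkim_socket(conf_text):
    """Return the active (uncommented) Socket as (kind, host_or_path, port)."""
    found = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*Socket\s+(\S+)", line)  # '#Socket ...' does not match
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("inet:"):               # inet:port@host
            port, _, host = spec[5:].partition("@")
            found = ("inet", host or "*", port)
        elif spec.startswith(("local:", "unix:")):
            found = ("local", spec.split(":", 1)[1], None)
    return found

def refused_milters(log_text):
    """Milter endpoints that appear in 'Connection refused' warnings."""
    pat = re.compile(r"connect to Milter service inet:([^:\s]+):(\d+): Connection refused")
    return sorted({("inet", h, p) for h, p in pat.findall(log_text)})

def diagnose(conf_text, log_text):
    """Explain each refused endpoint in terms of the opendkim Socket setting."""
    sock = opendkim_socket(conf_text)
    findings = []
    for _kind, host, port in refused_milters(log_text):
        want = f"inet:{port}@{host}"
        if sock is None:
            findings.append(f"no active Socket line; mail server wants {want}")
        elif sock[0] != "inet":
            findings.append(f"opendkim listens on {sock[0]}:{sock[1]}, mail server wants {want}")
        elif sock[2] != port:
            findings.append(f"port mismatch: opendkim {sock[2]}, mail server {port}")
        else:
            findings.append(f"Socket matches {want}; check that opendkim is running")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CONF, SAMPLE_LOG)))
```

An empty result from `diagnose` means the log contains no refused milter connections, which is the state to expect after the change and restart.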