
On an Ubuntu 20.04 VPS, installing opendkim via sudo apt install opendkim opendkim-tools proceeds as expected, following the steps provided here.

However, upon testing, while e-mails get sent in practice to the targeted mailbox with a very low spam score (3.9) and thus percolate outside of spam filtering,

sudo opendkim-testkey -d domain.tld -s default -vvv

returns unexpected and somewhat contradictory conclusions:

opendkim-testkey: key not secure
opendkim-testkey: key OK

The key is OK, but not secure. This puts into doubt the 'OK' bit. What has to be done to make the key secure?

Update

Following a suggestion in the comments, the contents of opendkim.conf follow:

Syslog                  yes
Logwhy                  yes
UMask                   007

Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256
Socket                  local:/run/opendkim/opendkim.sock
PidFile               /run/opendkim/opendkim.pid
OversignHeaders         From
TrustAnchorFile       /usr/share/dns/root.key

include
UserID                opendkim
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts       /etc/opendkim/trusted.hosts
Jerome

0 Answers