
I'm setting up DKIM for my domain to sign outgoing mails.

I've got some issues with the DNS configuration, because it is split between an external DNS (hosting) and a cloud server, which sends the emails.

Cloud server IP: 85.95.211.100 (fake)

External DNS

@   A   85.95.211.100
www A   85.95.211.100
_domainkey  NS  85.95.211.100

I've added _domainkey as an NS record so that it resolves through the server's DNS zone.

The zone foo.it on the cloud server:

$ttl 600

foo.it. IN  SOA vm1613.cs17.providername.it. support.foo.it. (
            1369844294
            600
            600
            600
            600 )
foo.it. IN  NS  vm1613.cs17.providername.it.


201305._domainkey   IN  TXT "v=DKIM1; k=rsa; t=y; p=[long key]"   ; ----- DKIM key 201305 for foo.it

(changed from 201305._domainkey.deebate.it. to 201305._domainkey thanks to @Gnouc)

Now, when I dig with +trace I get:

root@vm1613:~# dig 201305._domainkey.foo.it txt +short +trace
NS a.root-servers.net. from server 8.8.8.8 in 30 ms.
NS b.root-servers.net. from server 8.8.8.8 in 30 ms.
NS c.root-servers.net. from server 8.8.8.8 in 30 ms.
NS d.root-servers.net. from server 8.8.8.8 in 30 ms.
NS e.root-servers.net. from server 8.8.8.8 in 30 ms.
NS f.root-servers.net. from server 8.8.8.8 in 30 ms.
NS g.root-servers.net. from server 8.8.8.8 in 30 ms.
NS h.root-servers.net. from server 8.8.8.8 in 30 ms.
NS i.root-servers.net. from server 8.8.8.8 in 30 ms.
NS j.root-servers.net. from server 8.8.8.8 in 30 ms.
NS k.root-servers.net. from server 8.8.8.8 in 30 ms.
NS l.root-servers.net. from server 8.8.8.8 in 30 ms.
NS m.root-servers.net. from server 8.8.8.8 in 30 ms.
TXT "v=DKIM1\; k=rsa\; t=y\; p=[long key]" from server 85.95.211.100 in 0 ms.
root@vm1613:~#

If I don't use +trace, there are no results (SERVFAIL).

When I test the key, I get:

root@vm1613:~# opendkim-testkey -d foo.it -s 201305 -k /etc/opendkim/201305.private -vvv
opendkim-testkey: key loaded from /etc/opendkim/201305.private
opendkim-testkey: checking key '201305._domainkey.foo.it'
opendkim-testkey: '201305._domainkey.foo.it' unexpected reply class/type (-1/-1)
[Exit 69]
root@vm1613:~#

because (I think) it doesn't resolve as a TXT record but as an A record.

Why is there this difference with +trace?

I was thinking it might be DNS caching, so I let three days pass, but the result is always the same.

apelliciari

1 Answer


201305._domainkey.foo.it. is valid, so long as it has that trailing dot. Redundant info perhaps, but not invalid.

Could it be that your DNS has not propagated fully yet? Or that some of the DNS servers for your domain are serving different info to others? Try running dig against each of the NS servers for your domain in turn, looking at both the SPF record and the SOA record.

It's good practice to have both an SPF record and a TXT record with the same content.

mc0e
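An offline sanity check for the two pieces this thread touches, the DKIM selector TXT record and the _domainkey NS delegation, added here as an example and not part of either post. The sample record is the dig output quoted in the question (with dig's backslash-escaped semicolons) and the NS target is the one from the external zone; both are constructed test inputs.

```python
"""Sanity checks for a DKIM key record and the delegation that serves it."""
import ipaddress

TESTING_FLAG = "y"  # t=y: domain is testing DKIM; verifiers treat failures leniently


def parse_dkim_record(txt):
    """Parse a DKIM key record (RFC 6376 tag=value list) into a dict.

    Accepts the raw dig rendering, which escapes ';' as '\\;' and wraps the
    string in double quotes. Raises ValueError on a malformed record.
    """
    raw = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for field in raw.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"tag without value: {field!r}")
        name, value = (part.strip() for part in field.split("=", 1))
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    # v= is optional, but when present it must be DKIM1 and must come first
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        raise ValueError("v= must be DKIM1 and must be the first tag")
    if "p" not in tags:
        raise ValueError("missing p= public key tag")
    tags.setdefault("k", "rsa")  # RFC 6376 default key type
    # t= is a colon-separated flag list; y marks the domain as testing
    tags["testing"] = TESTING_FLAG in tags.get("t", "").split(":")
    tags["revoked"] = tags["p"] == ""  # empty p= means the key is revoked
    return tags


def delegation_problems(ns_targets):
    """Return problems with the NS records that delegate _domainkey.

    NS RDATA is a host name (RFC 1035), never an address: a registrar panel
    may accept '85.95.211.100', but resolvers then treat it as the host name
    '85.95.211.100.' and cannot find a server for the delegated zone.
    """
    problems = []
    for target in ns_targets:
        try:
            ipaddress.ip_address(target.rstrip("."))
        except ValueError:
            continue  # a normal host name, fine
        problems.append(f"NS target {target!r} is an IP address, not a host name")
    return problems
```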