-1

I'm trying to set up DKIM for my server but there seems to be some problem with the DNS. I am using a Windows server and Plesk for the administration, my mail server is MailEnable standard and for my signature I use DkeyEvent. My emails are signed, which can be observed in the port25.com check email, but when they try to check my DNS for the TXT keys, they cannot be found.

MY DNS SETUP IMAGE

This is the result I get when I try the port25.com check utility.

This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   permerror
DKIM check:         permerror
Sender-ID check:    neutral
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.metodovitalus.com
Source IP:      81.169.243.142
mail-from:      soporte@metodovitalus.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: None)
ID(s) verified: smtp.mailfrom=soporte@metodovitalus.com
DNS record(s):
    metodovitalus.com. SPF (no records)
    metodovitalus.com. TXT (no records)

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         permerror (DK_STAT_NOKEY: No public key available (permanent failure)
ID(s) verified: )
DNS record(s):
    soporte._domainkey.metodovitalus.com. TXT (no records)

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         permerror (no usable key records)
ID(s) verified: 
Canonicalized Headers:
    domainkey-signature:a=rsa-sha1;'20'q=dns;'20's=soporte;'20'd=metodovitalus.com;'20'c=nofws;'20'h=Received:Date:Message-ID:From:To:Subject:User-Agent:Content-Ty'20'pe:MIME-Version:Content-Disposition;'20'b=rnVOhfBdBkoGyx9jiBO5ZtL+IrQWPm+rXr'20'BRg+9LQUeExIQFDycKx8PWwSuBaWw+8VTqNGx+G0mCJnHaqoBV3Ztaoc+2SP5DLbWX4+a+01M'20'tbSzEyEnTnRDXru2lt3ex;'0D''0A'
    date:Fri,'20'04'20'Dec'20'2015'20'13:09:02'20'+0000'0D''0A'
    message-id:<20151204130902.Horde.0-5NDjKuirUbm3QYBIH_s5w@webmail.metodovitalus.com>'0D''0A'
    from:soporte@metodovitalus.com'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    subject:tes'0D''0A'
    user-agent:Horde'20'Application'20'Framework'20'5'0D''0A'
    content-type:text/plain;'20'charset=utf-8;'20'format=flowed;'20'DelSp=Yes'0D''0A'
    mime-version:1.0'0D''0A'
    content-disposition:inline'0D''0A'
    dkim-signature:v=1;'20't=1449234543;'20'a=rsa-sha1;'20'q=dns/txt;'20's=soporte;'20'd=metodovitalus.com;'20'i=soporte@metodovitalus.com;'20'c=relaxed/simple;'20'bh=Rn'20'cHNkkRgpHaoq2sZDSLD5ey4Pc=;'20'h=DomainKey-Signature:Date:Message-ID:From:'20'To:Subject:User-Agent:Content-Type:MIME-Version:Content-Disposition;'20'b=

Canonicalized Body:
    '0D''0A'
    test'0D''0A'


DNS record(s):
    soporte._domainkey.metodovitalus.com. TXT (no records)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: None)
ID(s) verified: header.From=soporte@metodovitalus.com
DNS record(s):
    metodovitalus.com. SPF (no records)
    metodovitalus.com. TXT (no records)

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result:         ham  (-1.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 BODY_SINGLE_WORD       Message body is only one word (no spaces)

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: <soporte@metodovitalus.com>
Received: from mail.metodovitalus.com (81.169.243.142) by verifier.port25.com id hc687420i3gj for <check-auth@verifier.port25.com>; Fri, 4 Dec 2015 08:09:06 -0500 (envelope-from <soporte@metodovitalus.com>)
Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None) smtp.mailfrom=soporte@metodovitalus.com
Authentication-Results: verifier.port25.com; domainkeys=permerror (DK_STAT_NOKEY: No public key available (permanent failure)) header.From=soporte@metodovitalus.com
Authentication-Results: verifier.port25.com; dkim=permerror (no usable key records) 
Authentication-Results: verifier.port25.com; sender-id=neutral (SPF-Result: None) header.From=soporte@metodovitalus.com
DKIM-Signature: v=1; t=1449234543; a=rsa-sha1; q=dns/txt; s=soporte;
  d=metodovitalus.com; i=soporte@metodovitalus.com; c=relaxed/simple; bh=Rn
  cHNkkRgpHaoq2sZDSLD5ey4Pc=; h=DomainKey-Signature:Date:Message-ID:From:
  To:Subject:User-Agent:Content-Type:MIME-Version:Content-Disposition;
  b=PDElxguhKpGUcDjKe7mlYvugpQj33fbafWIp3/VRHzZRG4SoqJK7RqRh/2CVLyyVtLL88sY
  ZvA/ZcI9FWfWs3eGWPgWlf0sQsX+jXh9OtADsMzF6JI+3/d/x75wIYRYr
DomainKey-Signature: a=rsa-sha1; q=dns; s=soporte; d=metodovitalus.com;
  c=nofws; h=Received:Date:Message-ID:From:To:Subject:User-Agent:Content-Ty
  pe:MIME-Version:Content-Disposition; b=rnVOhfBdBkoGyx9jiBO5ZtL+IrQWPm+rXr
  BRg+9LQUeExIQFDycKx8PWwSuBaWw+8VTqNGx+G0mCJnHaqoBV3Ztaoc+2SP5DLbWX4+a+01M
  tbSzEyEnTnRDXru2lt3ex;
Received: from localhost ([127.0.0.1]) by home with MailEnable ESMTP; Fri, 4 Dec 2015 14:09:02 +0100
Received: from 84.127.223.103 ([84.127.223.103]) by
 webmail.metodovitalus.com (Horde Framework) with HTTP; Fri, 04 Dec 2015
 13:09:02 +0000
Date: Fri, 04 Dec 2015 13:09:02 +0000
Message-ID: <20151204130902.Horde.0-5NDjKuirUbm3QYBIH_s5w@webmail.metodovitalus.com>
From: soporte@metodovitalus.com
To: check-auth@verifier.port25.com
Subject: tes
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline


test

So if I use dig to check the results we have this; this way I can check my DNS entries and we can see the domainkey:

$ dig soporte._domainkey.metodovitalus.com TXT @ns1.metodovitalus.com

; <<>> DiG 9.8.5-P1 <<>> soporte._domainkey.metodovitalus.com TXT @ns1.metodovitalus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33529
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;soporte._domainkey.metodovitalus.com. IN TXT

;; ANSWER SECTION:
soporte._domainkey.metodovitalus.com. 86400 IN TXT "p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALZZsTIN8w5aUNPveTYvdSOeMOmcS93tMnSfangO4Dgv4PiTW0Qyq+x/NocNIukhElVbCsMeWTFPXDnizSkUD//2FG7S7RvPN97Fcy6eAAtxNtTXvvIbFDY+Ieizlnf0RwIDAQAB"

;; Query time: 66 msec
;; SERVER: 81.169.243.142#53(81.169.243.142)
;; WHEN: Fri Dec 04 14:40:03 CET 2015
;; MSG SIZE  rcvd: 237

But when I execute this one, when I try to check the domainkey this way, I get this message:

$ dig soporte_domainkey.metodovitalus.com TXT

; <<>> DiG 9.8.5-P1 <<>> soporte_domainkey.metodovitalus.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39370
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;soporte_domainkey.metodovitalus.com. IN    TXT

;; AUTHORITY SECTION:
metodovitalus.com.  1257    IN  SOA ns.stratoserver.net. hostmaster.stratoserver.net. 2015111024 10000 3000 604800 1800

;; Query time: 37 msec
;; SERVER: 62.81.16.164#53(62.81.16.164)
;; WHEN: Fri Dec 04 14:37:37 CET 2015
;; MSG SIZE  rcvd: 119

Thank you.

Nikomac

1 Answer

1

The listed nameservers for your domain are

[me@risby financial]$ whois metodovitalus.com
[Querying whois.verisign-grs.com]
[Redirected to whois.cronon.net]
[Querying whois.cronon.net]
[whois.cronon.net]
...
Name Server: ns.stratoserver.net
Name Server: ns2.stratoserver.net

Neither of these is the nameserver you're querying above:

[me@risby financial]$ dig ns.stratoserver.net
;; ANSWER SECTION:
ns.stratoserver.net.    1746    IN      A       81.169.163.40
[me@risby financial]$ dig ns2.stratoserver.net
;; ANSWER SECTION:
ns2.stratoserver.net.   1741    IN      A       81.169.148.41
[me@risby financial]$ dig ns1.metodovitalus.com
;; ANSWER SECTION:
ns1.metodovitalus.com.  1732    IN      A       81.169.243.142

So it looks to me like you're publishing your records on the wrong nameserver. Fix your listed servers via your registrar, or put your zone on the listed nameservers.

MadHatter
  • Sorry for my late response. The problem was with my VPS/domain provider. In the end I couldn't edit those DNS records because my provider had them locked; I had to get another domain package where I had more options. – Nikomac Feb 29 '16 at 15:10
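
The check the answer describes, as an added example that is not part of the original posts: derive the key name a verifier will look up from the DKIM-Signature tags, then classify a dig response by whether it came from one of the domain's delegated nameservers. The function names are hypothetical, the addresses and names are the ones shown on this page, and the key value in the sample is a placeholder.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Sample data is a shortened
# copy of the dig output in the question with the key replaced.

# Build "<selector>._domainkey.<domain>" from a DKIM-Signature header value.
dkim_qname() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr ';' '\n' | awk -F= '
        $1 == "s" { s = $2 }
        $1 == "d" { d = $2 }
        END { if (s == "" || d == "") exit 1; print s "._domainkey." d }'
}

# Print the responding server IP from dig's ";; SERVER: ip#53(ip)" line.
dig_server() { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }

# Succeed if the dig output on stdin holds a TXT answer for name $1.
has_txt() {
    awk -v q="$1." '!/^;/ && tolower($1) == tolower(q) && $4 == "TXT" { ok = 1 }
        END { exit !ok }'
}

# check_publication QNAME "DELEGATED_NS_IPS" < dig-output
# Prints: visible | wrong-server | missing
check_publication() {
    out=$(cat)
    srv=$(printf '%s\n' "$out" | dig_server)
    if ! printf '%s\n' "$out" | has_txt "$1"; then echo missing; return 0; fi
    for ip in $2; do
        if [ "$ip" = "$srv" ]; then echo visible; return 0; fi
    done
    echo wrong-server
}

# Values taken from the question and answer on this page.
SIG='v=1; a=rsa-sha1; q=dns/txt; s=soporte; d=metodovitalus.com; c=relaxed/simple'
DELEGATED='81.169.163.40 81.169.148.41'   # ns / ns2.stratoserver.net
SAMPLE_DIG=';; ANSWER SECTION:
soporte._domainkey.metodovitalus.com. 86400 IN TXT "p=PLACEHOLDER"
;; SERVER: 81.169.243.142#53(81.169.243.142)'

q=$(dkim_qname "$SIG")
printf '%s: %s\n' "$q" \
    "$(printf '%s\n' "$SAMPLE_DIG" | check_publication "$q" "$DELEGATED")"
# Live use: dig +norecurse TXT "$q" @ns.stratoserver.net | check_publication "$q" "$DELEGATED"
```

A `wrong-server` verdict means the record exists but only on a server that outside verifiers are never referred to; `missing` on a delegated server is what the port25 report shows as "no records".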