LinuxQuestions.org
Old 05-29-2020, 10:53 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Rep: Reputation: 177Reputation: 177
Having DKIM INVALID troubles, #2


I'm reposting this thread as the previous one was apparently too old for interest.

I have set up a DKIM TXT record at network solutions which is, in part:
Code:
Host      Domain Name  TTL  Text
@ (None)  ohprs.org   1700 "v=DKIM1; k=rsa; p=MIGfMA0GCSqG ..."
I have verified with network solutions that the format of this TXT record is correct (but is it?). Doing a 'nslookup -type=TXT ohprs.org' does find the DKIM record.

I have configured opendkim.conf as:
Code:
Syslog                  yes
SyslogSuccess           yes

Canonicalization        relaxed/simple

Domain                  ohprs.org
Selector                hprsmail
KeyFile /etc/opendkim/hprsmail.private

Socket                  inet:8891@localhost

ReportAddress           sysadmin@ohprs.org
SendReports             yes

UserID opendkim:opendkim
opendkim is running in daemon mode.

There are no dkim messages in syslog or messages.

dkim is configured in sendmail:
Code:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Using mxtoolbox.com, I've tried to validate this DKIM record using domain ohprs.org and selector hprsmail. It comes back with "DKIM Record Published, No DKIM Record found". Further details at mxtoolbox.com say,
Code:
Missing or Invalid Record

DKIM Records are published via DNS as a text(TXT) record using your selector. They should be published at:

selector._domainkey.domain.com
I have several hosts for which I'm trying to set up DKIM. All fail to verify with mxtoolbox.com and email headers also show DKIM failure. So, I'm pretty consistently doing something wrong. I've been trying things for months; now time to turn to the LQ experts for advice.

I've experimented with using hprsmail._domainkey.ohprs.org in place of the "@(None)" Host designation at networksolutions, but that hasn't worked. For one thing, I'm not sure what "_domainkey" is supposed to be. Is that literally "_domainkey"? If it is supposed to be substituted for something, what? For another thing, I'm not even sure the Host parameter is where that would go.

What am I doing wrong?
 
Old 05-31-2020, 04:14 PM   #2
Rawcous
Member
 
Registered: Jan 2014
Location: Farnborough, Hampshire - UK
Distribution: SCO UNIX -> Fedora (Core) -> CentOS -> RedHat
Posts: 128

Rep: Reputation: 48
Hello "Mfoley",

This is the first time I have attempted to assist on here for some time but I will do my best - I set up DMARC / DKIM for my domain literally a month or so ago so fingers crossed that my settings will work for you also.

Re:
Code:
 
Host      Domain Name  TTL  Text
@ (None)  ohprs.org   1700 "v=DKIM1; k=rsa; p=MIGfMA0GCSqG ..."
Via my DNS host I have the following:

Code:
Type         Text
Subdomain    default._domainkey
Domain       YourDomain.com
Destination  v=DKIM1; k=rsa; p=MIGfMA0GCSqG ...
TTL          Set To Default Value
I am wondering if you are having issues because of a lack of a "subdomain" value above - if not then see the following for a copy of my opendkim.conf file.

Code:
PidFile	/var/run/opendkim/opendkim.pid

Mode	sv

Syslog	yes

SyslogSuccess	yes

LogWhy	yes

UserID	opendkim:opendkim

Socket	inet:8891@localhost

Umask	002

Domain	YourDomain.com

Selector	default

KeyTable	refile:/etc/opendkim/KeyTable

SigningTable	refile:/etc/opendkim/SigningTable

ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts

InternalHosts	refile:/etc/opendkim/TrustedHosts

OversignHeaders	From
In addition via /etc/opendkim/TrustedHosts:

Code:
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
192.168.1.0/24
Yourdomain.com
Essentially any IPs or hosts added above refer to trusted devices on the network that will be sending mail.

And /etc/opendkim/KeyTable:

Code:
default._domainkey.YourDomain.com YourDomain.com:default:/etc/opendkim/keys/YourDomain.com/default.private
It is very important to note that the value default._domainkey in the file /etc/opendkim/KeyTable above matches the entry via your DNS host i.e. Subdomain default._domainkey

Regards,

Rawcous
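
The naming rule discussed in posts #1 and #2, as an added example that is not part of the thread: it builds the DNS name a verifier queries from a selector and domain (or from the `domain:selector:path` field of a KeyTable line) and sanity-checks the text of a key record. The function names and the `p=` value are constructed for illustration.

```bash
# Added example, not from the thread. The p= value below is constructed.

# Name a verifier looks up: <selector>._domainkey.<domain>
# ("_domainkey" is a fixed, literal label defined by RFC 6376).
dkim_qname() {
    printf '%s._domainkey.%s\n' "$1" "$2"
}

# Same name, derived from one OpenDKIM KeyTable line:
#   <keyname> <domain>:<selector>:<private-key-path>
keytable_qname() (
    set -f              # no globbing while the line is split into words
    set -- $1           # $1 = key name, $2 = domain:selector:path
    rest=${2#*:}
    dkim_qname "${rest%%:*}" "${2%%:*}"
)

# dkim_tag <name> <record>: value of one tag from a "tag=value; ..." record
dkim_tag() {
    printf '%s' "$2" | tr -d ' \t"' | tr ';' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Sanity-check a key record's text; prints "ok" or the first problem found.
dkim_txt_check() (
    v=$(dkim_tag v "$1"); k=$(dkim_tag k "$1"); p=$(dkim_tag p "$1")
    [ "${v:-DKIM1}" = DKIM1 ] || { echo "bad v= tag: $v"; return 1; }
    case ${k:-rsa} in rsa|ed25519) ;; *) echo "unknown k= tag: $k"; return 1 ;; esac
    [ -n "$p" ] || { echo "p= is empty or missing"; return 1; }
    case $p in *[!A-Za-z0-9+/=]*) echo "p= is not base64"; return 1 ;; esac
    echo ok
)

dkim_qname hprsmail ohprs.org      # selector and domain from post #1
dkim_txt_check 'v=DKIM1; k=rsa; p=QUJDRA=='
# Live lookup, same tool as in post #1:
#   nslookup -type=TXT "$(dkim_qname hprsmail ohprs.org)"
```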
 
Old 06-02-2020, 11:11 PM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Original Poster
Rep: Reputation: 177Reputation: 177
Rawcous: Thanks for that feedback. The first thing I've done is change my Host @ (none) to hprsmail._domainkey following your example. My opendkim.conf has "hprsmail" as the selector whereas you have "default". I'm assuming the "._domainkey" bit is literal in this case. I'll check tomorrow (after propagation) to see if this does anything.

In my opendkim.conf I did not have "Mode sv" as you do, but the man page says that's the default, so I haven't (yet) added that. I did add "logWhy yes".

I do not have the KeyTable file as you do. I have the KeyFile parameter instead. The man page specifies either a KeyFile or a KeyTable. I'll see how things go with the current KeyFile parameter -- no sense changing too many variables at once!

Nor do I have "InternalHosts" pointing to a file, but I do have it listing comma separated hosts and subnets -- although that is commented out at the moment. Again, trying to not change too much at once.

Thanks and I'll post back with results.
 
Old 06-09-2020, 11:35 AM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Original Poster
Rep: Reputation: 177Reputation: 177
A bit late getting back to this thread, but the office Internet was down all weekend due to outside construction.

Anyway, it appears that changing the Host setting to hprsmail._domainkey worked! Now https://mxtoolbox.com shows the DKIM lookup for ohprs.org:hprsmail as VALID. I'm going to run some more tests to verify that the email headers show this as being valid, but confidence is high! Thanks for your advice.
 
Old 06-09-2020, 12:10 PM   #5
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Original Poster
Rep: Reputation: 177Reputation: 177
After checking email headers, it looks like there is still a problem. Since mxtoolbox.com said the DKIM lookup was valid, perhaps this is now something related to Sendmail or permissions. Here's the relevant line in an email header sent from ohprs.org to novatec-inc.com:
Code:
Authentication-Results: server.novatec-inc.com;
        dkim=fail reason="signature verification failed" (1024-bit key) header.d=ohprs.org header.i=@ohprs.org header.b=PL6it57U
/var/log/debug has:
Code:
Jun  9 13:01:28 mail opendkim[8334]: 059H1R4j029018: no signature data
/etc/opendkim/hprsmail.private exists:
Code:
ls -l /etc/opendkim/
-rw------- 1 root root      887 2019-02-14 19:58 hprsmail.private
DKIM is running as user opendkim and the milter is configured in sendmail:
Code:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Why is DKIM failing? Why "no signature data"? Does user dkim need read permission on hprsmail.private?

The actual server's FQDN is mail.ohprs.org. Does that matter?

This message was sent from root with -r noreply. I sent another from a normal user and there is no DKIM info in the header at all!

So confusing!

Last edited by mfoley; 06-09-2020 at 12:19 PM.
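
One way to test the permission question raised in post #5, as an added example that is not part of the thread: it reads `UserID` and `KeyFile` from opendkim.conf and applies the standard Unix owner/group/other rule to the key file. It assumes GNU `stat`, the function names are made up for illustration, and it only tests file access for that account, not the point at which OpenDKIM opens the key.

```bash
# Added example, not from the thread. Assumes GNU stat and one
# "Name value" setting per line, as in the opendkim.conf posts above.

# conf_value <Name> <file>: first value given for a setting
conf_value() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# may_read <owner> <group> <octal-mode> <user> [groups of user...]
# Unix applies exactly one class: owner, else group, else other.
may_read() (
    owner=$1 group=$2 mode=$((0$3)) user=$4
    shift 4
    if [ "$user" = root ]; then return 0; fi
    if [ "$user" = "$owner" ]; then [ $((mode & 0400)) -ne 0 ]; return; fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then [ $((mode & 0040)) -ne 0 ]; return; fi
    done
    [ $((mode & 0004)) -ne 0 ]
)

# keyfile_readable <opendkim.conf>: may the UserID account read KeyFile?
# Returns 0 = yes, 1 = no, 2 = KeyFile missing or cannot be inspected.
keyfile_readable() (
    key=$(conf_value KeyFile "$1")
    user=$(conf_value UserID "$1"); user=${user%%:*}   # "user:group" -> user
    st=$(stat -c '%U %G %a' "$key" 2>/dev/null) || return 2
    set -- $st
    may_read "$1" "$2" "$3" "$user" $(id -Gn "$user" 2>/dev/null)
)

# Owner, group and mode from the ls -l output in post #5, UserID from post #1:
if may_read root root 600 opendkim opendkim; then
    echo "readable"
else
    echo "not readable by opendkim"
fi
```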
 
Old 06-23-2020, 11:42 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Original Poster
Rep: Reputation: 177Reputation: 177
No ideas on this, eh?
 
  

