Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: Smitro on June 05, 2021, 02:55:52 PM

Title: DKIM fails with GMail
Post by: Smitro on June 05, 2021, 02:55:52 PM
Hi all,
I'm trying to get DKIM to work properly. I've tested it with Outlook.com and it passes; if I send an email to Gmail, it shows a DKIM fail.
https://www.mail-tester.com/ gives me a 9.8 score.
This is where the 0.2 is taken off.
-0.1   DKIM_INVALID   DKIM or DK signature exists, but is not valid
-0.1   DKIM_SIGNED   Message has a DKIM or DK signature, not necessarily valid
Further down in the results I do get: "Your DKIM signature is valid"
Full results here: https://www.mail-tester.com/test-462j69tzw
Can anyone help me, is this something common?
Let me know if you need more information.
Title: Re: DKIM fails with GMail
Post by: ReetP on June 05, 2021, 05:29:12 PM
Hmm.... I always get DKIM_SIGNED -1 as I think that is due to the 'relaxed' part.

But mine gives 0.1 DKIM_VALID

So something is a bit off somewhere.

Go back to the start and tell us how you got to this point. All the steps you took.

Title: Re: DKIM fails with GMail
Post by: Smitro on June 10, 2021, 07:51:04 PM
My server version is 9.2
I followed this guide.
https://wiki.koozali.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96
I enabled the signing.
I copied the output of
Code:
qpsmtpd-print-dns <domain name>
into a text file. Made sure lines did not split onto the next row. (text wrap)
I then imported the file into my DNS provider, GoDaddy.
It uploaded without a problem and all records look intact.
Since then I've tried changing the DMARC to
Code:
v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-feedback@[my domain]; pct=100
and removing the t=y off of the DKIM record, to see if it would help.
So far no joy.
Title: Re: DKIM fails with GMail
Post by: Smitro on June 11, 2021, 08:46:16 AM
According to this report, the public and the signature don't match.
https://mxtoolbox.com/deliverability/1d798e2e-77dd-4d10-8dfd-66341826be4a
Is there another way I can verify the config? Should I generate a new cert+key? If so, how?
Title: Re: DKIM fails with GMail
Post by: ReetP on June 11, 2021, 09:18:52 AM
Think you can check the txt records with dig

Plenty of info out there.

I think you have got the key wrong in Godaddy.

Hence:

Quote
Public Key
   The syntax and semantics of this tag value before being encoded in base64 are defined by the (k) tag.
   The value is not in the right format

Title: Re: DKIM fails with GMail
Post by: Jean-Philippe Pialasse on June 11, 2021, 10:17:52 AM
The default generated value is longer than what most DNS providers support.

As a result, you have to separate it into multiple fields if the DNS provider supports it.

If you check a generated value of less than 255 characters, you will see that:
Code:
default._domainkey IN TXT "v=DKIM1;p=CUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUTMEEEEEEEEEEEEEEEEE;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@mydomain.com; pct=100"


As the default key is longer than 255, the result is:
Code:
default._domainkey IN TXT "v=DKIM1;p=CUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUT""MEEEEEEEEEEEEEEEEE;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@mydomain.com; pct=100"
See, the long chain is separated into two smaller ones between " without a newline.
If your DNS provider does not offer plain-text filling of zones, you might need to refer to its documentation on how to split your chain into their fields.
If they do not support long chains, then you need to modify the SME config to create smaller keys, which are weaker.

You might be lucky and your provider allows longer than 255 characters in their field and you simply pasted the whole chain with the "" in the middle; just remove them and it will work.
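
Added example (not part of the thread and not SME Server code): a Python check for the two cases described in the last post, a DKIM record correctly split into separate TXT strings versus one where the "" was pasted into a single field as data. The function names and the sample key value are constructed for illustration; the sample is not a real key.

```python
import base64
import binascii

TXT_STRING_MAX = 255  # RFC 1035: one TXT character-string holds at most 255 octets

# Constructed sample: 294 arbitrary bytes (the size of a 2048-bit RSA public key
# in DER), NOT a real key. Only the record's length and encoding matter here.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_RECORD = "v=DKIM1;p=" + SAMPLE_P + ";t=y"


def split_txt(value, limit=TXT_STRING_MAX):
    """Cut a long TXT value into the <=255-octet strings DNS can carry."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_tags(record):
    """Parse 'v=DKIM1;p=...;t=y' into {tag: value}, dropping whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags


def check_dkim_record(strings):
    """Return (ok, reason) for the TXT strings served at <selector>._domainkey."""
    if any(len(s.encode()) > TXT_STRING_MAX for s in strings):
        return False, "a TXT string is longer than 255 octets"
    # A verifier concatenates the strings with nothing in between (RFC 6376).
    tags = parse_tags("".join(strings))
    if "p" not in tags:
        return False, "no p= tag"
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    return True, "ok"


# Correct publication: two separate strings, as in the second zone listing.
GOOD = split_txt(SAMPLE_RECORD)
# Failure mode from the thread: the quote marks were pasted as data into one
# field, and the provider then split that text into 255-octet strings itself.
BAD = split_txt(SAMPLE_RECORD[:255] + '""' + SAMPLE_RECORD[255:])

if __name__ == "__main__":
    for label, strings in (("good", GOOD), ("bad", BAD)):
        print(label, [len(s) for s in strings], check_dkim_record(strings))
```

To check a live record, pass the individual quoted strings that dig returns for the TXT lookup to check_dkim_record. The check covers only base64 validity of p=, not whether the decoded bytes are the key the server signs with.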