Koozali.org: home of the SME Server

DKIM fails with GMail

Smitro
DKIM fails with GMail
« on: June 05, 2021, 02:55:52 PM »
Hi all,
I'm trying to get DKIM to work properly. I've tested it with Outlook.com and it passes; if I send an email to Gmail, it shows a DKIM fail.
https://www.mail-tester.com/ gives me a 9.8 score.
This is where the 0.2 is taken off.
-0.1   DKIM_INVALID   DKIM or DK signature exists, but is not valid
-0.1   DKIM_SIGNED   Message has a DKIM or DK signature, not necessarily valid
Further down in the results I do get: "Your DKIM signature is valid"
Full results here: https://www.mail-tester.com/test-462j69tzw
Can anyone help me, is this something common?
Let me know if you need more information.

ReetP
Re: DKIM fails with GMail
« Reply #1 on: June 05, 2021, 05:29:12 PM »
Hmm.... I always get DKIM_SIGNED -1 as I think that is due to the 'relaxed' part.

But mine gives 0.1 DKIM_VALID

So something is a bit off somewhere.

Go back to the start and tell us how you got to this point. All the steps you took.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Smitro
Re: DKIM fails with GMail
« Reply #2 on: June 10, 2021, 07:51:04 PM »
My server version is 9.2
I followed this guide.
https://wiki.koozali.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96
I enabled the signing.
I copied the output of
Code:
qpsmtpd-print-dns <domain name>
into a text file. Made sure lines did not split onto the next row (text wrap).
I then imported the file into my DNS provider, GoDaddy.
It uploaded without a problem and all records look intact.
Since then I've tried changing the DMARC to
Code:
v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-feedback@[my domain]; pct=100
and removing the t=y off of the DKIM record, to see if it would help.
So far no joy.

Smitro
Re: DKIM fails with GMail
« Reply #3 on: June 11, 2021, 08:46:16 AM »
According to this report, the public and the signature don't match.
https://mxtoolbox.com/deliverability/1d798e2e-77dd-4d10-8dfd-66341826be4a
Is there another way I can verify the config? Should I generate a new cert+key? If so, how?

ReetP
Re: DKIM fails with GMail
« Reply #4 on: June 11, 2021, 09:18:52 AM »
Think you can check the txt records with dig

Plenty of info out there.

I think you have got the key wrong in GoDaddy.

Hence:

Quote
Public Key
   The syntax and semantics of this tag value before being encoded in base64 are defined by the (k) tag.
   The value is not in the right format


Jean-Philippe Pialasse (aka Unnilennium)
Re: DKIM fails with GMail
« Reply #5 on: June 11, 2021, 10:17:52 AM »
The default generated value is longer than what most DNS providers support.

As a result, you have to separate it into multiple fields if the DNS provider supports it.

If you check a generated value of less than 255 characters, you will see that:
Code:
default._domainkey IN TXT "v=DKIM1;p=CUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUTMEEEEEEEEEEEEEEEEE;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@mydomain.com; pct=100"


As the default key is longer than 255, the result is:
Code:
default._domainkey IN TXT "v=DKIM1;p=CUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUT""MEEEEEEEEEEEEEEEEE;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@mydomain.com; pct=100"
See, the long chain is separated into two smaller ones between " without a newline.
If your DNS provider does not offer plain-text filling of zones, you might need to refer to its documentation on how to split your chain into their fields.
If they do not support long chains, then you need to modify the SME config to create smaller keys, which are weaker.

You might be lucky and your provider allows longer than 255 characters in their field and you simply pasted the whole chain with the "" in the middle; just remove them and it will work.
« Last Edit: June 11, 2021, 10:23:22 AM by Jean-Philippe Pialasse »
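
An added example, not part of the original thread and not SME Server or qpsmtpd code: a Python check for the failure modes described in the reply above (a record longer than 255 characters that was truncated, or pasted with the literal "" separator left inside the key). The function names are hypothetical and SAMPLE_KEY is a constructed placeholder of RSA-2048 length, not a real key.

```python
import base64
import binascii
import re

MAX_TXT_STRING = 255  # one DNS TXT character-string carries at most 255 bytes

# Constructed placeholder: 294 bytes (the size of an RSA-2048 public key in DER),
# which base64-encodes to 392 characters. It is NOT a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def split_txt(value, limit=MAX_TXT_STRING):
    """Split a long TXT value into chunks that each fit one character-string."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def check_dkim_record(strings):
    """Check a DKIM key record given the TXT strings as DNS returns them.

    Returns a list of problems; an empty list means the record parses.
    """
    # A verifier concatenates the strings of one TXT record with no separator.
    record = "".join(strings)
    problems = []
    if '"' in record:
        problems.append("literal quote inside the record (pasted chunk separator?)")
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if not key:
        problems.append("p= missing or empty")
    else:
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    record = "v=DKIM1;p=" + SAMPLE_KEY + ";t=y"
    print(check_dkim_record(split_txt(record)))                   # correctly split
    print(check_dkim_record([record[:255] + '""' + record[255:]]))  # "" pasted literally
```

To check a live record, pass in the quoted strings from the answer section of `dig TXT default._domainkey.<domain name>`, one list element per quoted string.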