DKIM Just won't validate

I’ve been using MailInABox for a good few years now but never really for important stuff. Now however I need it to run like a proper mailing service and it just won’t.

I have set it up on a new clean VM using Ubuntu 18.04 and MIAB v0.43. Mails get sent and received all right, but every single big provider puts them in Junk/Spam. So I’ve started looking into it, first with MXToolBox then with MailTester and things were all over the place. In a few hours I’ve managed to fix SPF and DMARC but DKIM just won’t work.

My setup isn’t as straightforward and simple so I’m thinking maybe I’m doing something wrong at the DNS level rather than the DKIM config.
I have my main domain “herc.tech”. My mail server (MIAB) and its PTR are at “mail.srv.herc.tech”. All of my other domains have their MX DNS record set at priority 50 and hostname “mail.srv.herc.tech”. I’m using an external BIND DNS Server that I’m managing myself instead of the one provided by MIAB but I have copied all the records as they are shown on the “External DNS” page to no avail.
It’s now been two days that I’ve spent trying to get DKIM to validate properly and all I get is invalid signatures.

My questions are as follows:
Is it right that MIAB tells me to put the exact same DKIM record to all my domains? My “herc.eu” and “herc.tech” and “herc.me” are all supposed to have the same “mail._domainkey.” entries based on the “External DNS” page.
Is there some internal tool (MIAB or Linux) I can use to check the validation works?
Would relying on MIAB’s DNS fix this issue? ( I don’t want to do it but if I have no alternative I will )

I’ve tried using custom key values for the private and public keys on the DKIM config and in the DNS record by modifying DKIM’s KeyTable but somehow it got reset.

Example Record:
IN MX 50 mail.srv.herc.tech.
herc.me. IN TXT "v=spf1 mx -all"
_dmarc.herc.me. IN TXT "v=DMARC1; p=quarantine;"
mail._domainkey.herc.me. IN TXT (
"v=DKIM1; h=sha256; k=rsa; s=mail; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
"MIIBCgKCAQEAzOUjeUB4/hoiWhtaDTMfswQBLqTeNqn7BGhcvPTJQpeiu4DYKlyN"
"tsqypTSb+1fhSamIKaNo129y4xQ1r7EAVs2nXQf9cSxA1QtuEOftXobw37k5RDxkLhJ"
"Xv47wWXMnhZRhxdfbZOreunOMnAHqohT59Lw/2oc7hjGdmVLKwMHVnq63qqYj7c"
"f3XD13joFwUMXQqPdkVY39k9RB7dixMm6ExA6/E/MCnACST3nkeUJxCxafzK733e"
"OtVxwbJIdcshV5O/naa+GA5DQ3AynY8eZn2/YxJWprZuz/GtIhCi28HqptMjbKriesWV"
"a31+YCjkAUZ2LqTs1WnU/zkFBjQQIDAQAB"
)

Any help would be great, thank you!

Hi Herc,

Let’s maybe attack this from a different angle … rather than relying on MiaB DNS as you seemingly would prefer to not go down that path … what if you treated the MiaB as a ‘hidden master’ and used AXFR to send the zone files to your live master?

Anyways … that was just the first obscure thought that came to mind. Let me poke around your DNS and see if I see anything obvious.

Yeah. I am not fond of it either, but that is how MiaB does it.

Ok, so I am seeing that you are serving the dns from the MiaB using BuddyNS as the secondaries. I question how you have done it exactly as when done as per the norm, there is no ns2 at your hostname … can you elaborate? Also is the DNS at a corrected state, or is this where you are getting DKIM errors? iow, have you changed things since your OP? @HercDotMe

Thanks for your help. I am not using MIAB’s DNS. I have my own server that has its own IPs for DNS and that is a small VM with just bind9 on it.

The MIAB box will reply to DNS queries since I couldn’t figure out how to disable the dns server on that box but it is not referenced in my DNS configs and as such no one will ask it anything plus my authority is set to be ns1.srv.herc.tech and ns2.srv.herc.tech for all my domains which, as I said previously, is an entirely different box.

I haven’t done any changes since my first post. DKIM is still not working (I was hoping it might be a DNS propagation issue).

Sorry, I misread DNS when I looked earlier. You have name servers and mail on same third level subdomain and I misread that. … I’ll look again in a couple of hours.

@HercDotMe

Ok, I have had time to look at things a bit and have reached a conclusion.

You are not publishing a valid DKIM key in DNS. The formatting of your post does not make it obvious … but once a dig is done it is obvious as day.

Your DKIM key is two strings … but it appears that you have it broken into several. 5 to be exact. Even my repost of it does not make it obvious. You need to look at it in a terminal.

;; ANSWER SECTION:
mail._domainkey.herc.tech. 3575 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" "zOUjeUB4/hoiWhtaDTMfswQBLqTeNqn7BGhcvPTJQpeiu4DYKlyNtsqypTSb+1fhSamIKaNo129y4xQ1r" "7EAVs2nXQf9cSxA1QtuEOftXobw37k5RDxkLhJXv47wWXMnhZRhxdfbZOreunOMnAHqohT59Lw/2oc7hj" "GdmVLKwMHVnq63qqYj7cf3XD13joFwUMXQqPdkVY39k9RB7dixMm6ExA6/E/MCnACST3nkeUJxCxafzK7" "33eOtVxwbJIdcshV5O/naa+GA5DQ3AynY8eZn2/YxJWprZuz/GtIhCi28HqptMjbKriesWVa31+YCjkAU" "Z2LqTs1WnU/zkFBjQQIDAQAB"

I SHOULD be able to query ns1.mail.srv.herc.tech for the correct DKIM key, but it is timing out.

So, the proper course of action is to redo the entries in the zone files properly. What tool do you use to manage your zone files on your DNS server?

No. There is no ns1.mail.srv.herc.tech. I am NOT using MIAB’s DNS. My name servers are ns1.srv.herc.tech and ns2.srv.herc.tech both hitting a BIND9 box.
My email server, MIAB box, lives at mail.srv.herc.tech.
The record is split into multiple strings because a single record would exceed the 255 char limit on a TXT record and cause my entire DNS server to stop. The way I’ve done it, using parentheses to encapsulate all the strings, means I can have as long a TXT record as I want given that I don’t exceed 255 char in each of those lines. Maybe that’s what’s wrong with it?

Here’s the thing that made me think it’s ok to split it like this: https://help.directadmin.com/item.php?id=552

Exactly.

I understand that … you are not following. NSD on MiaB should always be running and it should always return the values even if it is not the authoritative server. Let me dig it again using a different host…

How are your zone files stored? In a database, or as flat files? That example is for DirectAdmin which is storing the zone files in a database.

There is a format for entering long TXT record entries … it does not use parenthesis.


So let me break it down, I have multiple domains (replace _ with a dot, MIAB’s forum is being weird):
herc_me -> my blog
herc_eu -> my blog again (to be removed soon)
herc_work -> my portfolio
herc_tech -> my consultancy
kilnir_com -> my game’s page

mail.srv.herc.tech -> MIAB box (Won’t answer DNS as it is firewalled) - MailServer
ns1.srv.herc.tech -> BIND9 Box - NameServer
ns2.srv.herc.tech -> Same BIND9 box - NameServer

All of these domains have the same name servers, ns1.srv.herc.tech and ns2.srv.herc.tech served from my BIND9 DNS Box.
All of these domains have the same MX record, mail.srv.herc.tech, where MIAB lives.
I have then multiple accounts and aliases setup in MIAB for each domain.
I can send and receive emails on all my addresses; it is just that when I send them first, not replying to emails, my messages end up in SPAM/Junk. I have then started looking into it and it came up that it’s because DKIM isn’t configured correctly because, as I said before, I managed to get SPF and DMARC to run properly.

My zone files all live in the machine at ns1.srv.herc.tech, they’re files within the BIND9 config directory.
I have tried using a single TXT record to store the DKIM key but as it exceeds 255 characters, BIND9 won’t start or apply the changes to that zone.
More resources on the topic of TXT records:


I’ve done an update and removed the parentheses from the zone, keeping it to multiple strings encapsulated by ", on the same line and separated by spaces.

When going to this checker and putting in herc_me (again, replace _ with dot) and mail as the dkim key, you can see that it returns a single string for DKIM record.

I have then tried checking DKIM using this tool and now it says DKIM is valid!

Thank you so much, it is working now!
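Since the question of "is there a local tool I can use to check the record" came up earlier in the thread, here is an added example (my own code, not part of the thread and not a Mail-in-a-Box tool) that reads a DKIM TXT record the way a verifier does and reports the problems a verifier would trip over. It reassembles the character-strings by concatenation as RFC 6376 section 3.6.2.2 requires, parses the tag list, decodes the p= key far enough to report the RSA modulus size and exponent, checks the s= service-type tag against the RFC rule (a verifier ignores the record for mail unless s= lists email or *), and renders a long value as a one-line zone record of quoted strings no longer than 255 characters, which is the form that worked at the end of the thread. It runs offline: the two sample records are the ones copied from the thread above (the original zone-file version, which carries s=mail, and the dig output, which carries s=email); nothing is queried over the network.

```python
"""Offline checker for a DKIM TXT record (added example, standard library only).

Inputs are the two copies of the record quoted in the thread; nothing is
resolved over DNS. Run the file to print a report for both copies.
"""
import base64

# Sample 1: the strings as written in the original zone file (s=mail).
ZONE_STRINGS = [
    "v=DKIM1; h=sha256; k=rsa; s=mail; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "MIIBCgKCAQEAzOUjeUB4/hoiWhtaDTMfswQBLqTeNqn7BGhcvPTJQpeiu4DYKlyN",
    "tsqypTSb+1fhSamIKaNo129y4xQ1r7EAVs2nXQf9cSxA1QtuEOftXobw37k5RDxkLhJ",
    "Xv47wWXMnhZRhxdfbZOreunOMnAHqohT59Lw/2oc7hjGdmVLKwMHVnq63qqYj7c",
    "f3XD13joFwUMXQqPdkVY39k9RB7dixMm6ExA6/E/MCnACST3nkeUJxCxafzK733e",
    "OtVxwbJIdcshV5O/naa+GA5DQ3AynY8eZn2/YxJWprZuz/GtIhCi28HqptMjbKriesWV",
    "a31+YCjkAUZ2LqTs1WnU/zkFBjQQIDAQAB",
]

# Sample 2: the strings as returned by dig later in the thread (s=email).
DIG_STRINGS = [
    "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    "zOUjeUB4/hoiWhtaDTMfswQBLqTeNqn7BGhcvPTJQpeiu4DYKlyNtsqypTSb+1fhSamIKaNo129y4xQ1r",
    "7EAVs2nXQf9cSxA1QtuEOftXobw37k5RDxkLhJXv47wWXMnhZRhxdfbZOreunOMnAHqohT59Lw/2oc7hj",
    "GdmVLKwMHVnq63qqYj7cf3XD13joFwUMXQqPdkVY39k9RB7dixMm6ExA6/E/MCnACST3nkeUJxCxafzK7",
    "33eOtVxwbJIdcshV5O/naa+GA5DQ3AynY8eZn2/YxJWprZuz/GtIhCi28HqptMjbKriesWVa31+YCjkAU",
    "Z2LqTs1WnU/zkFBjQQIDAQAB",
]


def join_txt_strings(strings):
    """RFC 6376 s.3.6.2.2: the character-strings of the TXT RR are concatenated
    with no separator before the tag list is parsed."""
    return "".join(strings)


def parse_tags(record):
    """Parse 'tag=value; tag=value' into a dict; whitespace inside values is
    ignored, as DKIM's tag-list grammar allows."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def _tlv(buf, off):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def rsa_key_params(spki):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo,
    the encoding DKIM uses for p=. Raises on anything that is not RSA SPKI."""
    tag, body, _ = _tlv(spki, 0)                 # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, off = _tlv(body, 0)                 # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _tlv(body, off)             # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = _tlv(bitstr[1:], 0)           # skip the unused-bits byte
    tag, modulus, off = _tlv(rsapub, 0)          # INTEGER n
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    _, exponent, _ = _tlv(rsapub, off)           # INTEGER e
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def inspect_dkim_record(strings):
    """Report tags, key size and the problems a verifier would raise."""
    problems = []
    tags = parse_tags(join_txt_strings(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s: only rsa is handled here" % tags["k"])
    services = tags.get("s", "*").split(":")     # RFC 6376 s.3.6.1 service type
    if "email" not in services and "*" not in services:
        problems.append("s=%s: verifiers ignore this record for email unless "
                        "s= lists email or *" % tags["s"])
    bits = exponent = None
    try:
        bits, exponent = rsa_key_params(base64.b64decode(tags.get("p", ""), validate=True))
    except Exception as exc:                     # bad base64, truncated or non-RSA DER
        problems.append("p= does not decode to an RSA public key: %s" % exc)
    return {"tags": tags, "key_bits": bits, "exponent": exponent, "problems": problems}


def zone_txt_chunks(value, limit=255):
    """Split a TXT value into <=limit-character strings (the DNS wire limit per
    character-string). The DKIM value has no quotes or backslashes to escape."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_txt_rr(owner, value, limit=255):
    """One-line zone record with several quoted strings, no parentheses needed."""
    return "%s IN TXT %s" % (owner, " ".join('"%s"' % c for c in zone_txt_chunks(value, limit)))


if __name__ == "__main__":
    for label, strings in (("zone file copy", ZONE_STRINGS), ("dig copy", DIG_STRINGS)):
        report = inspect_dkim_record(strings)
        print(label, "key bits:", report["key_bits"], "e:", report["exponent"])
        print("  problems:", report["problems"] or "none")
    print(zone_txt_rr("mail._domainkey.herc.me.", join_txt_strings(DIG_STRINGS)))
```

Both copies of the record carry the same 2048-bit key, so the checker's only complaint is about the zone-file copy's s=mail tag; the dig copy passes cleanly. To check a live record, replace the sample lists with the strings returned by `dig +short TXT mail._domainkey.example.com` (a hypothetical name here) and feed them to `inspect_dkim_record`.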

Yay! Glad to hear!

Again, sorry for the confusions.
