DKIM-Signature header exists but is not valid


#1

I’m using my MiaB as my DNS, and under “External DNS” I see the following TXT record for mail._domainkey.userfrosting.com:

v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ltRGcNK7DsjtqQcb7Jt1a1GOsSgOGPiL6bfuxsTwxa7gxMr+a/S1tvK8ss7DlKtDbjhQ/p83/Sonpf6A8imFe8kmN6yriwEDQBWxCK5h5tuZ6jZeh4SfTua1p+wUF1G7H/5Pf1VJCsvK0IeNx1N9UpZ9ztRp4aXJKBIwXtICaK+JKstsUvJTvhYDmTswbtCl9Vuz+nWecdnb1yEIOwN/MEgg3fCte1pjdLZxZej7Pea1b5MQpMxQ5xGcsRKRj0IJZdg8vmNMpdzDetE0BIYVWkjY0RO16tMH47AKs5IGjKnO6GmOxmhk7fICPDiIBxRxgcODMvMHeJ/n5iurdHHoQIDAQAB

I believe that MiaB automatically created this when I added the domain. Unfortunately, this seems to be getting rejected for DKIM validation by multiple different servers:

Gmail:

Authentication-Results: mx.google.com;
       spf=neutral (google.com: xxx.xxx.xxx.xxx is neither permitted nor denied by best guess record for domain of kerrigan@userfrosting.com) smtp.mailfrom=kerrigan@userfrosting.com;
       dkim=temperror (no key for signature) header.i=@userfrosting.com
Received-SPF: neutral (google.com: xxx.xxx.xxx.xxx is neither permitted nor denied by best guess record for domain of kerrigan@userfrosting.com) client-ip=xxx.xxx.xxx.xxx;

dkimvalidator.com:

Public Key DNS Lookup
Building DNS Query for mail._domainkey.userfrosting.com
Retrieved this publickey from DNS: 
Validating Signature
result = invalid
Details: public key: not available

dkimcore.org:

DKIM Record for mail._domainkey.userfrosting.com
This is not a good DKIM key record. You should fix the errors shown in red.

DNS query failed for ‘mail._domainkey.userfrosting.com’:NXDOMAIN

A public-key (p=) is required

What’s going on here?


How to Define a DMARC Record with Custom Records for MIAB?
How to Define DKIM with Custom Records for MIAB?
#2

Apparently I was not using MiaB as my DNS provider after all. It turns out that I had created records for userfrosting.com in my MiaB, but in fact my registrar is set up to use my registrar’s DNS.

I have tried adding the DKIM record directly in my registrar’s DNS editor, but it would appear that they do not support 2048-bit public keys (which is what MiaB generates). So, I’ll need to either generate a 1024-bit key manually on my mail server, or migrate all my DNS records and use MiaB for this domain as well.

Either way, it’s going to be a pain in the butt…


#3

Actually, does MIAB generate 2048-bit DKIM keys? How would I be able to verify this?


#4

I was able to verify that my DKIM key is indeed 2048 bits. See this gist, which explains how to use openssl to decode your public key.

So, Namecheap (my DNS for this domain) will not currently support 2048-bit keys.


#5

Alright, I was able to generate a 1024-bit DKIM key on my MiaB server! Here’s how:

Creating the key

SSH into your MiaB server and go into your /etc/opendkim/ directory:

cd /etc/opendkim

Create a directory for your new key:

sudo mkdir keys && cd keys
sudo mkdir example.com && cd example.com

(Obviously, replace example.com with your domain)

Generate the new public/private key pair:

sudo opendkim-genkey --bits=1024 -s mail -d example.com

Notice that we’ve used the --bits flag to specify that we want a 1024-bit key! The -s tells us the “selector” to use, which is basically like a subdomain specially used by DKIM. I believe the convention is to just set this to mail. -d specifies our domain (again, replace with your domain).

This should create two files, mail.private and mail.txt in the directory.

Next, we need to update opendkim’s KeyTable to point to the private key, mail.private. Simply go back into your opendkim directory and edit the KeyTable file:

cd /etc/opendkim
sudo nano KeyTable

Each line in this file maps a domain to a path that contains the private key for that domain’s DKIM. Look for your domain. If it’s already there, update it, otherwise, create a new mapping. The mapping should look like:

example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

As you can see, this tells DKIM the location of the private key we just generated.

Now, we need to restart postfix and opendkim:

sudo service postfix restart
sudo service opendkim restart

Configuring the DNS record

You can grab the public key from /etc/opendkim/keys/example.com/mail.txt, which you will use to create your TXT record in your DNS provider (in my case, Namecheap). If you sudo cat /etc/opendkim/keys/example.com/mail.txt, you’ll see something like this:

mail._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=<some really long string>" )  ; ----- DKIM key mail for example.com

This will need some cleanup before we can enter it into our DNS record. All we need are the three pieces v=DKIM1, k=rsa, and p=.... Put this all into one line:

v=DKIM1; k=rsa; p=<some really long string>

Now, add this as a TXT record in your provider’s DNS editing interface, with the host mail._domainkey:

Should be good to go! We can test with a few services:

Caveat: Mail-in-a-Box currently overwrites the KeyTable and SigningTable any time you fiddle with the Custom DNS settings. I have opened an issue about this, but it seems that in the meantime the workaround is to simply go back and fix your KeyTable after each time you mess with the Custom DNS settings.


#6

DKIMvalidator.com consistently says my DKIM is no good even when other sites say it is and opendkim-testkey say it is correct. It says “signature header invalid.”

The only think I can think of is that I do not have DSSEC enabled on the domain and this does result in a log event in opendkim-testkey. I wonder if that gives a result code to spamassassin on their setup for some reason.


#7

Were you ever able to solve your “signature header invalid” issue?


#8

Hello alexweissman!
I am trying to generate a DKIM signature, Yesterday I was following your tips and everything was ok.
Today I am trying to meassure my score http://www.mail-tester.com/web-5r1ah and it checks an error!
What is the error? Does the public key expire or something else?


#9

Unfortunately, it seems that MIAB periodically overwrites the KeyTable. See https://github.com/mail-in-a-box/mailinabox/issues/1160


#10

That’s true.
I re-generated the opendkim key and I did some test ([http://dkimvalidator.com]), the response was succesfull!
//------------------------------------------------------- start
DKIM Information:DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=museblock.com; s=mail;
t=1499795885; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Date:From:To:Subject:From;
b=agHwt273aNNmKG0w1zOz3huD1BbtD8DtJeRv3814VneQix0yJFDbv0UF9JGFWUVmc
6f8FUfCbGG/H4GLTxUewNqqxLu7PQpXkwZ7cHbxoMfiIvMcj8rrMmTvNNQR9dCNqCk
+/P48x1BgtOiN+aSC5q5vP4taMRtRWLEGQe7ynrI=

Validating Signature
result = pass
Details:
//------------------------------------------------------- end

//------------------------------------------------------- start
SPF Information:


Result: pass (Mechanism ‘mx’ matched)
Result code: pass
//------------------------------------------------------- end
Message is NOT marked as spam

But, why when I try to send an email to "user@gmail.com", always the message appear in spam?

thanks


#11

I have same problem with “DKIM-Signature header exists but is not valid”, when I updated MIAB, I can’t send any email to Gmail :frowning:


#12

If you’re still struggling with 1024-bit DKIM key limits on an external DNS, you might want to consider using Cloudflare. You wouldn’t have to change your registrar, and they can read your current DNS records and automatically duplicate them on their own servers. Once you’re on Cloudflare, you can use the full 2048-bit DKIM key that MIAB generates.


#13

For me the error is: “Details: public key: OpenSSL error: too long” :[