Domainkey missing

I have many lines in mail.log

Mar 3 09:18:02 mail opendkim[222]: 9F6806D06D: key retrieval failed (s=default, d=mydomain.tld): ‘default._domainkey.mydomain.tld’ record not found
Mar 3 09:18:02 mail opendmarc[221]: 9F6806D06D: SPF(mailfrom): mydomain.tld fail
Mar 3 09:18:02 mail opendmarc[221]: 9F6806D06D: mydomain.tld fail

Indeed, default._domainkey.mydomain.tld is missing from DNS, but why? Is that expected? Can I create it manually?

The host name is mail.mydomain.tld and mail._domainkey.mydomain.tld exists in DNS.

The from and to addresses are both on the same server (@mydomain.tld), and the result is:
X-Spam-Report:

  • 5.0 DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
  • 5.0 SPF_FAIL SPF check failed
    etc.

What version of Mailinabox are you using? Is there anything yellow or red in the status screen?
Try https://www.learndmarc.com/
And finally, are you using your box as DNS server or are you using external DNS?

Hi…

A few-days-old v71a install.
Status screen is all green, except “Web has been disabled …” because of a custom A record on mydomain.tld.
The MIAB box is the primary DNS and two secondary DNS servers are defined. The contents of all DNS servers are identical.

You did not say whether MIAB is supposed to create the default._domainkey record automatically or not. What exactly is it used for anyway? RFC 4871 does not say anything about a “default” selector. It would be good to know whether it is actually needed or not.

edit:
I may have discovered the actual reason for my troubles. Some users are still sending via the old mail server and this triggers red flags in the new one, including the need to resolve the default._domainkey record for some reason.

Yeah, I wasn’t sure what the selector is that MiaB uses. But you’ve already found the cause.
The selector is used by other mail servers to query the DNS for the DKIM key; with this they can check that the mail is signed by your mail server.

Correct me if I’m wrong, but by my understanding the default selector is used to get the key when mail is coming from a server with an unrelated domain name, to check whether that mail is by any chance properly signed.

Since a random server is not allowed to send mail on behalf of my domain anyway, the default selector is usually not needed.

But it may prove useful when a recipient has forwarded mail to some other address and his mail server sends my mail on to the next server. Then that next server can check that this mail originated from my server.

My old server did have that record, and maybe it is useful to have one after all.

Thanks.

There’s nothing special about a selector called default. It’s just a name.
If you look at a mail coming from your server, you’ll see the DKIM-Signature header. It contains an s= tag which tells the receiving mail server what the selector is. If the header says s=default, the receiving mail server will look up default._domainkey... in the DNS for the sender mail domain to get the key to check the DKIM signature with.
For Mailinabox the selector used is mail; your old server apparently used default, but that is not an official fallback mechanism (which you already found from the mentioned RFC).

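The lookup described in the reply above, as an added example that is not part of the original thread or of Mail-in-a-Box: the receiving server takes the s= and d= tags from the DKIM-Signature header, builds the name <selector>._domainkey.<domain>, and fetches the TXT record there. The same name is what opendkim reports in the "key retrieval failed" log line at the top of the thread, so the block also parses that line. The two headers and the zone contents are constructed for this example (the public key value is a placeholder, not a real key), and DNS is simulated with a dictionary so the code runs offline; a real check would issue a TXT query instead.

```python
import re

# Constructed DKIM-Signature headers (not taken from the thread):
# one as Mail-in-a-Box emits it (selector "mail", folded across lines),
# one as the poster's old server emitted it (selector "default").
HEADER_MIAB = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld;\n"
    "\ts=mail; h=from:to:subject:date; bh=QkFTRTY0Ym9keWhhc2g=;\n"
    "\tb=QkFTRTY0c2lnbmF0dXJl"
)
HEADER_OLD = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld; "
    "s=default; h=from:to:subject:date; bh=QkFTRTY0Ym9keWhhc2g=; "
    "b=QkFTRTY0c2lnbmF0dXJl"
)

# The opendkim log line quoted at the top of the thread.
LOG_LINE = (
    "Mar 3 09:18:02 mail opendkim[222]: 9F6806D06D: key retrieval failed "
    "(s=default, d=mydomain.tld): \u2018default._domainkey.mydomain.tld\u2019 "
    "record not found"
)

# Constructed stand-in for DNS: only the selector MiaB publishes exists.
# "p=" holds a placeholder, not a real public key.
ZONE = {
    "mail._domainkey.mydomain.tld": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
}

OPENDKIM_FAIL = re.compile(
    r"opendkim\[\d+\]: (?P<qid>[0-9A-Fa-f]+): key retrieval failed "
    r"\(s=(?P<s>[^,]+), d=(?P<d>[^)]+)\)"
)


def parse_tags(value):
    """Parse a tag=value list (a DKIM-Signature header or a DKIM TXT record)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)          # unfold header continuation lines
    if value.lower().startswith("dkim-signature:"):    # drop the header name if present
        value = value.split(":", 1)[1]
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dkim_record_name(selector, domain):
    """DNS name a verifier queries for the signing key."""
    return f"{selector}._domainkey.{domain}"


def name_from_header(header):
    """Selector and domain come straight from the s= and d= tags."""
    tags = parse_tags(header)
    return dkim_record_name(tags["s"], tags["d"])


def name_from_opendkim_log(line):
    """Recover the same name from an opendkim 'key retrieval failed' line, or None."""
    m = OPENDKIM_FAIL.search(line)
    return dkim_record_name(m.group("s"), m.group("d")) if m else None


def lookup_key(name, zone):
    """Return the parsed DKIM TXT record for `name`, or None (simulated DNS)."""
    txt = zone.get(name)
    return parse_tags(txt) if txt is not None else None


def check_header(header, zone):
    """Classify a header the way a verifier would before checking the signature."""
    name = name_from_header(header)
    rec = lookup_key(name, zone)
    if rec is None:
        return ("record not found", name)     # same wording as the opendkim log
    if not rec.get("p"):
        return ("key revoked", name)          # empty p= means revoked (RFC 6376)
    return ("key found", name)


if __name__ == "__main__":
    for hdr in (HEADER_MIAB, HEADER_OLD):
        print(check_header(hdr, ZONE))
    print(name_from_opendkim_log(LOG_LINE))
```

Run stand-alone it prints "key found" for the mail selector and "record not found" for default, matching the poster's log; on a live system, replace the ZONE lookup with a TXT query for the computed name.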

Thank you for the very good explanation.

You can check your DKIM here: DKIM Inspector - dmarcian

Type the name of the selector.