[SOLVED] DKIM signature is not valid


#1

I have migrated my MiaB to a different VPS. I am using DNS on the box.

I keep getting messages and test results showing that the DKIM signature is invalid. How do I correct this?

The other topics seem to focus on external DNS, but I am definitely using the MiaB DNS.


#2

Have you re-run setup after migrating the data? I am unsure of how to regenerate DKIM keys


#3

Yeah, I had to do it like 3 times to get everything seemingly in order … between the calendar and contact issue I posted about in another thread, this DKIM signature issue and notification that my DANE TLSA record is misconfigured I am kind of stumped.

I actually switched DNS away from my box to the registrar because of the DKIM and TLSA issues. I am not sure yet if this helped. But it seems that both the TLSA and DKIM are not matching DNS from the box … so this issue has become significantly more complicated…

When I ran the setup the first time, it seemed that there was an issue with a key … and when I ran my admin panel I installed a new LE cert for the box. It seemed odd to me at the time that the LE cert that was installed for box.domain.com needed to be replaced but the certificates for domain.com and www.domain.com were fine …


#4

Maybe there is an inconsistency between the digital signature and the published (public) key in the DNS record? You can check with any DKIM Validator online.

You can check DANE TLSA here.

If DNSSEC is enabled and you changed the “hardware”, probably you have to resend the DNSSEC string to the registrar.
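The mismatch described in this post (signature made with one key, a different public key published in DNS) can be checked offline by comparing the selector record the server was generated with against the TXT record actually served. The following is an added example, not Mail-in-a-Box code; the selector file, the base64 key blobs and the DNS strings are constructed placeholders, not real keys. It handles the two things that usually trip up a manual comparison: DNS splitting a long TXT record into several 255-byte strings, and folding whitespace or line breaks inside the `p=` value.

```python
"""Compare the DKIM public key a mail server signs with (its selector
key file) against the TXT record published in DNS for that selector.

Added example, not Mail-in-a-Box code.  All record text below is
constructed; the base64 blobs are placeholders, not real keys.
"""
import re
from typing import Dict, List, Optional

# Constructed selector file in the layout opendkim-genkey writes:
# several quoted strings inside parentheses, followed by a comment.
LOCAL_KEY_FILE = (
    'mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " '
    '"p=MIIBIjANBg/EXAMPLE+KEY/BLOB" )  ; ----- DKIM key mail for example.com'
)

# Constructed answer as a resolver would hand it back: the record was
# split into two character-strings by the DNS provider.
DNS_STRINGS = ["v=DKIM1; k=rsa; p=MIIBIjANBg/EXAMPLE+KEY/", "BLOB"]

# Constructed stale record left over from a previous server.
STALE_DNS_STRINGS = ["v=DKIM1; k=rsa; p=MIIBOLD/KEY/FROM/PREVIOUS/BOX"]


def parse_dkim_txt(strings: List[str]) -> Dict[str, str]:
    """Join the character-strings of a TXT RR (long records are split
    into 255-byte chunks) and parse the tag=value list of RFC 6376 3.2.
    Whitespace inside a value is folding whitespace and is dropped, so a
    key pasted with line breaks still compares equal."""
    joined = "".join(strings)
    tags: Dict[str, str] = {}
    for part in joined.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")  # keep '=' padding in base64
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_key_file(text: str) -> Dict[str, str]:
    """Extract the quoted strings from a selector .txt file and parse them
    exactly like a published record."""
    return parse_dkim_txt(re.findall(r'"([^"]*)"', text))


def compare(local: Dict[str, str], published: Optional[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means DNS matches the key
    the server signs with."""
    problems: List[str] = []
    if published is None:
        return ["no TXT record published for the selector"]
    if published.get("v", "DKIM1") != "DKIM1":
        problems.append("record is not a DKIM1 record")
    if published.get("k", "rsa") != local.get("k", "rsa"):
        problems.append("key type (k=) in DNS differs from the local key")
    if published.get("p", "") == "":
        problems.append("empty p= tag: the key is published as revoked")
    elif published.get("p") != local.get("p"):
        problems.append("public key in DNS differs from the key the server signs with")
    return problems


if __name__ == "__main__":
    local_tags = parse_key_file(LOCAL_KEY_FILE)
    for label, strings in (("current", DNS_STRINGS), ("stale", STALE_DNS_STRINGS)):
        print(label, compare(local_tags, parse_dkim_txt(strings)) or "OK")
```

To run this against a live zone, replace `DNS_STRINGS` with the strings returned by `dig +short TXT mail._domainkey.example.com` and `LOCAL_KEY_FILE` with the contents of the selector file on the server (the path is assumed to be whatever your installation uses; it is not stated here).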


#5

Also remember it takes up to 48 hours for DNS changes (especially GLUE records (nameserver records)) to take effect. So if you did this all in a span of 48 hours it’s like it was fine.


#6

This also is stumping me. Yes, I did change the ‘hardware’ but the registrar did not have DNSSEC enabled in the first place, so I provided the necessary information to them yesterday. Today, the DNSSEC changed … Why? How? There were no changes initiated by me to the server after I did the initial set up and got things running.


#7

Yes, after the additional changes I made today due to the box’s DNS seemingly not being correct, I need to wait …


#8
  • What’s the result of the validators (see above)? Have you solved the DKIM / DANE TLSA issue?

  • What do you mean by “DNSSEC changed”? What and where exactly did something change?


#9

The DKIM validator link you provided said that it never received my emails after several attempts both yesterday and today …

I tried another random hit from Google http://dkimvalidator.com/ and it came back with the DKIM being valid however another portion of those results complains that my SPF records search results in a SERVFAIL error in DNS…

The DANE TLSA Validator says “DNSSEC: Insecure Domain” and goes no further. I removed the TLSA record completely when I changed the DNS provider.

When I set up this new box, I had to change the glue record and at the time I did that, I noticed that the DNSSEC was not set up with the registrar so I copied the information from my box as provided in the System Status Checks page. The next day when I noticed that there were issues and ran a check using mail-tester.com the results showed that the DNSSEC was incorrect. My box then showed a different DNSSEC record to provide to the registrar. In this time period, I had changed nothing manually.


#10

Ok after 24 hours and switching DNS from the box to the registrar, things have gone even more downhill.

Using mail-tester.com I am getting a score of -3.8/10. Yes NEGATIVE. Yesterday using the box’s DNS at least I had a score in the positive. So it seems that switching to my registrar’s DNS made things worse. I had no choice because I could not find out how to remove the bad TLSA record from my box, so did the most logical thing at the time, eliminated it by changing DNS to a different provider. So, this whole episode of moving my box has seemingly turned into a colossal failure.


#11

After an online chat with the registrar the issue has been mostly resolved.

The box indicates that I am to enter a DS (DNSSEC) record with the registrar and I did so. THIS CANNOT BE DONE if using 3rd party DNS! This was preventing my DNS from propagating.


#12

Most probably your problem lies within DNSSEC & DNS propagation. You should make sure that you send the exact string on your box to the registrar and that you do not have anything in between (such as a proxy). If you use 3rd party DNS, guess you have to set up a satellite system (would not recommend this here).


#13

I’d strongly recommend getting everything working without DNSSEC and then only adding DNSSEC at that point if you really want it. To turn off DNSSEC, have your registrar remove the DS record. (For reference, if there is no DS record, TLSA records are ignored and it doesn’t matter if a TLSA record is present or not.)


#14

@CorneliusLentulus As noted in the previous response, the DS record was supplied to the registrar as indicated on the status page but that was what was blocking propagation of DNS … as noted, you MUST NOT use the DS record (even though the status page tells you to do so) when using 3rd party DNS! This would likely be obvious to someone who is quite familiar with DNS but not necessarily so to the average user of MiaB.


#15

@JoshData Yes, the DS record was indeed the issue. Please see my previous comment. Thank you for the insight on the TLSA record!

I want to take this opportunity to thank @JoshData and all the others who have made this project a success!

And lastly, I’d like to recommend that a change be made to the status page so that there is either a note NOT to set the DS record (as recommended) when 3rd party DNS is used or that the noted verbiage be completely excluded when the status page detects 3rd party DNS being used.
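The two failure modes in posts #9, #11 and #13 (a DS at the registrar that no longer matches the DNSKEY the box publishes, and a DS left at the registrar after the zone moved to third-party DNS that carries no signatures) can both be checked from the records alone. The following is an added example, not Mail-in-a-Box code: it computes the DS a parent should hold for a given DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and applies the rule from the thread. The zone name and key bytes are constructed placeholders, not real keys, and it assumes the third-party DNS provider serves the zone unsigned.

```python
"""Check the DS record held at a registrar against the DNSKEY a zone's
authoritative server publishes, and flag a DS that must not exist.

Added example, not Mail-in-a-Box code.  The zone name and key bytes
below are constructed placeholders, not real keys.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Dnskey:
    owner: str          # zone name, e.g. "example.com."
    flags: int          # 257 = KSK (zone key with the SEP bit set)
    protocol: int       # always 3 (RFC 4034)
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes   # raw key bytes (what the base64 blob decodes to)

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire form: flags, protocol, algorithm, key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


# Constructed keys: the one the box publishes now and the one it
# published before the migration (still on file at the registrar).
BOX_KEY = Dnskey("example.com.", 257, 3, 13, bytes(range(1, 65)))
OLD_KEY = Dnskey("example.com.", 257, 3, 13, bytes(range(64, 0, -1)))


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    prefixed by its length, terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: Dnskey) -> int:
    """Key tag, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(key: Dnskey) -> Tuple[int, int, int, str]:
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, hex digest)
    that the parent zone should publish for this DNSKEY (RFC 4509)."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest()
    return (key_tag(key), key.algorithm, 2, digest)


def diagnose(registrar_ds: Optional[Tuple[int, int, int, str]],
             box_key: Dnskey, box_is_authoritative: bool) -> str:
    """Apply the rule from the thread: a DS belongs at the parent only when
    the servers answering for the zone also serve the matching DNSKEY and
    signatures.  Otherwise validating resolvers mark the zone bogus and
    answer SERVFAIL."""
    if registrar_ds is None:
        return "ok: no DS at the parent; zone is unsigned and TLSA records are ignored"
    if not box_is_authoritative:
        return ("remove the DS at the registrar: the zone is served by third-party DNS "
                "that does not carry the box's DNSKEY and signatures, so validating "
                "resolvers treat it as bogus and return SERVFAIL")
    expected = ds_for(box_key)
    if registrar_ds == expected:
        return "ok: DS at the parent matches the DNSKEY the box publishes"
    return ("stale DS: registrar holds key tag %d but the box's DNSKEY has key tag %d; "
            "resend the DS shown on the box's status page"
            % (registrar_ds[0], expected[0]))


if __name__ == "__main__":
    print("box DS now :", ds_for(BOX_KEY))
    print(diagnose(ds_for(BOX_KEY), BOX_KEY, True))
    print(diagnose(ds_for(OLD_KEY), BOX_KEY, True))    # stale after migration
    print(diagnose(ds_for(BOX_KEY), BOX_KEY, False))   # DS left after moving DNS
    print(diagnose(None, BOX_KEY, False))
```

To use it on a real zone, fill `Dnskey` from the DNSKEY record the box publishes (`dig DNSKEY example.com @box-ip`, base64-decoding the key field) and compare `ds_for(...)` with `dig DS example.com` as seen from a public resolver; the registrar's DS must match that output exactly, or be absent.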


#16

I think there may be an old issue on github already for this or something similar. If not, feel free to open an issue. Best would be to open a pull request with some actual changes to the code.


#17

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.