Yeah, I had to do it like 3 times to get everything seemingly in order … between the calendar and contact issue I posted about in another thread, this DKIM signature issue and notification that my DANE TLSA record is misconfigured I am kind of stumped.
I actually switched DNS away from my box to the registrar because of the DKIM and TLSA issues. I am not sure yet if this helped. But it seems that both the TLSA and DKIM are not matching DNS from the box … so this issue has become significantly more complicated…
When I ran the setup the first time, it seemed that there was an issue with a key … and when I ran my admin panel I installed a new LE cert for the box. It seemed odd to me at the time that the LE cert that was installed for box.domain.com needed to be replaced but the certificates for domain.com and www.domain.com were fine …
This also is stumping me. Yes, I did change the ‘hardware’ but the registrar did not have DNSSEC enabled in the first place, so I provided the necessary information to them yesterday. Today, the DNSSEC changed … why? how? There were no changes initiated by me to the server after I did the initial set up and got things running.
The DKIM validator link you provided said that it never received my emails after several attempts both yesterday and today …
I tried another random hit from Google http://dkimvalidator.com/ and it came back with the DKIM being valid; however another portion of those results complains that my SPF record search results in a SERVFAIL error in DNS…
The DANE TLSA Validator says "DNSSEC: Insecure Domain." and goes no further. I removed the TLSA record completely when I changed the DNS provider.
When I set up this new box, I had to change the glue record and at the time I did that, I noticed that the DNSSEC was not set up with the registrar so I copied the information from my box as provided in the System Status Checks page. The next day when I noticed that there were issues and ran a check using mail-tester.com the results showed that the DNSSEC was incorrect. My box then showed a different DNSSEC record to provide to the registrar. In this time period, I had changed nothing manually.
Ok after 24 hours and switching DNS from the box to the registrar, things have gone even more downhill.
Using mail-tester.com I am getting a score of -3.8/10. Yes, NEGATIVE. Yesterday using the box’s DNS at least I had a score in the positive. So it seems that switching to my registrar’s DNS made things worse. I had no choice because I could not find out how to remove the bad TLSA record from my box, so I did the most logical thing at the time and eliminated it by changing DNS to a different provider. So, this whole episode of moving my box has seemingly turned into a colossal failure.
Most probably your problem lies within DNSSEC & DNS propagation. You should make sure that you send the exact string on your box to the registrar and that you do not have anything in between (such as a proxy). If you use 3rd party DNS, I guess you have to set up a satellite system (would not recommend this here).
I’d strongly recommend getting everything working without DNSSEC and then only adding DNSSEC at that point if you really want it. To turn off DNSSEC, have your registrar remove the DS record. (For reference, if there is no DS record, TLSA records are ignored and it doesn’t matter if a TLSA record is present or not.)
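The DS/DNSKEY relationship the two replies above rely on, as an added example that is not code from this thread or from the Mail-in-a-Box project: the registrar's DS record is a SHA-256 digest over the zone's DNSKEY, so a DS copied from the status page before the box regenerated its key no longer matches, validating resolvers mark the zone bogus and answer SERVFAIL, while removing the DS entirely makes the zone "insecure" (DNSSEC off, TLSA ignored, but resolution works). The zone name and both keys below are constructed placeholders, not anyone's real data.

```python
"""Offline DS-record consistency check (added example, constructed data only).

Per RFC 4034 section 5 a DS record is: key tag, algorithm, digest type,
digest, where digest = SHA-256(owner name in wire form + DNSKEY RDATA).
"""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> tuple:
    """Derive the DS RDATA a registrar should hold: (key tag, algorithm, 2 = SHA-256, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def parse_ds(text: str) -> tuple:
    """Parse a DS record in presentation form, e.g. '2068 13 2 ABCD...' (as shown by a status page)."""
    tag, alg, dtype, digest = text.split()
    return (int(tag), int(alg), int(dtype), digest.upper())


def diagnose(published_ds, expected_ds) -> str:
    """Compare the DS the registrar publishes with the DS derived from the DNSKEY the zone serves."""
    if published_ds is None:
        return "insecure"  # no DS: DNSSEC is off, TLSA records are ignored, resolution still works
    if published_ds == expected_ds:
        return "secure"    # chain of trust intact; DANE/TLSA can be validated
    return "bogus"         # mismatch: validating resolvers return SERVFAIL for the whole zone


if __name__ == "__main__":
    ZONE = "example.com"              # constructed zone name
    OLD_KEY = bytes(range(1, 33))     # constructed: key the box had when the DS was copied
    NEW_KEY = bytes(range(101, 133))  # constructed: key after the box regenerated it
    registrar_ds = ds_record(ZONE, 257, 3, 13, OLD_KEY)  # what the registrar still holds
    live_ds = ds_record(ZONE, 257, 3, 13, NEW_KEY)       # what the box now serves
    print("registrar DS   :", registrar_ds)
    print("live DS        :", live_ds)
    print("verdict        :", diagnose(registrar_ds, live_ds))  # bogus -> SERVFAIL
    print("after DS removed:", diagnose(None, live_ds))         # insecure -> resolves, no DANE
```

Running the script reproduces the thread's situation: a stale DS at the registrar yields "bogus" (the SERVFAIL the SPF check reported), and deleting the DS yields "insecure", which is the state in which the DANE validator stops at "Insecure Domain" and resolution works again.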
@CorneliusLentulus As noted in the previous response, the DS record was supplied to the registrar as indicated on the status page but that was what was blocking propagation of DNS … as noted, you MUST NOT use the DS record (even though the status page tells you to do so) when using 3rd party DNS! This would likely be obvious to someone who is quite familiar with DNS but not necessarily so to the average user of MiaB.
@JoshData Yes, the DS record was indeed the issue. Please see my previous comment. Thank you for the insight on the TLSA record!
I want to take this opportunity to thank @JoshData and all the others who have made this project a success!
And lastly, I’d like to recommend that a change be made to the status page so that there is either a note NOT to set the DS record (as recommended) when 3rd party DNS is used or that the noted verbiage be completely excluded when the status page detects 3rd party DNS being used.