1

Topic: Gibberish for dkim signature in mail headers

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I've had an iRedMail server since 2016. Lately I've been plagued by bad deliverability so I went on to investigate. It turns out the message headers contain something completely different from my dkim keys.
• I get a pass for all domains (except for one, which is currently inactive) on amavisd-new testkeys
amavisd-new showkeys shows correct keys consistent with DNS records (truncated in the middle):

; key#2 2048 bits, i=dkim, d=domain.com, /var/lib/dkim/domain.com.pem
dkim._domainkey.domain.com.    3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyA7VGqqsfoyaIXDXYSAi"
  ...
  ...
  ...
  ...
  "TrvVOeuhdbTgF7HwRTwPTkQP7S2caXdqAIUwdIKw5lJ85HqLWSqPmXHtrLnHFygl"
  "BQIDAQAB")

dig -t txt dkim._domainkey.domain.com produces:

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> -t txt dkim._domainkey.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;dkim._domainkey.domain.com.    IN    TXT

;; ANSWER SECTION:
dkim._domainkey.domain.com. 3600 IN    TXT    "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyA7VGqqsfoyaIXDXYSAi (...) TrvVOeuhdbTgF7HwRTwPTkQP7S2caXdqAIUwdIKw5lJ85HqLWSqPmXHtrLnHFyglBQIDAQAB;t=s;"

• Mail headers look completely different (quoted at full length):

 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; h=
    content-transfer-encoding:content-type:content-type:subject
    :subject:from:from:to:content-language:user-agent:mime-version
    :date:date:message-id; s=dkim; t=1651325590; x=1652189591; bh=kv
    /9lHvEANTbGkhklt21W0+65fXdhCyxjMUryoxl2jw=; b=UmQrnKpUv2ZeXZcX85
    njBYOV0TGMTKdcWcMn8DyK9W7BoEUSDKf0c5p3IDDXwLZ0KcB1eoo8O0t9JnzVc3
    IaQyvQPFys7O0GPf3TpSZz2w9LkBecJmhawIznqeDXqN2D0p4I70vTWhE93Awsws
    pM9+6gxivrRumfQNZsnUH4VEERcA5CQZndSAKytdC/vWrmqPSX9JpOt8fwm/w6/L
    qveLYbgVwvkLYiqsOBXKPdtpN6Dpq3K/eSJY8D0XJwBD4bhTKY+F7RsDY/YLxU8A
    0Q7Sw8N+37RpDnY/Po5GIbkOBFi2/CLyp7u/ly0+J5aW03JuqTtXRyb9j+FarfZg
    8o6g==

• A week ago it was yet different:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; h=
    content-transfer-encoding:content-type:content-type:subject
    :subject:from:from:to:content-language:user-agent:mime-version
    :date:date:message-id; s=dkim; t=1640155099; x=1641019100; bh=Hw
    Myja6rrGK2Ox0+v6o2UuhQExd7DMW8m0ZG4H1mkzw=; b=QsB5x1PlL/j7AXHHG4
    xcAoVf61dpE5DJk1loZ4mIAytZqATbhaQAhmKTOJAUi9Dl6nHnoy35Z0BLWRUv3a
    RIbZXE30J27Q1+lBE+am6mUnfKJCwuCLGa+775UrF4GnS6khcePOr88iZYCMoko5
    tmCNr+tAQxQ7gfr2N2wgaYTAXaraY378oUl0NeslCe8KGxh6seZKfyC9W7rMyJV/
    WPFc8qZya+KtGsm7rsV7wvQlqwVW02EoSE/kSnZGlGM4CVVqgX2iTTpEyjmtGHVx
    5UnxJkg15fQcJAMJL0DSTdkCLJCsPCXAYQJZbYJ+xa+aOJY8lLnpHTdseKXEtUKq
    Z3cQ==

• I have reviewed emails from 2016 to 2022. It seems I never had correct dkim keys in messages. I've been given 'just generated, assumed good' at best.
Is there a way to get it working?


2

Re: Gibberish for dkim signature in mail headers

It looks like this, in short: https://edu.cloud.webo.hosting/index.ph … AR47BfeELW

3

Re: Gibberish for dkim signature in mail headers

A domainkey doesn't have any spaces in between.

4

Re: Gibberish for dkim signature in mail headers

Cthulhu wrote:

A domainkey doesn't have any spaces in between.

Of course it doesn't. I acted in accordance with instructions: https://docs.iredmail.org/setup.dns.htm … im-record. I also checked specific instructions for OVH, where I keep this specific domain. I made gaps in the key in my post because I didn't want to publish the entire key. I'm not sure if keys should be protected from public view.

5

Re: Gibberish for dkim signature in mail headers

Nice, people always demand troubleshooting but refuse to give correct information.

6 (edited by alm 2022-05-01 18:31:13)

Re: Gibberish for dkim signature in mail headers

Akiba wrote:

I made gaps in the key in my post because I didn't want to publish the entire key. I'm not sure if keys should be protected from public view.

What needs to be published in DNS is the public part of the key pair; the private part is to be kept secret, but that does not show up as something to publish in DNS anyway.
The DKIM header in each mail is different and depends on the parts of the e-mail that the signature is created over. When you introduce a new DKIM key pair you should always create a new selector, the reason being that there could still be e-mails in transit which need to be verified using the previously used DKIM key. After more than (at least) a week, the old DKIM record could be removed from DNS.

You can test if DKIM works by sending an e-mail from your domain to GMail or Outlook.com mailbox and check the headers. It should show that DKIM has passed. If that passes, DKIM should be ok.

Without knowing the domain and selector in question it is kind of impossible to check what is wrong with your mail delivery, and more still needs to be known. You should also check SPF, DMARC and PTR setup.
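The per-message nature of the DKIM-Signature header that alm describes above, as an added example that is not part of the original thread: a stdlib-only Python script that recomputes the bh= body hash of a DKIM-Signature the way a verifier does (simple and relaxed body canonicalisation per RFC 6376), first on a constructed message and then on the same message with a footer appended after signing, which is the failure mxtoolbox reports as "Body Hash Did Not Verify". The b= tag is an RSA signature over the hash of the listed headers, so it changes with every message and never resembles the public key in DNS; checking b= needs the public key and an RSA library and is deliberately left out here. domain.com, the selector dkim and the sample message are constructed, and the b= value is a placeholder.

```python
"""Recompute the bh= body hash of a DKIM-Signature (RFC 6376), stdlib only."""
import base64
import hashlib
import re


def split_message(raw):
    """Split an RFC 5322 message into (header block, body) at the first empty line."""
    raw = raw.replace("\r\n", "\n")          # accept either line ending
    head, _, body = raw.partition("\n\n")
    return head, body


def get_header(head, name):
    """Return the unfolded value of the first header named `name`, or None."""
    value = None
    for line in head.split("\n"):
        if value is not None:
            if line[:1] in (" ", "\t"):      # folded continuation line
                value += " " + line.strip()
                continue
            break
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list; folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def canon_body_simple(body):
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 3.4.4: squeeze WSP runs, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="simple", length=None):
    """base64(SHA-256(canonicalised body[:l])) exactly as it must appear in bh=."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    data = canon_fn(body).encode("utf-8")
    if length is not None:                    # optional l= tag limits the hashed bytes
        data = data[:int(length)]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_body_hash(raw):
    """Compare the bh= in the message's DKIM-Signature with a fresh hash of its body."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        raise ValueError("message carries no DKIM-Signature header")
    tags = parse_tags(sig)
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise ValueError("only a=rsa-sha256 is handled here")
    # c=header/body; the body algorithm defaults to simple when omitted (RFC 6376 3.5).
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    actual = body_hash(body, body_canon, tags.get("l"))
    return {"domain": tags.get("d"), "selector": tags.get("s"),
            "expected": tags.get("bh"), "actual": actual, "ok": actual == tags.get("bh")}


def build_sample(body):
    """Constructed demo message (not from the thread). b= is a placeholder: a real
    value is an RSA signature over the header hash and needs the private key."""
    bh = body_hash(body, "simple")
    # bh= is folded across two lines on purpose, as in the headers quoted in post 1.
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=dkim;\r\n"
        "\th=from:to:subject:date; bh=" + bh[:20] + "\r\n"
        "\t" + bh[20:] + "; b=PLACEHOLDER+NOT+A+REAL+SIGNATURE==\r\n"
        "From: user@domain.com\r\n"
        "To: someone@example.net\r\n"
        "Subject: DKIM body hash demo\r\n"
        "Date: Sun, 01 May 2022 12:00:00 +0200\r\n"
        "\r\n" + body
    )


ORIGINAL = build_sample("Hello from domain.com\r\n")
# A footer added after signing (mailing list, archiver, AV gateway, disclaimer
# milter) is the classic cause of "Body Hash Did Not Verify".
TAMPERED = ORIGINAL + "-- \r\nAppended after signing\r\n"

if __name__ == "__main__":
    for label, msg in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, check_body_hash(msg))
```

When running this against a real message, feed it the raw bytes as received: trailing blank lines and CR/LF differences are exactly what canonicalisation exists to absorb, and a message that has been re-encoded by a mail client will usually fail the check even though the wire copy was fine. Note that bh= only covers the body; a mismatch there says nothing about the key in DNS, which is only used for b=.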

7

Re: Gibberish for dkim signature in mail headers

@alm
The domain in question is przeklad.pl and I'm using the standard selector for iredmail.
Thank you for your comments and explaining some matters to me.
Still, there are errors in the reports from some well-known email checkers.

  • mxtoolbox.com reports that "Body Hash Did Not Verify"

  • dkimvalidator.com produces ambiguous information. On the one hand it gives a pass for DKIM signature, but in the SpamAssassin Score section I get:

 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid

 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
  • Google does give a dkim pass, albeit with a comment: 'just generated, assumed good'. I'm not sure what they really mean. The language suggests they're not even checking, just assume the signature is good based on something else.

8

Re: Gibberish for dkim signature in mail headers

dkimvalidator's scoring for a popular public email provider in Poland (wp.pl) looks a bit different:

-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid

9

Re: Gibberish for dkim signature in mail headers

I have checked your DKIM public record and it seems valid.

I have also checked your SPF record and it uses capitals for IP4 and IP6. If you need to add ipv4 and ipv6 addresses, use ip4 and ip6 (no capitals!).

Your number of (name) lookups is small, and mail.east-central.eu resolves to the same ip4 and ip6 addresses. If mail.east-central.eu changes IP addresses you will have to change the manually configured static IP addresses, but if you only use the mx entry it will resolve correctly.
Also, there is no point in adding the same IP addresses multiple times (which is what happens when using include:east-central.eu).

In other words, you can change the SPF record into:
"v=spf1 mx -all"

About DMARC: your _dmarc.przeklad.pl record contains:
"v=DMARC1; p=reject; rua=mailto:<e-mail address for dmarc reports in your domain>"
The e-mail address is redacted to prevent spam, even though this address is published in DNS. A forum is much more likely to be scanned for e-mail addresses for sending spam.

To use p=reject you must be absolutely sure that DKIM and SPF are working correctly and that your addresses are aligned. If you are not sure, as I think is the case, you had better change it to:
"v=DMARC1; p=none; sp=none; rua=mailto:<e-mail address for dmarc reports in your domain>"
Then you will receive reports, while the mail flow will just work. If you are absolutely sure that there are no 3rd parties that are allowed to send e-mail using your domain you can set it to:
"v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:<e-mail address for dmarc reports in your domain>"
Then, when everything works as expected (after some time), use:
"v=DMARC1; p=reject; sp=reject; rua=mailto:<e-mail address for dmarc reports in your domain>"

<e-mail address for dmarc reports in your domain> must of course be the mailbox in your domain where you wish to receive the reports.

Next, you can test your mail with: https://www.mail-tester.com/

Hope this helps!
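A static checker for the SPF and DMARC points alm raises above, as an added example that is not part of the original thread: it counts the DNS-lookup terms in an SPF record against the RFC 7208 limit of ten, flags duplicate ip4/ip6 entries and capitalised mechanism names, and parses a DMARC record to report the effective p= and sp= policy and an rua= address accidentally wrapped in < > (the mistake corrected later in this thread). The records are constructed with documentation addresses and example.org, not the real przeklad.pl records. One caveat a practitioner should know: RFC 7208 matches mechanism names case-insensitively, so a compliant verifier accepts IP4:, which is why the checker reports capitals as a style warning rather than a hard error; the lookup count is also static, it does not follow include: or redirect= into other records.

```python
"""Static sanity checks for SPF (RFC 7208) and DMARC (RFC 7489) TXT records."""

SPF_LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
SPF_MAX_LOOKUPS = 10                       # RFC 7208 section 4.6.4
DMARC_POLICIES = ("none", "quarantine", "reject")


def check_spf(record):
    """Return {'lookups': n, 'issues': [...]} for one SPF record string.

    Terms that trigger a DNS query are counted; records pulled in by
    include:/redirect= are not followed, so this is a lower bound."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "issues": ["record must start with v=spf1"]}
    lookups = 0
    seen_ips = set()
    has_redirect = False
    for term in terms[1:]:
        body = term.lstrip("+-~?")                     # drop the qualifier
        if "=" in body:                                # modifier: redirect=, exp=
            name, _, arg = body.partition("=")
        else:                                          # mechanism: mx, ip4:..., a/24
            name, _, arg = body.partition(":")
        name = name.split("/")[0]                      # strip CIDR suffix on a/mx
        lname = name.lower()
        if name != lname:
            # Verifiers match names case-insensitively; lowercase is the
            # documented spelling, so report it as a warning.
            issues.append("'%s' is written in capitals; use '%s'" % (name, lname))
        if lname in SPF_LOOKUP_TERMS:
            lookups += 1
        if lname == "redirect":
            has_redirect = True
        if lname in ("ip4", "ip6"):
            if not arg:
                issues.append("%s needs an address" % term)
            elif arg.lower() in seen_ips:
                issues.append("duplicate address %s" % arg)
            else:
                seen_ips.add(arg.lower())
    if lookups > SPF_MAX_LOOKUPS:
        issues.append("%d DNS-lookup terms, RFC 7208 allows at most %d"
                      % (lookups, SPF_MAX_LOOKUPS))
    if terms[-1].lstrip("+-~?").lower() != "all" and not has_redirect:
        issues.append("record does not end with an 'all' mechanism (or redirect=)")
    return {"lookups": lookups, "issues": issues}


def check_dmarc(record):
    """Return policy, effective subdomain policy and issues for one DMARC record."""
    issues = []
    tags = []
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags.append((k.strip(), v.strip()))
    tagmap = dict(tags)
    # v=DMARC1 must be the first tag and must match exactly (RFC 7489 6.3).
    if not tags or tags[0] != ("v", "DMARC1"):
        issues.append("first tag must be exactly v=DMARC1")
    policy = tagmap.get("p")
    if policy not in DMARC_POLICIES:
        issues.append("p= missing or not one of none/quarantine/reject")
    subdomain_policy = tagmap.get("sp", policy)       # sp= defaults to p=
    if subdomain_policy not in DMARC_POLICIES:
        issues.append("sp= must be one of none/quarantine/reject")
    uris = [u.strip() for u in tagmap.get("rua", "").split(",") if u.strip()]
    if not uris:
        issues.append("no rua=, so no aggregate reports will arrive")
    for uri in uris:
        if "<" in uri or ">" in uri:
            issues.append("rua address is wrapped in angle brackets: %s" % uri)
        elif not uri.lower().startswith("mailto:") or "@" not in uri:
            issues.append("rua entry is not a mailto: URI: %s" % uri)
    return {"policy": policy, "subdomain_policy": subdomain_policy, "issues": issues}


# Constructed records (documentation addresses, not the real przeklad.pl zone).
SPF_BEFORE = ("v=spf1 mx include:east-central.eu IP4:192.0.2.25 "
              "ip4:192.0.2.25 IP6:2001:db8::25 -all")
SPF_AFTER = "v=spf1 mx -all"
DMARC_BEFORE = "v=DMARC1; p=reject; rua=mailto:<dmarc@example.org>"
DMARC_AFTER = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for rec in (SPF_BEFORE, SPF_AFTER):
        print(rec, "->", check_spf(rec))
    for rec in (DMARC_BEFORE, DMARC_AFTER):
        print(rec, "->", check_dmarc(rec))
```

The SPF check is a syntax and hygiene pass, not an evaluation: whether a given sender IP actually passes still needs a real evaluator with DNS access, and the ten-lookup limit can only be confirmed by following every include: and redirect= recursively. The DMARC check is likewise structural; deciding when p=reject is safe depends on the aggregate reports, which is exactly why the rua= address has to be a plain mailto: URI that reporting receivers can parse.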

10

Re: Gibberish for dkim signature in mail headers

Your number of (name) lookups is small, and mail.east-central.eu resolves to the same ip4 and ip6 addresses. If mail.east-central.eu changes IP addresses you will have to change the manually configured static IP addresses, but if you only use the mx entry it will resolve correctly.
Also, there is no point in adding the same IP addresses multiple times (which is what happens when using include:east-central.eu).

mail.east-central.eu acts as mail server for przeklad.pl, so I thought it should be included

11

Re: Gibberish for dkim signature in mail headers

Currently, what I see is that mail.east-central.eu is the only mail server for your domain. You have your MX record pointing to that server as well, so it's also the only server receiving mails. If you have another server which sends out mail for your domain, you should add its address to the SPF record as well. Also make sure that other server also has a PTR record which resolves back to the same FQDN as the server.

12

Re: Gibberish for dkim signature in mail headers

alm wrote:

Currently, what I see is that mail.east-central.eu is the only mail server for your domain. You have your MX record pointing to that server as well, so it's also the only server receiving mails. If you have another server which sends out mail for your domain, you should add its address to the SPF record as well. Also make sure that other server also has a PTR record which resolves back to the same FQDN as the server.

I have followed your instructions. Thanks for your trouble. We Shall See!

13

Re: Gibberish for dkim signature in mail headers

I'm sorry, but you shouldn't put < > around the e-mail address where you want to receive the DMARC reports. I used those signs because it's common to use them in examples of commands when something else needs to be put there...

14

Re: Gibberish for dkim signature in mail headers

alm wrote:

I'm sorry, but you shouldn't put < > around the e-mail address where you want to receive the DMARC reports. I used those signs because it's common to use them in examples of commands when something else needs to be put there...

Done, thanks.

15

Re: Gibberish for dkim signature in mail headers

You have your MX record pointing to that server as well, so it's also the only server receiving mails.