Dkim records not matching

I have suffered from this problem from the very beginning, but I don’t get it. It doesn’t seem too complicated to implement; in fact NethServer makes it very easy. But I still get this error of records not matching.

Although I just copied from here:

And created the corresponding TXT record in the DNS editor of the registrar.
What additional info could I provide to help find the source of this error and eliminate it?

The checks are done against contents of /etc/opendkim/default.txt. Can you check DKIM there?

Does it match what you have set at your DNS provider?

1 Like

The differences are a line break and where the double quotes are. If someone can look at the regex (see source code) to see how it breaks down the DKIM record for comparison… (I tried, but my memory is rusty.)

1 Like

IIRC we break at 1024 bits, and we provide a 2048-bit key, so if I recall correctly, where we cut the key is important.

1 Like

Thanks for looking into it. Just tell me if I can provide additional info.

I remember that I had a paste error in the TXT record at my domain provider. Turned out there was 1 character missing… :-/ It took a while to figure out where I missed what character…
Maybe compare them in 2 text files?

1 Like

default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=

Could it be the whitespace after rsa; or before "p"? ( k=rsa; " "p= )
The file has a space; dig returns it without a space after rsa;
:thinking:

1 Like
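To show why the two forms above differ only in presentation, here is an added example (not code from NethServer or from anyone in this thread) that joins the quoted chunks of a TXT record, strips insignificant whitespace, and compares the p= value the way a DKIM verifier does; the record contents are constructed sample data, not a real key.

```python
import re

# Constructed sample in the /etc/opendkim/default.txt style: the record is
# split into several quoted strings across lines, with a trailing comment.
FILE_RECORD = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSample"
  "SecondChunkOfTheSameKey==" )  ; ----- DKIM key default for example.org'''

# Constructed sample of the same record as a resolver prints it: one line,
# different chunk boundaries and no space after "k=rsa;".
DNS_RECORD = ('"v=DKIM1; k=rsa;" '
              '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSample'
              'SecondChunkOfTheSameKey=="')


def join_txt_strings(raw):
    """Concatenate every double-quoted string of a TXT record. DNS allows a
    TXT record to be published as several strings that receivers join."""
    return "".join(re.findall(r'"([^"]*)"', raw))


def parse_dkim_tags(raw):
    """Return the tag=value map of a DKIM record. Whitespace inside a value
    carries no meaning in DKIM, so it is removed before comparison."""
    tags = {}
    for part in join_txt_strings(raw).split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def naive_match(file_rec, dns_rec):
    """Byte-for-byte comparison: fails as soon as quoting or spacing differ."""
    return file_rec.strip() == dns_rec.strip()


def records_match(file_rec, dns_rec):
    """True when DNS publishes the same key type and public key as the file,
    however the strings were chunked or spaced."""
    f, d = parse_dkim_tags(file_rec), parse_dkim_tags(dns_rec)
    return f.get("p") == d.get("p") and f.get("k", "rsa") == d.get("k", "rsa")


if __name__ == "__main__":
    print("naive comparison:", naive_match(FILE_RECORD, DNS_RECORD))
    print("normalized comparison:", records_match(FILE_RECORD, DNS_RECORD))
```

A check built this way still catches a genuinely wrong key (a missing or altered character in the pasted p= value) while ignoring the cosmetic differences discussed above.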

I don’t know; all I can say is I used copy / paste. I need exact instructions on how to proceed. In my point of view that must be a bug, as I tried multiple times without success.

Is there a way to recreate a new key without deleting the domain? I don’t want to delete the domain because it contains users with their settings, mail accounts, group memberships and so on. Can maybe the /etc/opendkim/default.txt be deleted or emptied and then a new record be somehow recreated? Or what would you suggest to get a correct DKIM record to copy/paste into the DNS zone?

What does mail-tester.com say about your DKIM signature? IOW, do you actually have the wrong key in your DNS records, or is it just a false positive on Neth’s end?

1 Like

I think it is that.

1 Like

No, but for reasons unrelated to DKIM:

The signature is fine. The problems are (1) empty message, (2) empty subject, and (3) SpamAssassin doesn’t like your TLD.

1 Like

Ok, another test with some text in subject and mailbody:

So is this a bug?

And as a side note: what to do about the unliked TLD? Is it because of the ending .work? It’s a legitimately registered domain…

:man_shrugging:

Much better.

Appears to be–Neth’s validation on this is overly picky, it seems.

Yes, the ending .work is the TLD (top-level domain). And I don’t know that there’s anything you can do about it directly; SpamAssassin apparently has a history of bad experiences with that TLD. One can hope that, with time and good behavior from that TLD, the penalty with SpamAssassin will drop.

IMVHO… no.
This TLD has a bad reputation; you chose it and now you pay the “price”. But you can’t do anything about that, unless you add a different one.

Also, DKIM is considered valid by Mail-Tester…

Ok, I changed the category to bug then. Please tell me if I can provide something to help fix this.

I’m not talking about the .work domain; I can accept that, no problem. But the DKIM thing.

The SpamAssassin penalty for .work isn’t a bug, but Neth marking his DKIM record as invalid is.

1 Like

Try accessing the Mail-Validator link from your computer (my browser requests Italian pages).
Second option for SpamAssassin: the DKIM signature is valid!

Yeah, I know; I posted that output above. That’s my point. The DNS record is valid, it does match the key on the NethServer, but Neth is saying the record is invalid. That’s a bug.

1 Like

I already asked: Is there a way to recreate a new key without deleting the domain? I don’t want to delete the domain because it contains users with their settings, mail accounts, group memberships and so on. Can maybe the /etc/opendkim/default.txt be deleted or emptied and then a new record be somehow recreated? Or what would you suggest to get a correct DKIM record to copy/paste into the DNS zone? Should I just leave it to the devs to have a fix for this? Tell me if I can provide something to locate the problem and fix it. Thank you all for looking into it and confirming the correct DKIM signature in sent mails for this domain.