[ignore error] Question on dkim setup

I have configured dkim, spf and dmarc dns entries, and a receiving mailserver’s rspamd states that dkim verification succeeded (R_DKIM_ALLOW Symbol green with -0.2 score), so everything seems setup correctly. But in nethserver cockpit I see:


What could here be the problem? I copied the dkim entry and created a corresponding TXT record at my provider. The host entry is default._domainkey.ourdomain.com and the rest was pasted from dkim configuration on my nethserver. The .ourdomain.com suffix is created automatically upon saving the new TXT record even if I only want to have default._domainkey, as proposed within nethserver after saving it becomes default._domainkey.ourdomain.com. I asked my provider if it is possible to have it saved without this and they say no.

@devs It would already help to know, if we are using opendkim or rspamd dkim mechanism to debug this. Any idea, what could here be wrong?

You have to configure dkim to your dns provider, there is nothing to do on nethserver.

We use opendkim

Well, I have done that already. I’ll have a look @opendkim configuration then…

I had the same problem once. It turned out I missed 1 character in the DNS settings of my domain registrar. Can you doublecheck if the string in the txt record of your domain registrar DNS settings is EXACTLY the same as the string provided by NethServer?

This much is correct, and your DNS host is exactly right–any records you’d be creating would be within your own ourdomain.com zone. And that’s what DKIM should be looking for, too.

Thanks for confirmation about setting the domainkey the way it should be danb35.

I double-checked, that there is no typo, and even re-copy/pasted it.

Now the strange thing is if I send a mail from my nethserver to my private mailserver, I can see that dkim passes but as in my dns I have set dmarc rule set to strict, it seems incorrect that I see in the mailheader c=relaxed/relaxed which is not what I would expect. Thus I believe there maight be an old configuration active?

How could I uninstall/reinstall opendkim correctly including deleting its configuration, in order to be sure there is no old configuration coming inbetween?

Or I could send a mail, if someone experienced is willing to check the mailheader?

Check out www.mail-tester.com–they do DKIM checks among others.

Thanks, I did test mentioned site and all looks good. Score8.2 of 10, dkim signature valid, passed spf and dmarc too. So I guess, maybe I should ignore the initially mentioned error in nethserver.

-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This rule is automatically applied if your email contains a DKIM signature but other positive rules will also be added if your DKIM signature is valid. See immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Wunderbar! Ihre Signatur ist gültig.
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author’s domain
Großartig! Ihre Signatur ist gültig und sie kommt von der Domain
0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain
-1.985 PYZOR_CHECK Similar message reported on Pyzor (http://pyzor.org)
Testen Sie einen echten Inhalt, Test Newsletter wird immer von Pyzor gekennzeichnet werden
Ihre Nachricht oder Anfrage weißen Listen einstellen (http://public.pyzor.org/whitelist/)

0.001 SPF_PASS SPF: sender matches SPF record
Wunderbar! Ihr SPF-Eintrag ist gültig.

Probably so. But that leaves the question of why it’s showing that error–and I’m not sure I can help there.

I’d love to help, but I don’t see what I could do either. Thanks anyway

this score could make your email goes to junk with suspicious remote SMTP