I've set up dkim-filter on my mail server. I've set up postfix to use dkim-filter as the milter; however, I'm getting the following in my logs:
Jul 7 13:00:29 magni postfix/smtpd[6742]: connect from mail-vw0-f53.google.com[209.85.212.53]
Jul 7 13:00:29 magni postfix/smtpd[6742]: D0F802BC74: client=mail-vw0-f53.google.com[209.85.212.53]
Jul 7 13:00:29 magni postfix/cleanup[6756]: D0F802BC74: message-id=<....-....mail.gmail.com>
Jul 7 13:00:34 magni dkim-filter[7039]: D0F802BC74: key retrieval failed
Why am I getting that, and how can I stop it from happening?
In my experience this also happens if a mail is sent DKIM-signed, but the DNS isn't available or doesn't report the appropriate DKIM key. In order to fix this issue, I added to the bottom of /etc/dkim-filter.conf the line:
On-DNSError accept
Then:
service dkim-filter restart
Environment: Debian Squeeze, postfix, dovecot
The dkim-filter project has been abandoned for over 2 years now. Please use the updated and current opendkim package to provide this functionality. The same author who wrote dkim-filter forked it and it became the opendkim project, except now it has 2 years of bugfixes and enhancements. One of those enhancements was the ar library (asynchronous resolver, i.e. DNS lookups), where multiple of these weird types of "unable to retrieve record" errors have been fixed.
Chances are that your distribution has current opendkim packages available. There is also a very good howto for OpenDKIM & Postfix integration.
Since this is an inbound connection, it means you have misconfigured your dkim filter: it is trying to sign instead of verify the message and cannot obtain the keys.
An addition to Todd Lyons' and Marco Elestra's answers: OpenDKIM can be compiled to do its own DNS resolution (moreover with DNSSEC checking, like in Debian 9). So any firewall blocking outgoing DNS traffic from your mail server (port 53 for both TCP and UDP should be allowed) will impede key retrieval functionality.
Not specifically documented, but search for "resolver" on :
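Added example, not part of any answer above and not code from dkim-filter or OpenDKIM: a verifier fetches the public key as a TXT record at `<selector>._domainkey.<domain>` (RFC 6376), taken from the `s=` and `d=` tags of the message's DKIM-Signature header. This sketch derives that name from a raw message and builds the `dig` commands to run on the mail server over both UDP and TCP, which is the path a firewall on port 53 would break. The sample message, `example.org` and the selector `sel2010` are constructed values.

```python
import email
import re

# Constructed sample message (not taken from the logs above); example.org and
# the selector "sel2010" are made-up values.
SAMPLE = (
    "Received: from mail.example.org by magni\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=example.org; s=sel2010;\r\n"
    "\th=from:to:subject; bh=AAAA; b=BBBB\r\n"
    "From: a@example.org\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace is not significant in d= and s=, so drop it.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_names(raw_message):
    """Return the DNS names a verifier must query, one per DKIM-Signature."""
    msg = email.message_from_string(raw_message)
    names = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if "d" in tags and "s" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def dig_commands(raw_message):
    """Commands to run on the mail server: the same TXT lookup over UDP and TCP."""
    cmds = []
    for name in key_record_names(raw_message):
        cmds.append(f"dig +notcp TXT {name}")
        cmds.append(f"dig +tcp TXT {name}")
    return cmds

if __name__ == "__main__":
    for cmd in dig_commands(SAMPLE):
        print(cmd)
```

If both lookups return the key record from the mail server itself but the filter still logs "key retrieval failed", the problem is in the filter's own resolver configuration and not in the network path.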