I'm setting up a CentOS server with the sendmail MTA to send DKIM-signed mail (sending domain is @brighter.do). I have succeeded in routing mails through the dkim milter; however, they arrive at my GMail account with dkim=fail authentication results and no further information. How do I begin to debug this (besides Googling 'debug failed dkim' and other such related terms)?
I used the config described in these instructions. The only additional config changes I made were adding my app user to /etc/mail/trusted-users, adding EXTRA_FLAGS=-R to /etc/sysconfig/dkim-milter, and switching Canonicalization to relaxed/relaxed (which didn't appear to change anything). I've verified that the key is 2048 bits using ssh-keygen -l -f app1. (It seems that a too-small key can cause GMail to reject a valid DKIM signature, but that doesn't appear to be my problem.)
The contents of my relevant DNS records are:
APP1._DOMAINKEY.BRIGHTER.DO. TXT k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAABAQC3pJ4UJW/KBQ2D6N/6kl37yqJ0F4NcKPGApyHw4wl2zohdOPp8rELvQnRgvmQUMu3hrgicD9W9LbnGx/CzakZAA4RcJk9kI51v+Y8L5j3lZURFC1ZIXoRFgfafyo31XN3rc+V0hNMXUGcxVI09oYtyS+2AuC9cULP4Nu030I3yYFd2NOwmKPY57PU3ybwGKEvuWsB/9PyWC6KVlULlkg7TB
APP1._DOMAINKEY.BRIGHTER.DO. TXT CwbMnGyavwIeoJpNlb1fINdDGWDAJvfTTpMGvIkQAehknbgBqL4IgciWQ/2xw6bMhma7MRJHzZsd7JfbNramQIpsxX6hZUkZja6HpoFJzBi1vbnLcM2n8Xhat/A1Q/F
_DOMAINKEY.BRIGHTER.DO. TXT o=~ [email protected]
The headers I'm getting are:
Delivered-To: [email protected]
Received: by 10.140.42.166 with SMTP id c35csp248278qga;
Wed, 23 Mar 2016 14:10:12 -0700 (PDT)
X-Received: by 10.98.72.213 with SMTP id q82mr7347661pfi.164.1458767412258;
Wed, 23 Mar 2016 14:10:12 -0700 (PDT)
Return-Path: <[email protected]>
Received: from DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM (outbound.brighter.do. [54.201.111.245])
by mx.google.com with ESMTPS id m22si6801929pfi.43.2016.03.23.14.10.12
for <[email protected]>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 23 Mar 2016 14:10:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 54.201.111.245 as permitted sender) client-ip=54.201.111.245;
Authentication-Results: mx.google.com;
dkim=fail [email protected];
spf=pass (google.com: domain of [email protected] designates 54.201.111.245 as permitted sender) [email protected]
Received: from DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM (localhost [127.0.0.1])
by DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM (8.14.4/8.14.4) with ESMTP id u2NLAB8k007870
for <[email protected]>; Wed, 23 Mar 2016 21:10:11 GMT
X-DKIM: Sendmail DKIM Filter v2.8.3 DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM u2NLAB8k007870
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brighter.do; s=app1;
t=1458767411; bh=HiluaVoCYKZyFY1h3gE73EqhCFuKBJzE8SqwhrLX5/c=;
h=Date:Message-Id:To:Subject:MIME-Version:From;
b=RfNNbBaAUNX+y3cdSqb+NkgC8GHa0wd/vV4LC72DQ8jbSWIHfqxZD6Qi3xGtKVnyU
2j9FDAtI7X1B7dsPuFIw9F5m+1YoFuV+/3vCQ/zsXxCoExwml7DrxnYuWI0e5MeKma
3K4T+R/tpNgKYVSU00RNCorLsvyia/fD8+wFTY4ZyoYOTZ4tK6gwcO4loPERiPAAOL
HI11YagXgreCk3efJXanF8Df9ALLmTZMjMLXHHIHnSsypzhtEXYmua+EWQEZzIiVis
paAmh9w8sRfeFww4PraRN7Caxznm51ZUIecdST29xRL276LsEgb5Nsy6TIEJyOov/N
7AilYKXwuotHg==
Received: (from ec2-user@localhost)
by DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM (8.14.4/8.14.4/Submit) id u2NLABrt007869;
Wed, 23 Mar 2016 21:10:11 GMT
Date: Wed, 23 Mar 2016 21:10:11 GMT
Message-Id: <201603232110.u2NLABrt007869@DUALSTACK.PROD-API-478862527.US-WEST-2.ELB.AMAZONAWS.COM>
To: [email protected]
Subject: Test message
X-PHP-Originating-Script: 500:PushComponent.php
MIME-Version: 1.0
From: Brighter <[email protected]>
Note: since I know almost nothing about e-mail admin, it's possible that I'm omitting some key details here. In that event please help me improve the question by mentioning what additional info would be useful - e.g., other config files to include.
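Two things a DKIM verifier does before it ever looks at the signature can be checked offline against the records quoted in the question. First, it looks up the TXT RRset at selector._domainkey.domain and uses one RR, concatenating that RR's character-strings with no separator (RFC 6376 section 3.6.2.2); a key split across two separate RRs, as shown above, is therefore read as two broken records. Second, it base64-decodes the p= tag and expects a DER SubjectPublicKeyInfo, which is what `openssl rsa -pubout` emits and whose base64 begins MIG... or MII.... The p= value above begins AAAAB3NzaC1yc2E, which is the base64 of the ssh-rsa wire-format prefix, i.e. an OpenSSH public key of the kind ssh-keygen writes, not SPKI. The script below is an added example (not from the question, sendmail or dkim-milter): the RRsets are constructed from the question's two records, and the "well-formed" key is a synthetic SPKI header with an all-zero modulus, used only to show the expected shape. `dig +short TXT app1._domainkey.brighter.do` prints each RR on its own line with its strings quoted, which is the quickest way to see which of the two shapes is actually published.

```python
import base64
import binascii

# Sample inputs constructed for this example: each inner list is one TXT RR holding its
# character-strings. AS_PUBLISHED is the shape shown in the question (two RRs);
# AS_ONE_RECORD is the same text published as one RR with two strings.
SELECTOR_NAME = "app1._domainkey.brighter.do."
PART1 = "k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAABAQC3pJ4UJW/KBQ2D6N/6kl37yqJ0F4NcKPGApyHw4wl2zohdOPp8rELvQnRgvmQUMu3hrgicD9W9LbnGx/CzakZAA4RcJk9kI51v+Y8L5j3lZURFC1ZIXoRFgfafyo31XN3rc+V0hNMXUGcxVI09oYtyS+2AuC9cULP4Nu030I3yYFd2NOwmKPY57PU3ybwGKEvuWsB/9PyWC6KVlULlkg7TB"
PART2 = "CwbMnGyavwIeoJpNlb1fINdDGWDAJvfTTpMGvIkQAehknbgBqL4IgciWQ/2xw6bMhma7MRJHzZsd7JfbNramQIpsxX6hZUkZja6HpoFJzBi1vbnLcM2n8Xhat/A1Q/F"
AS_PUBLISHED = [[PART1], [PART2]]       # two separate TXT RRs, as in the question
AS_ONE_RECORD = [[PART1, PART2]]        # one TXT RR with two character-strings

# Synthetic SubjectPublicKeyInfo for a 2048-bit RSA key: SEQUENCE, rsaEncryption OID,
# NULL params, BIT STRING. The modulus bytes are zeros, so this is NOT a usable key.
SPKI_HEADER = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
FAKE_SPKI_KEY = base64.b64encode(SPKI_HEADER + b"\x00" * 270).decode()
GOOD_RECORD = [["v=DKIM1; k=rsa; p=" + FAKE_SPKI_KEY[:200], FAKE_SPKI_KEY[200:]]]

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
SSH_RSA_PREFIX = b"\x00\x00\x00\x07ssh-rsa"         # OpenSSH public-key wire prefix


def join_txt_strings(strings):
    """The character-strings of one TXT RR are concatenated without separators."""
    return "".join(strings)


def parse_dkim_tags(record):
    """RFC 6376 3.2 tag=value list: ';'-separated; whitespace inside values is ignored."""
    tags = {}
    for item in record.split(";"):
        if "=" not in item:
            continue                       # empty trailing item after the last ';'
        name, value = item.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def classify_public_key(p_value):
    """Tell an SPKI DER blob (what DKIM wants) from an OpenSSH key or junk by its prefix."""
    if not p_value:
        return "revoked"                   # empty p= means the key was revoked
    try:
        # Decode only the first 32 chars so a truncated copy can still be classified.
        head = base64.b64decode(p_value[:32], validate=True)
    except binascii.Error:
        return "not-base64"
    if head.startswith(SSH_RSA_PREFIX):
        return "openssh-public-key"
    if head[:1] == b"\x30" and RSA_OID in head:
        return "spki-rsa"
    return "unknown"


def check_selector(rrset):
    """Run the lookup-side checks a verifier implies; returns (key_format, findings)."""
    findings = []
    if len(rrset) != 1:
        findings.append("multiple-txt-records")   # a verifier uses one RR; each must be whole
    for rr in rrset:
        if any(len(s) > 255 for s in rr):
            findings.append("character-string-over-255")
    tags = parse_dkim_tags(join_txt_strings(rrset[0]))
    if "p" not in tags:
        findings.append("missing-p-tag")
        return "none", findings
    if tags.get("k", "rsa") != "rsa":
        findings.append("unsupported-k")
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("bad-v-tag")
    fmt = classify_public_key(tags["p"])
    if fmt != "spki-rsa":
        findings.append("p-is-not-spki-der")
    if len(tags["p"]) % 4:
        findings.append("p-not-whole-base64")     # typical of a cut-off copy and paste
    return fmt, findings


if __name__ == "__main__":
    for label, rrset in (("as published", AS_PUBLISHED),
                         ("one record", AS_ONE_RECORD),
                         ("well formed", GOOD_RECORD)):
        print(f"{SELECTOR_NAME} [{label}] -> {check_selector(rrset)}")
```

Run as published, the checker reports both problems at once: the selector name carries two RRs, and whichever RR a verifier picks, the key it finds is in OpenSSH format rather than SPKI. Fixing only the record split (AS_ONE_RECORD) still leaves "p-is-not-spki-der", so the key needs to be re-exported with `openssl rsa -in app1 -pubout` and published as one RR before dkim=pass is possible.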
I know this question is two months old, but it is a top Google search result for the subject so I figured it deserved an answer.
I don't know what your second and third TXT entries are for. I have DKIM working properly now and I only have a TXT entry similar to your first one.
I followed instructions from Digital Ocean when setting up DKIM on Ubuntu, but it didn't work properly right out of the box. I found this page to be very helpful in debugging my DKIM problem.
To verify that your DNS TXT entry is being read correctly, type the following on the linux command line:
I'm using GoDaddy for DNS and I didn't need the domain name as part of my domain key string. Instead, I just needed the subdomain portion in the name field, as follows:
(I'm using "mail" instead of "app1" to specify my domain key.)
I hope this helps anyone with a similar problem. Once you get DKIM working properly, you'll realize that it's not that confusing. Good luck!
The problem was that you had 3 DNS records instead of one and did not use parentheses.
So now you see you have a single entry with two strings "". When adding DKIM records, remember that one line is 255 characters. I tried to put it all in one line and wondered why DKIM failed in Google. In some web panels you are limited to 255 chars. The trick is to use parentheses. Check that the system is not removing them. Good providers like OVH have a special input option for DKIM records. When you have a look at opendkim and follow the Debian setup guide, you notice the txt files you can use to set the DNS records. They also contain the parentheses.
One more thought: always look in the DMARC report to see which selector is tested. Google, for example, will tell you in the report. I created the DKIM with another selector, I thought.
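The point of this answer in code: a TXT character-string is limited to 255 octets, so a DKIM record longer than that has to be published as one RR made of several strings, and in master-file syntax the parentheses are what let that RR span several lines. This is an added example, not from the answer or from opendkim's generated files; the record value is a constructed placeholder of the length a 2048-bit SPKI key produces, not a real key. The reader at the end is deliberately minimal, but it shows the effect described above: the same text becomes one RR with two strings when the parentheses survive and two RRs when a panel strips them.

```python
import re

MAX_CHARACTER_STRING = 255   # RFC 1035 limit on one TXT <character-string>

# Placeholder record constructed for this example: real tag layout, but the p= value is
# 392 filler characters (the length a 2048-bit SPKI key produces), not real key material.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "A" * 360


def split_txt_value(value, limit=MAX_CHARACTER_STRING):
    """Chop a TXT value into <=255-byte strings; a resolver concatenates them back."""
    if not value.isascii() or '"' in value or "\\" in value:
        raise ValueError("expected a plain-ASCII DKIM record without quotes or backslashes")
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def to_zone_file(owner, value, ttl=3600):
    """Render one TXT RR in master-file syntax; the parentheses make it a multi-line RR."""
    quoted = "\n".join(f'    "{s}"' for s in split_txt_value(value))
    return f"{owner} {ttl} IN TXT (\n{quoted}\n)"


def parse_txt_rrs(zone_text):
    """Minimal master-file reader for TXT RRs: text inside '(' ... ')' is one RR.

    Returns a list of RRs, each a list of its quoted character-strings.
    """
    rrs, depth, buf = [], 0, ""
    for line in zone_text.splitlines():
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0 and buf.strip():
            strings = re.findall(r'"([^"]*)"', buf)
            if strings:
                rrs.append(strings)
            buf = ""
    return rrs


def verify_round_trip(owner, value):
    """(ok, string_count): ok when the rendered RR reassembles to value within limits."""
    rrs = parse_txt_rrs(to_zone_file(owner, value))
    if len(rrs) != 1:
        return False, 0
    strings = rrs[0]
    fits = all(len(s) <= MAX_CHARACTER_STRING for s in strings)
    return "".join(strings) == value and fits, len(strings)


if __name__ == "__main__":
    owner = "app1._domainkey.brighter.do."
    zone = to_zone_file(owner, SAMPLE_RECORD)
    print(zone)
    print("with parentheses:   ", len(parse_txt_rrs(zone)), "RR(s)")
    stripped = zone.replace("(", "").replace(")", "")
    print("parentheses removed:", len(parse_txt_rrs(stripped)), "RR(s)")
    print("round trip:", verify_round_trip(owner, SAMPLE_RECORD))
```

If your provider's panel accepts the parenthesised form, paste the whole RR; if it only offers a single value field, enter the chopped strings as multiple values of one record rather than creating a second record, since only the first form makes a verifier see the complete key.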