My DKIM verification keeps failing, and I can't figure out why. It's signed though, but wrong.
When I check domain and selector it turns out as valid, so problem is with signing.
Here is a dump of one test email:
============================================================================
This is SPF/DKIM/DMARC/RBL report generated by a test tool provided
by AdminSystem Software Limited.
Any problem, please contact [email protected]
============================================================================
Report-Id: a511e572
Sender: [email protected]
Source-IP: 11.22.33.44
============================================================================
Original email header:
x-sender: [email protected]
x-receiver: [email protected]
Received: from host1.example.biz ([11.22.33.44]) by appmaildev.com with Microsoft SMTPSVC(8.5.9600.16384);
Wed, 25 Jan 2017 07:25:09 +0000
Received: from host1.example.biz (localhost [127.0.0.1])
by host1.example.biz (Postfix) with SMTP id DB0A3164364
for <[email protected]>; Wed, 25 Jan 2017 08:25:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
s=2016; t=1485329108;
bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
h=From:Subject:To:Date:From;
b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
6rQnOaNhmvSaQ==
From: "dule" <[email protected]>
Subject: d
To: [email protected]
Message-Id: <[email protected]>
X-Mailer: Usermin 1.690
Date: Wed, 25 Jan 2017 08:25:08 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound1485329108"
Return-Path: [email protected]
X-OriginalArrivalTime: 25 Jan 2017 07:25:09.0615 (UTC) FILETIME=[28C68FF0:01D276DC]
============================================================================
SPF: Pass
============================================================================
SPF-Record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Sender-IP:11.22.33.44
Sender-Domain:example.com
Query TEXT record from DNS server for: example.com
[TXT]: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Parsing SPF record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Mechanisms: v=spf1
Mechanisms: mx
Testing mechanism mx
Query MX record from DNS server for: example.com
[MX]: mail.example.com
Testing mechanism A:mail.example.com/128
Query A record from DNS server for: mail.example.com
[A]: 11.22.33.44
Testing CIDR: source=11.22.33.44; 11.22.33.44/128
mx hit, Qualifier: +
============================================================================
DKIM: fail
============================================================================
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
s=2016; t=1485329108;
bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
h=From:Subject:To:Date:From;
b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
6rQnOaNhmvSaQ==
Signed-by: [email protected]
Expected-Body-Hash: GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=
Public-Key: v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9jrAe+o1L/g0pQefC4AdVPmN2gS2ODghLhfzir0xKTBLl3U+2X33DCStxvHdaLJZYVlKu9PDwr5yXvX4izX5ZnM/gEIm2p3ij0ykQu7Phz6GUvBoozLGPM2876dEVuMZ/aZgqoC4BU8dXGIlif4mqyo6pM76gPwbcj9e98nY+NKJAdKpJV5fMO94wXZ/DjNjI4Sr6bWxrBOZZyh5Am9T/lbOgjjU26ejiroSw//MdXDNGBBp44llHSWEWuUfxamDHaR83UGqhV2gWLpJyrbJtp3Ic8nwuWc0Ko1fR7wbg+HW5OdF9WMf0Id2qTbKQlOSAzbz82Qh5Nj2RCBdBJ1hwIDAQAB;
DKIM-Result: fail (bad signature)
Here is a dump of opendkim.conf
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2016
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
#ADSPAction continue
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
#ATPSDomains example.com
#SigningTable refile:/etc/dkim-signingtable
#KeyTable /etc/dkim-keytable
Actually it appears that above configuration and keys are OK, problem could have been with various tools for DKIM validation and google, that they are picking DNS changes with a delay.
I suggest doing DKIM tests 48hrs after you configure server.