
Email DKIM issues

Discussion in 'Domains, DNS, Email & SSL Certificates' started by SFLC, Dec 20, 2016.

  1. SFLC

    SFLC Active Member

    I have an issue.

    I keep getting
    DKIM: UNKNOWN with domain null
    in message sources when looking at them in Gmail.

    I've tried to make a few changes to Postfix's main.cf but it doesn't resolve it. No matter what website I use to check my SPF, DMARC and DKIM, it says everything is valid. My emails aren't going into junk mailboxes for the most part, but I'm hoping someone here may have experience in dealing with this.

    This only started recently and everything was fine before, so I'm not sure what happened.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Maybe you messed up the changes? Hard to know.

    Unfortunately, you'd be on your own. You could try a new test VPS install and try sending emails with no other manual Postfix edits and see if you get the same problem. Then compare Postfix configurations and diagnose.
     
  3. SFLC

    It was just a change to myorigin and mydomain and they're back to the way they were. DKIM is so flaky from the looks of it.

    In your experience, how important is DKIM anyway?
     
  4. eva2000

  5. SFLC

    Well, that's interesting. Resolved it by adding 2nd DMARC and DKIM keys (dupes of the first ones) with .blahblah (first part of my hostname) in DNS, then copied the keys from OpenDKIM into a new directory and edited the default.txt to reflect the name, and restarted opendkim.

    I'm glad it's resolved, but it's definitely flaky.
     
  6. eva2000

    Interesting solution!
     
  7. SFLC

    Strange though, back-to-back emails from the command line, 50% rate of DMARC failure :cautious:, which to me doesn't even make any sense.

    I wonder if there are any bugs in OpenDKIM.
     
  8. eva2000

    Best way to rule it out is you could try a new test VPS install and try sending emails with no other manual Postfix edits and see if you get the same problem. Then compare Postfix configurations and diagnose.
     
  9. SFLC

    I'll definitely try that out, thanks for your help. If I can get something working and can guarantee it through results, I'll write a guide for it and post it on this forum. This subject has been hard for me to grasp and I'm sure others might be or will be in the same boat at some point.
     
  10. eva2000

    Well, with any learning, practice and more practice is key :D

    And you learn more from making mistakes and learning from them ;)
     
  11. MaximilianKohler

    MaximilianKohler Member

    Not sure if I should create a new thread for this, but after switching to Alma9 I've been having an issue where DKIM works when I first set it up and then stops working.

    I checked all the troubleshooting steps here https://community.centminmod.com/threads/dkim-issues-for-mydomain-com.10680/#post-45676. The only thing I see that may be off is that "cat /etc/opendkim/TrustedHosts" doesn't have my server's IPv4 and IPv6 IPs. But I'm not sure that they're even supposed to be in there, and it does have my "main.hostname.com".

    I ran
    Code:
    /usr/local/src/centminmod/addons/opendkim.sh clean
    and it was working, and now it's not. I haven't changed anything.

    I ran:
    Code:
    systemctl restart NetworkManager.service
    systemctl restart postfix.service
    
    Then the DKIM test email again, and it didn't change anything.
     
    Last edited: Jul 24, 2024
  12. eva2000

  13. MaximilianKohler

    I'm testing it with the command here
    https://community.centminmod.com/threads/automated-dkim-setup-with-opendkim.7011/.
    Code:
    echo "dkim test today `date`" | mail -s "dkim test `date`" email@domain.com
    Sending to a gmail address, and checking the headers in the "Show original" page.

    I'm also routing my emails through cloudflare.
    Code:
    https://dash.cloudflare.com/xxx/domain.com/email/routing/overview
    SPF status
    pass
    DMARC status
    pass
    DKIM status
    none
    
    Yes, they're not proxied.
     
  14. eva2000

    If you're routing emails through Cloudflare, do they have their own DKIM/SPF separate from the Centmin Mod server's?
     
  15. MaximilianKohler

    The ones that come "from Cloudflare to my gmail" are fully authed with DKIM. The ones from my server to Cloudflare are the ones shown at
    Code:
    https://dash.cloudflare.com/xxx/domain.com/email/routing/overview
    , and do not have DKIM.
     
  16. eva2000

    Yeah, you wouldn't have DKIM with emails routed from Cloudflare as it's only incoming emails and not outbound. The Centmin Mod DKIM at https://community.centminmod.com/threads/automated-dkim-setup-with-opendkim.7011/ is only for emails sent from the server, which is evaluated on the server's main hostname DNS records from Getting Started Guide step 1 (Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS, AlmaLinux, Rocky Linux), as outlined at https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/
     
  17. MaximilianKohler

    Yes, I know that. I don't think you're understanding the issue. I am only referring to the emails my server is sending from my main hostname, which is not proxied by Cloudflare, etc. You can ignore the whole
    Code:
    https://dash.cloudflare.com/xxx/domain.com/email/routing/overview
    thing if you're not familiar with it. It simply gives me a way to see if my server emails are passing SPF, DKIM, and DMARC without using something like Gmail's headers in the "Show original" page.

    Cloudflare applies its own signing with DKIM, etc. when it forwards my server emails to my Gmail. The issue is my "server emails TO Cloudflare/anywhere" are not being DKIM signed.

    As I said, it works normally when I first set it up via
    Code:
    /usr/local/src/centminmod/addons/opendkim.sh clean
    then it stops at some point without me changing anything.
     
  18. eva2000

    After the server sends emails, check the server mail log for clues at /var/log/maillog
     
  19. MaximilianKohler

    Well, I see that Cloudflare is now rejecting my emails due to lack of DKIM. I also see
    Code:
    Jul 24 19:42:38 hostname postfix/cleanup[142544]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
    The result of the DKIM test command is:
    Code:
    Jul 24 19:42:38 <hostname> postfix/pickup[141764]: 9EF2E9FEED: uid=0 from=<root>
    Jul 24 19:42:38 <hostname> postfix/cleanup[142544]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
    
    Jul 24 19:42:38 <hostname> postfix/cleanup[142544]: 9EF2E9FEED: message-id=<20240725024238.9EF2E9FEED@<hostname>.domain.com>
    
    Jul 24 19:42:38 <hostname> postfix/qmgr[98784]: 9EF2E9FEED: from=<root@<hostname>.domain.com>, size=519, nrcpt=1 (queue active)
    
    Jul 24 19:42:38 <hostname> postfix/smtp[142379]: Trusted TLS connection established to gmail-smtp-in.l.google.com[<IP>]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
    
    Jul 24 19:42:39 <hostname> postfix/smtp[142379]: 9EF2E9FEED: to=<xxx@gmail.com>, relay=gmail-smtp-in.l.google.com[<IP>]:25, delay=0.41, delays=0.02/0/0.13/0.25, dsn=2.0.0, status=sent (250 2.0.0 OK  1721875359 4fb4d7f45d1cf-5ac64faf9e6si335670a12.290 - gsmtp)
    
    Jul 24 19:42:39 <hostname> postfix/qmgr[98784]: 9EF2E9FEED: removed
    
    I did a search for "warning: connect to Milter service inet" and found this, which informed me to run
    Code:
    service opendkim status
    
    Which I did and see that opendkim isn't running.
    Code:
    service opendkim status
    Redirecting to /bin/systemctl status opendkim.service
    ○ opendkim.service - DomainKeys Identified Mail (DKIM) Milter
         Loaded: loaded (/usr/lib/systemd/system/opendkim.service; disabled; preset: disabled)
         Active: inactive (dead)
           Docs: man:opendkim(8)
                 man:opendkim.conf(5)
                 man:opendkim-genkey(8)
                 man:opendkim-genzone(8)
                 man:opendkim-testadsp(8)
                 man:opendkim-testkey
                 http://www.opendkim.org/docs.html
    
    So it appears to be an issue with the openDKIM service not being set to automatically start.

    I haven't messed with it further because presumably the DKIM script should be setting that up.
     
  20. eva2000

    Did you reboot the server between DKIM working and not working?

    Try enabling startup on reboot, start the service and check status:
    Code (Text):
    systemctl enable opendkim
    systemctl start opendkim
    systemctl status opendkim --no-pager
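
The failure pattern from the maillog in this thread, turned into a log check. This is an added example, not part of the original posts or of Centmin Mod's scripts: it lists queue IDs that Postfix delivered after its cleanup process logged a refused connection to the OpenDKIM milter, which means they went out without a DKIM signature. It assumes the syslog line layout shown in the thread; the function names and the sample lines (host names, recipient, second queue ID) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list mail that was delivered after
# Postfix failed to reach the OpenDKIM milter, i.e. mail sent unsigned.

# Constructed sample modelled on the maillog lines in the thread; the host
# names, recipient and the second queue ID are made up.
sample_maillog() {
cat <<'EOF'
Jul 24 19:42:38 host postfix/pickup[141764]: 9EF2E9FEED: uid=0 from=<root>
Jul 24 19:42:38 host postfix/cleanup[142544]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jul 24 19:42:38 host postfix/cleanup[142544]: 9EF2E9FEED: message-id=<20240725024238.9EF2E9FEED@host.example.com>
Jul 24 19:42:39 host postfix/smtp[142379]: 9EF2E9FEED: to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.41, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 24 19:50:01 host postfix/pickup[141764]: 1A2B3C4D5E: uid=0 from=<root>
Jul 24 19:50:01 host postfix/cleanup[142544]: 1A2B3C4D5E: message-id=<20240725025001.1A2B3C4D5E@host.example.com>
Jul 24 19:50:02 host postfix/smtp[142379]: 1A2B3C4D5E: to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.40, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
}

# Reads maillog text on stdin and prints "QUEUEID recipient" per affected message.
unsigned_sent() {
    awk '
    # Return the text matched by re without its first head and last tail chars.
    function grab(re, head, tail) {
        if (!match($0, re)) return ""
        return substr($0, RSTART + head, RLENGTH - head - tail)
    }
    # A cleanup process could not connect to the milter: remember its PID.
    /postfix\/cleanup\[[0-9]+\]: warning: connect to Milter service .*Connection refused/ {
        refused[grab("cleanup\\[[0-9]+\\]", 8, 1)] = 1
        next
    }
    # The next message-id line from that PID names the queue ID left unsigned.
    /postfix\/cleanup\[[0-9]+\]: [0-9A-F]+: message-id=/ {
        pid = grab("cleanup\\[[0-9]+\\]", 8, 1)
        if (pid in refused) {
            unsigned[grab("\\]: [0-9A-F]+: ", 3, 2)] = 1
            delete refused[pid]
        }
        next
    }
    # Report the message once it is actually handed to a remote server.
    /postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=<.*status=sent/ {
        qid = grab("\\]: [0-9A-F]+: ", 3, 2)
        if (qid in unsigned) print qid, grab("to=<[^>]*>", 4, 1)
    }'
}

sample_maillog | unsigned_sent   # demo run on the constructed sample
```

On a live server, run `unsigned_sent < /var/log/maillog`. Delivery continuing after a refused milter connection, as in the thread's log, is consistent with Postfix's `milter_default_action` being set to `accept`; that parameter's default is `tempfail`.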