
DKIM Troubleshooting

Jannick Fahlbusch edited this page Mar 1, 2016 · 10 revisions

Check DKIM DNS Host entry

host -t TXT yourselektor._domainkey.yourdomain.tld

If successful, you should see your DKIM key record, like this:

default._domainkey.company.de descriptive text "v=DKIM1\; k=rsa\; t=s\; p=..."
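As an added example (not part of the original page), a small Python checker that takes the line printed by host, unescapes it and reports the common problems a verifier would trip over (missing or revoked p=, bad base64, t=y testing mode). The host output line and the key bytes below are constructed placeholders, not a real key.

```python
"""Parse and sanity-check a DKIM DNS TXT record as printed by `host -t TXT`."""
import base64
import re

# Constructed sample of `host -t TXT default._domainkey.example.com` output.
# The p= value is a hypothetical placeholder, not a real public key.
SAMPLE_HOST_OUTPUT = (
    'default._domainkey.example.com descriptive text '
    '"v=DKIM1\\; k=rsa\\; t=s\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"'
)

def extract_txt(host_line):
    """Pull the TXT payload out of a `host` output line. `host` escapes ';'
    as '\\;' and may split long records into several quoted strings."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', host_line)
    if not parts:
        raise ValueError("no quoted TXT string found")
    return "".join(parts).replace("\\;", ";")

def parse_dkim_record(txt):
    """Split a DKIM record into tag=value pairs (RFC 6376, section 3.6.1)."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % field)
        tags[name.strip()] = value.strip()
    return tags

def check_dkim_record(txt):
    """Return a list of problems; an empty list means the record looks usable."""
    problems = []
    tags = parse_dkim_record(txt)
    # v= is optional, but if present it must be DKIM1 and be the first tag.
    if "v" in tags and (tags["v"] != "DKIM1" or not txt.lstrip().startswith("v=")):
        problems.append("v= must be 'DKIM1' and come first")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=%s" % tags["k"])
    if "p" not in tags:
        problems.append("missing p= public key tag")
    elif tags["p"] == "":
        problems.append("empty p=: key has been revoked")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
        else:
            if not der or der[0] != 0x30:  # DER SEQUENCE of SubjectPublicKeyInfo
                problems.append("p= does not look like a DER public key")
    if "t" in tags and "y" in tags["t"].split(":"):
        problems.append("t=y: testing mode, verifiers will not enforce failures")
    return problems
```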

Check DKIM signing

opendkim-testkey -d yourdomain.tld -s yourselektor -vvv

yourselektor is normally default.

-vvv enables detailed verbose output.

Errors / Firewall

You need to allow outbound port 53 (DNS) through your firewall so the DKIM keys can be retrieved. If you get errors like "key retrieval failed" or "query timed out", check that this port is open.

Thunderbird DKIM Verifier AddOn

For Thunderbird there is an add-on called "DKIM Verifier" by Philippe Lieser. With it you can verify that your DKIM signature is correctly added to outgoing mails. You can find the add-on here; the source is on GitHub.

Config

I also added some more options to my /etc/opendkim/opendkim.conf. These were taken from here.

Syslog              yes
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
Canonicalization    relaxed/relaxed

LogResults      yes
LogWhy          yes
SyslogSuccess   yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           002
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID          opendkim

# Hosts to ignore when verifying signatures
#ExternalIgnoreList  /etc/opendkim/trusted.hosts
#InternalHosts       /etc/opendkim/trusted.hosts

# Commonly-used options; the commented-out versions show the defaults.
# Note: Canonicalization is also set to relaxed/relaxed above; keep only one
# of the two lines so it is unambiguous which setting is in effect.
Canonicalization    relaxed/simple
Mode            sv
SubDomains      no
#ADSPAction     continue
AutoRestart     yes
AutoRestartRate     10/1M
Background      yes
DNSTimeout      5
SignatureAlgorithm  rsa-sha256

# Always oversign From (sign using actual From and a null From) to prevent
# malicious signature header fields (From and/or others) being added between
# the signer and the verifier.  From is oversigned by default in the Debian
# package because it is often the identity key used by reputation systems and
# thus somewhat security sensitive.
OversignHeaders     From

I commented out the hosts-to-ignore part, but if you want to use it, the file trusted.hosts needs to look like this:

127.0.0.1
::1
localhost
yourhostname
yourhostname.yourdomain.tld
yourdomain.tld