Astaro User Bulletin Board
  #1 (permalink)  
Old 07-14-2008, 07:37 PM
fobe's Avatar
Wizard
 
Join Date: Dec 2001
Posts: 511
Question [7.250] How to make DKIM working? [NOTABUG]

Hi all,
I'm testing the DKIM-feature and it's appended to my emails but for some reason it's not working too well. I'll show what I did & how I configured ASG, so maybe you'll see what I'm doing wrong (or not ):

01) made the private key with "openssl genrsa -out rsa.private 1024"
02) made the public key with "openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM"
03) Made in my nameserver the entry: dkim._domainkey.mydomain.com TXT k=rsa;t=y;p= {output rsa.public}
04) Go to E-mail security and the Advanced-tab filled in Private Key RSA the output of rsa.private (step 01).
05) at selector: dkim._domainkey
06) at Domains: mydomain.com
07) apply

Wait a few moments so the DNS-servers will be updated. When I now send an e-mail the DKIM-signature is added. But when I send a test e-mail to "dkim-test@testing.dkim.org" I get the following error:

testing.dkim.org; v=0.1; dkim=fail, header.i=@mydomain.com (
DNS lookup for mydomain.com/dkim._domainkey failed; mydomain
.com/dkim._domainkey fail; );
ssp=neutral, header.From=me@domain.com

So for some reason the dns-lookup fails. I also waited longer so I know for sure that the nameservers are updated (like 2 hours, I know nameservers are updated in 2 days globally).

Has someone a clue what I'm doing wrong? Any help is welcome
  #2 (permalink)  
Old 07-14-2008, 08:12 PM
tom's Avatar
Super Moderator
 
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,231
Default

Quote:
Originally Posted by fobe View Post
03) Made in my nameserver the entry: dkim._domainkey.mydomain.com TXT k=rsa;t=y;p= {output rsa.public}
This should be

dkim._domainkey.mydomain.com. TXT "v=DKIM1; p={output rsa.public}"

Note the additional dot at the end of the record name. Alternatively:

dkim._domainkey TXT "v=DKIM1; p={output rsa.public}"

This time without the dot ...

Quote:
Originally Posted by fobe View Post
05) at selector: dkim._domainkey
This should be just "dkim", the "_domainkey" namespace is not part of the selector string.

Quote:
Originally Posted by fobe View Post
Wait a few moments so the DNS-servers will be updated.
This depends on several factors, the most important one being the TTL you set as default for your zone or a specific TTL for the TXT record. The standard value is 86400 seconds (one day). Negative (NXDOMAIN) caching on remote sites is usually two hours.
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
  #3 (permalink)  
Old 07-14-2008, 08:40 PM
fobe's Avatar
Wizard
 
Join Date: Dec 2001
Posts: 511
Default

Hi Tom,
the "dkim._domainkey" instead of "dkim" was the misconfiguration in the Selector-option!!! And also my record has the "dot" at the end of my record.

Thanks for the help!!!!
  #4 (permalink)  
Old 09-10-2008, 06:41 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,389
Question "in ascii armor"

This is a term of art that is somewhat confusing. I presume that it means "complete with the beginning header, ending footer and the carriage returns in the text."

I also presume that the nameserver TXT record is "stripped of its ascii armor including the carriage returns."

Thanks - Bob

PS This is an example of the type of information that is missing in the Astaro documentation - "cheat sheets" that give a quick, clear recipe for specific applications like turning on and using DKIM.
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
  #5 (permalink)  
Old 09-15-2008, 08:42 AM
Member
 
Join Date: Sep 2008
Posts: 77
Default

I'm also puzzled by this terminology.

Can we please get some confirmation that we should put the entire contents of the private key file that openssl has created? I.e., "in ascii armor" means with the "-----BEGIN RSA PRIVATE KEY-----" followed by the key itself, complete with carriage returns and ending with "-----END RSA PRIVATE KEY-----".
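Added example, not part of the original thread and not Astaro's code: a small pre-publication check for the DNS side of the setup discussed above. It shows the name a verifier queries for a given selector (RFC 6376: selector, then "_domainkey", then the domain), which is why a selector of "dkim._domainkey" ends in a failed lookup, and it builds the TXT record in the form given in post #2 with the PEM armor lines and line breaks stripped from the public key. The function names are hypothetical and the key body is constructed filler, not a real key.

```python
import base64
import re

LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

# Constructed sample: filler base64 ("ABC" repeated), not a real RSA key.
_BODY = "QUJD" * 20
SAMPLE_PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\n" + _BODY[:64] + "\n"
                     + _BODY[64:] + "\n-----END PUBLIC KEY-----\n")

def query_name(selector, domain):
    """DNS name a verifier looks up: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".lower()

def selector_problems(selector):
    """Return a list of reasons the selector string is misconfigured."""
    problems = []
    for label in selector.split("."):
        if label.lower() == "_domainkey":
            problems.append("'_domainkey' is appended by the verifier; "
                            "it is not part of the selector")
        elif not LABEL.fullmatch(label):
            problems.append(f"invalid selector label {label!r}")
    return problems

def pem_to_p(public_pem):
    """Strip the BEGIN/END armor and line breaks; return the p= value."""
    if "PRIVATE KEY" in public_pem:
        raise ValueError("refusing to publish: this is a private key")
    lines = [ln.strip() for ln in public_pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises ValueError if damaged
    return body

def txt_record(selector, domain, public_pem):
    """Return (fully qualified record name, quoted TXT value)."""
    problems = selector_problems(selector)
    if problems:
        raise ValueError("; ".join(problems))
    return query_name(selector, domain) + ".", f'"v=DKIM1; p={pem_to_p(public_pem)}"'

if __name__ == "__main__":
    # Selector as first configured in post #1: the lookup name gets "_domainkey" twice.
    print(query_name("dkim._domainkey", "mydomain.com"))
    # Selector as corrected in post #2.
    print(*txt_record("dkim", "mydomain.com", SAMPLE_PUBLIC_PEM), sep=" TXT ")
```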
 

All times are GMT.

 
