DKIM not working / New Install / Deb 11

beatkamp

Hello,
I have a new install of Deb 11 with DirectAdmin at Contabo. I followed the following guide to get DKIM working:

I see the keys were generated and the DNS records contain the DKIM records. I restarted DirectAdmin and
Exim, i.e. everything seems to be correct.

No DKIM is added to emails.

Had a look at the following help thread and it was not able to get me going:


Does anyone know if there is another guide somewhere I should be reading?
 
If you are using Contabo DNS, you must add the domain name in your Contabo panel (in DNS Zone Management)
Once the domain is added, it will create the record zones except SPF and DKIM which you have to add manually (just copy the ones you have in DA)
 
Thank you. Very helpful.

My DNS records at Contabo were completely missing this and I was missing the knowledge that it was needed.

I have updated the DNS at Contabo (my host) with the missing SPF & DKIM.

It's not yet working but I have a TTL of 86400 on everything there. I assume that these new DNS TXT entries must dissipate before I start to see DKIM tags on my server's emails?
 
I am sending myself test emails using servername.com/roudcube utility. Still not seeing any DKIM tags yet. Perhaps too soon? I really don't know.

This utility is showing "Congratulations! Your DKIM record is valid.":

 
The following test utility also shows SPF and DKIM records correctly.


I am running a standard (non-custom) DirectAdmin. Now I begin to wonder if I borked something running the
various script suggestions in the DKIM posts here on this forum.

Perhaps I have an issue with EXIM?

Running:

DirectAdmin 1.643
Exim 4.96
Dovecot 2.3.19.1

/etc/exim.conf Version 4.5.42 (edited to say conf not con)
 
Done. Thank you for the help!

I will leave some time now for propagation. The SPF's being good has most of my clients happy.

I will report back to this thread on progress or lack of.
 
Ok, so I have waited a good amount of time and the mails off my server are still not getting tagged with DKIM.

Would anyone be kind enough to suggest where I could check for error messages?

The DNS is tagged, the feature is enabled so this is likely to be a config error on my part.

I graciously await any comment or suggestion.
 
and the mails off my server are still not getting tagged with DKIM.
Mails from server hostname or from domain?

If it's from domain and you have copied the SPF and DKIM records in the Contabo DNS (if you use that one as nameserver).

Did you check if they get signed but only error appears or something, because I read this:
If external DNS is used, the DKIM TXT records must be copied over to the remote DNS, else the outbound emails will be signed but will fail since the DNS checks will fail,
You should be able to see that in the headers.

If all that is correct, maybe you can best send in a ticket.
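
The header check suggested above, as an added example that is not part of the original posts: it reads a received test message and separates "not signed at all" (a signing problem on the server) from "signed, but the receiver's DKIM check did not pass" (the external-DNS case quoted above). The sample messages, example.com and mx.example.net are constructed; the selector x is the one mentioned in this thread.

```python
import email
import re
from email import policy

def parse_tags(value):
    """Split a DKIM tag list ('v=1; a=rsa-sha256; d=...') into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")   # first '=' only: base64 keeps its padding
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_status(raw_message):
    """Classify a received message as unsigned, signed, or signed-but-failing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signatures = msg.get_all("DKIM-Signature", [])
    if not signatures:
        # No signature header: the sending MTA never signed, DNS is not involved yet.
        return {"state": "unsigned", "dns_names": [], "verdict": None}
    names = []
    for sig in signatures:
        tags = parse_tags(str(sig))
        # The receiver fetches the public key from <selector>._domainkey.<domain>.
        names.append(f"{tags.get('s', '?')}._domainkey.{tags.get('d', '?')}")
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    match = re.search(r"\bdkim=(\w+)", results)
    verdict = match.group(1).lower() if match else None
    state = "signed-but-failing" if verdict not in (None, "pass") else "signed"
    return {"state": state, "dns_names": names, "verdict": verdict}

# Constructed sample: what the original poster describes (no DKIM header at all).
UNSIGNED = "From: a@example.com\nTo: b@example.net\nSubject: test\n\nbody\n"

# Constructed sample: signed with selector x, but the receiver could not verify it.
SIGNED_FAILING = (
    "Authentication-Results: mx.example.net; dkim=fail header.d=example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=x; h=From:To:Subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n"
    "From: a@example.com\nTo: b@example.net\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED), ("signed", SIGNED_FAILING)):
        print(label, dkim_status(raw))
```

Save the full source of a test mail from the receiving mailbox and pass its text to `dkim_status`; an `unsigned` result means the DNS records are not yet the thing to debug.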
 
If I understand what I am doing, it is from the domain.

The Contabo DNS has the SPF and DKIM records. The SPF checks out ok.

Which log would I check to see an error message?
 
Update:

So I went back to the online documents here and tried to retrace my install:

Executed:

cd /usr/local/directadmin/custombuild
./build update
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5
./build set spamassassin yes
./build update
./build exim
./build exim_conf

Then I turn on DKIM:

cd /usr/local/directadmin
./directadmin set dkim 2 restart

Next, I toggled DKIM from Enabled to Disabled back to Enabled at the User level.

Then immediately I get the message:

New Message: The service 'spamd' on server is down

All email services are now stopped. Wups!!! What did I do? No idea. Stay calm...

I get to this guide for SpamAssassin:

Execute:
cd /usr/local/directadmin/custombuild
./build set spamd spamassassin
./build spamassassin

Email services are now restored, back to where I was before. Phew! Scary.

The "User" level config "E-Mail Accounts" shows "DKIM is enabled"

Yet, no DKIM tags on outgoing email from my server.

/var/log/exim/mainlog shows no failures as far as I can see.
Test emails from RoundCube on the server and a remote device.

There must yet be something I am missing.
 
Then I turn on DKIM:
cd /usr/local/directadmin
./directadmin set dkim 2 restart

That's the wrong order.
First enable DKIM, then rebuild Exim and configuration.
Can you do this part again? I also added two which is possibly not needed, but just added to be sure:

cd /usr/local/directadmin/custombuild
./build clean
./build update
./build set dovecot_conf yes
./build dovecot
./build dovecot_conf
./build exim
./build exim_conf

Then check again.

Also to be sure. In the link you posted on the bottom, it says there need to be some exim.conf changes. I hope you did not do those, because they are not needed anymore.

Check if you have these files:
/etc/exim.dkim.conf
/etc/exim_dh.pem

The "User" level config "E-Mail Accounts" shows "DKIM is enabled"
That's good, also check the DNS of that domain on the DA server if the DKIM key is present there too and the same as on the Contabo DNS on the domain. I presume yes, but just to be sure we don't forget anything.

DNS can afterwards be checked with this tool:
Selector: x

If still no DKIM, then best is to send in a ticket, I can't find anything wrong. As far as I can see you did everything.
 
Hello and thank you for all of the help.

I carefully repeated the process, as described, with your suggested mods, and kept a watch on the
DKIM config and keys as I went through the steps.

The keys all disappear when I disabled DKIM via "E-mail Accounts" page.

They then re-appear, as expected, when I build exim, etc., again.

Afterwards, everything appears to be in place. The server is fully functional in all ways
except no DKIM tags on outgoing mail.

The DKIM checkers all report valid DKIM records. This makes sense as they are dangling
off the Contabo DNS. Similarly, the DKIM keys are present everywhere on the server where
I expected them to be.

Ok, so I am stumped.

Will raise a ticket and report back to this thread at the conclusion.

Kind regards, Kenny.
 
I have a ticket raised now under low priority. Will keep this thread updated.

Perhaps this will help other sysops.
 
Ok, my licence does not include support. I can switch it to a monthly thing that does. That is fair enough and understandable.

Will first, out of pride, try to figure this out on my own and keep this thread updated.

Evidence:
- everyone else seems to be fine

Conclusion:
- something buggy is there in my configuration

Generally, I try to learn as little as possible and bang through configs, etc using the guides here.
This lazy approach has worked well for a very long time. In this case, I have to
actually take some time to understand what is happening.

This thread here looks helpful:

Thus far, my entire existence on this forum has had the theme "someone help me please".
Perhaps I will be able to contribute something going forward.

This is a minor problem as my server is, otherwise, fully operational.
 
So, I had given up on this for a time. No emails have ever been tagged with DKIM outgoing from my server. I gave up on getting this working but now it's a real problem.

At this point I am up to:
exim.conf v 4.5.50
exim v4.98

I am going to bang through the install guides again. No outgoing email has ever been DKIM signed, ever, thus far.
 
Following this guide, again:

Turn it on in DirectAdmin:
da config-set dkim 2
systemctl restart directadmin

Enable it in the exim configs and Exim:
da build exim
da build eximconf

I have tried to toggle DKIM Disabled. DKIM Enabled in the DirectAdmin control panel.
No change. No DKIM tags on the outgoing email.

I use an external DNS. All my DKIM stuff is there. So far this is irrelevant as outgoing emails
are not tagged at all.

I do not use a custom exim.conf, I have just followed the guide posted here.
 
The permissions on my dkim.private.key and dkim.public.key are:

-rw------- (600)

I wonder if this is the issue?
 
Tested setting permissions to 660 for dkim.public.key & dkim.private.key.

no success, outgoing mails still not signed. 600 seems to be the default permissions when the keys are created.
 