Issue with Failed DKIM Signature on Mail Server

ceconarr (Verified User; joined May 31, 2024; 9 messages)
Hello everyone,

I'm experiencing an issue with the DKIM signature on my mail server and would appreciate any help or advice. Below are the details of the problem.

Problem Details:

When reviewing the headers of my emails, I encounter the following DKIM signature information:

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cabaech.pe;
s=x; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:
Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=Jwy+68j5gYvF9nJja310RpiWo+719YpsgD5cySZBuq4=; b=KXR1mkslg6k1GW2ygLs5WxDpKI
AXetx3OdmBi5+6H8QmU7C/pCMigl9iqJdvwlr3gWQriFD/86uu3Tt1cCiBd3fj3RfJFD9ogrAHlel
2cKVrcqJ0ilfpUL49YdOxGGB8I9E5OcObal3Yo5CjH9Idc0QzDQNmuuYCJeeRTiMIuXYtsG5vmbtY
UTFV/IGrzFQs3+YrdEUpOpWxOnkSAbbgADisN8XXkK1pr53qt0I0jHC9nJWWLQ8jC5izzFPi9D51L
/k1+5jhm7uOzW0TCtNS+GNTPy7aCQuJNTDevvW0GRqFnxiAmkiV7GnSE+CUG9MmqJVN1EJmIGZyAD
UxEp/tPA==;


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: cabaech.pe
s= Selector: x
q= Protocol: dns/txt
bh= Jwy+68j5gYvF9nJja310RpiWo+719YpsgD5cySZBuq4=
h= Signed Headers: Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:
Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive
b= Data: KXR1mkslg6k1GW2ygLs5WxDpKI
AXetx3OdmBi5+6H8QmU7C/pCMigl9iqJdvwlr3gWQriFD/86uu3Tt1cCiBd3fj3RfJFD9ogrAHlel
2cKVrcqJ0ilfpUL49YdOxGGB8I9E5OcObal3Yo5CjH9Idc0QzDQNmuuYCJeeRTiMIuXYtsG5vmbtY
UTFV/IGrzFQs3+YrdEUpOpWxOnkSAbbgADisN8XXkK1pr53qt0I0jHC9nJWWLQ8jC5izzFPi9D51L
/k1+5jhm7uOzW0TCtNS+GNTPy7aCQuJNTDevvW0GRqFnxiAmkiV7GnSE+CUG9MmqJVN1EJmIGZyAD
UxEp/tPA==
Public Key DNS Lookup

Building DNS Query for x._domainkey.cabaech.pe
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvFp/TScQLd94HnvzX6cPPmB6HsyGJahqdw89gP9pf4cCop/gPsiM+OawugdpE5BczM33ZMeHMMWpZUO8hqO5srtpq0U0QMgVz63wa+xhVj8giFnB48vInyhtmA+h92qwUcPRYGCdUVAOERdbcLdmQytH412ZoJb9pkPMuzxo8FDxd3a6b2IfTq3vUyZdYB/8slYk/ZlWbaCs6WcWXVMxlbBuuiwuaZ4IW4ckXovpm8+ngt3BEBoK4N/PYb1lOOrBTakTF8s/E4OLqLYpfxcGcqtyJrFk+JXreesnY1bc3YoQu2WIRNLDbBlwy5d7invLDJVyOLHkAj5ZQ06D8S8O2QIDAQAB
Validating Signature

result = fail
Details: bad RSA signature

Actions Taken So Far:

  1. DNS Lookup:
    • I verified the DNS record for x._domainkey.cabaech.pe and retrieved the correct public key:
      v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvFp/TScQLd94HnvzX6cPPmB6HsyGJahqdw89gP9pf4cCop/gPsiM+OawugdpE5BczM33ZMeHMMWpZUO8hqO5srtpq0U0QMgVz63wa+xhVj8giFnB48vInyhtmA+h92qwUcPRYGCdUVAOERdbcLdmQytH412ZoJb9pkPMuzxo8FDxd3a6b2IfTq3vUyZdYB/8slYk/ZlWbaCs6WcWXVMxlbBuuiwuaZ4IW4ckXovpm8+ngt3BEBoK4N/PYb1lOOrBTakTF8s/E4OLqLYpfxcGcqtyJrFk+JXreesnY1bc3YoQu2WIRNLDbBlwy5d7invLDJVyOLHkAj5ZQ06D8S8O2QIDAQAB
  2. Configuration Review:
    • I have reviewed the mail server configuration and ensured that the private key being used corresponds to the public key published.
  3. Message Integrity:
    • I checked that the message body is not being modified after signing.

Problem:

The DKIM signature validation continues to fail with the result: fail - bad RSA signature.

Question:

  • Has anyone experienced similar issues and can offer guidance on how to resolve a failed DKIM signature due to a "bad RSA signature"?
  • Are there additional steps I should take to diagnose and resolve this issue?
I appreciate any help or suggestions in advance.

Best regards,
 

This is a result:

DKIM Information:

DKIM Signature


Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cabaech.pe;
s=x; h=Content-Type:Content-Transfer-Encoding:To:Message-ID:Subject:From:Date
:MIME-Version:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive; bh=repq7UMbJH1kzh+67PNHpr6PaP0wZfWS8siUmNmlUTk=; b=O
ytptj1kGZirU4El9XKdxuDC0CwkHI8M1E478kVHjN33j3LI3FQ9xAJL6f3X7wx6AeYoZjG7PmvAlp
B+p9ZnarpIt7Ddg7QhonEUv9S7hoXUjEzPprRYKIvJPLsyD9tNByUY+opr5rnBXsaeEK/1Eq76xKS
i6iuYaXhAe/HqFyMsAVVxly38GpX2nHPIPRxEH4ObMacC8NTo/2Q3RUfXwGhyB5Kw3t0u36Vu/7Sk
pNZkA4xYrylXnVGEKp03iKcThKx1fshoUjO78lPbXGRBReZRos5cSTGiguPaovoyTEzGvquut0Aq8
Sk98LlHNFVwVCJYdc8VWS1TuSIUGdEfAQ==;


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: cabaech.pe
s= Selector: x
q= Protocol: dns/txt
bh= repq7UMbJH1kzh+67PNHpr6PaP0wZfWS8siUmNmlUTk=
h= Signed Headers: Content-Type:Content-Transfer-Encoding:To:Message-ID:Subject:From:Date
:MIME-Version:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive
b= Data: O
ytptj1kGZirU4El9XKdxuDC0CwkHI8M1E478kVHjN33j3LI3FQ9xAJL6f3X7wx6AeYoZjG7PmvAlp
B+p9ZnarpIt7Ddg7QhonEUv9S7hoXUjEzPprRYKIvJPLsyD9tNByUY+opr5rnBXsaeEK/1Eq76xKS
i6iuYaXhAe/HqFyMsAVVxly38GpX2nHPIPRxEH4ObMacC8NTo/2Q3RUfXwGhyB5Kw3t0u36Vu/7Sk
pNZkA4xYrylXnVGEKp03iKcThKx1fshoUjO78lPbXGRBReZRos5cSTGiguPaovoyTEzGvquut0Aq8
Sk98LlHNFVwVCJYdc8VWS1TuSIUGdEfAQ==

Public Key DNS Lookup


Building DNS Query for x._domainkey.cabaech.pe
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvFp/TScQLd94HnvzX6cPPmB6HsyGJahqdw89gP9pf4cCop/gPsiM+OawugdpE5BczM33ZMeHMMWpZUO8hqO5srtpq0U0QMgVz63wa+xhVj8giFnB48vInyhtmA+h92qwUcPRYGCdUVAOERdbcLdmQytH412ZoJb9pkPMuzxo8FDxd3a6b2IfTq3vUyZdYB/8slYk/ZlWbaCs6WcWXVMxlbBuuiwuaZ4IW4ckXovpm8+ngt3BEBoK4N/PYb1lOOrBTakTF8s/E4OLqLYpfxcGcqtyJrFk+JXreesnY1bc3YoQu2WIRNLDbBlwy5d7invLDJVyOLHkAj5ZQ06D8S8O2QIDAQAB

Validating Signature


result = fail
Details: bad RSA signature
 
Your DKIM is not the same. On your NS servers you have a different DKIM than on your DA server.

Copy the DKIM from your DA server into the zone of your NS server at Contabo.

Assuming your domain is indeed: cabaech.pe

Then running this check shows different DKIM entries in your main NS and the one on your DA server:

Code:
#First check IP of server
dig cabaech.pe +short
31.220.99.82

#Then check NS of domain
dig ns cabaech.pe +short
ns1.contabo.net.
ns2.contabo.net.
ns3.contabo.net.

#So check DKIM on auth NS server:
dig -t txt x._domainkey.cabaech.pe @ns1.contabo.net +short

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzabYNNxmhgRprT/fBKYnFccTd/sl+DYK0y9LypYHxuTOFEIHNnbQAu3TZuJwSa+R6t0x6Z/nay7tgyfAv9R5+RAA5Ur7FbqaMSGNsKTUe8nsMjXXG3jokY1hOsYV3xIpYdmR40KKiy/t1DutdOjj2SqJs71IV5HNifYkl2/SfzEH7JYuP81BXTdsiZWN1pEdonV4+nb3YZh11rMvn3JA2EhO6OBcIn+mtxcxarsHL0DKFUNkAHaU0cqLjy8gq5bJyIMX1yLDlO2TN+nU9EVNGk8IqgHta7SrwNXdUgJNH6FO5xdVthMa6o+MBZztL+OKXxpjoOojycLl/qYThTy/pQIDAQAB"

#Then check on your server:
dig -t txt x._domainkey.cabaech.pe @31.220.99.82 +short

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmd5LFjnWeEo2opqWnnqkeyOTBKtZjNya0hFf8H6NzIdync5Q8NqP9/qWaZFhAkXg4rSoIJ4jQWE5neinZP/XtAY/ePY2iuKdJc0hYZOlw/bhUAUpEMI3UZt3tqubgHRIG07do6rzrqhTB0PG7biQG2PzCcGpzg52QVLYO37zkn85hQwoFQUelseHyI6wCAvzRiD8RaTnLNEsswK6mnkYt2zydsYI4iEpamIK8PayStml1UUycgOUXXz18n9QhnanbeGB3amL3NAvVqJt2yb5VSXX87Q2j6h+zttJUnrw4HN1DKVDppXKNoUFb6otvelBwed+4y67kCzct4NsMeguwwIDAQAB"

They are not the same. So copy the one from DirectAdmin server to your auth. NS server. Now your mailserver uses the DKIM of your DA server but other mailservers see the one on your NS server. So it will fail.
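
Added example, not part of the thread: the by-eye comparison from the reply above, scripted so that quoting, the `\;` escapes some dig versions print, and the splitting of long TXT records into several quoted strings do not cause a false mismatch. The record values are constructed placeholders, and `dkim_p`, `dkim_compare` and `dkim_check_servers` are names made up for this example.

```shell
#!/bin/sh
# Extract the p= value (base64 public key) from a DKIM TXT record as printed
# by `dig +short`. One key is printed per record line.
dkim_p() {
    printf '%s\n' "$1" |
        tr -d '"\r\t \\' |   # drop quotes, whitespace and backslash escapes (joins split strings)
        tr ';' '\n' |        # one tag per line
        sed -n 's/^p=//p'
}

# Exit status: 0 = same key, 1 = different keys, 2 = a record is missing or has an empty p=.
dkim_compare() {
    a=$(dkim_p "$1"); b=$(dkim_p "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Live check (needs network): compare every further server against the first one.
# usage: dkim_check_servers SELECTOR DOMAIN REFERENCE_SERVER OTHER_SERVER...
dkim_check_servers() {
    name="$1._domainkey.$2"; shift 2
    ref_srv=$1; shift
    ref=$(dig -t txt "$name" "@$ref_srv" +short)
    for srv in "$@"; do
        if dkim_compare "$ref" "$(dig -t txt "$name" "@$srv" +short)"; then
            echo "$srv: same key as $ref_srv"
        else
            echo "$srv: DIFFERENT or missing key compared with $ref_srv"
        fi
    done
}

# Constructed sample records (not real keys).
REC_NS='"v=DKIM1; k=rsa; p=AAAAconstructedKeyOne0000"'
# Same key, but escaped and split into two strings as long records are.
REC_MTA_SAME='"v=DKIM1\; k=rsa\; p=AAAAconstructed" "KeyOne0000"'
REC_MTA_OTHER='"v=DKIM1; k=rsa; p=AAAAconstructedKeyTwo0000"'

if dkim_compare "$REC_NS" "$REC_MTA_SAME"; then
    echo "split/escaped copy: same key"
fi
if ! dkim_compare "$REC_NS" "$REC_MTA_OTHER"; then
    echo "other record: key mismatch"
fi
```

Comparing the full value matters because every 2048-bit RSA key begins with the same characters, as all the keys quoted in this thread do, so a glance at the start of the record cannot tell them apart.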
 