Warning: DKIM: Invalid. reason='pubkey_unavailable'.

Richard G

I've got 3 servers set up with DA and everything, including DKIM, exactly the same.

The only thing that changed was the exim.conf update to 4.5.5 last night, because of the removal of 1 blacklist. And then the users on this one server could not send out messages anymore; they were refused as being spam.

Reason of spam: Warning: DKIM: Invalid. reason='pubkey_unavailable'.

So I removed all DKIM now for a quick fix. But how is this possible? All 3 servers have the 4.5.5 exim.conf and both others do not have this issue after updating the exim.conf last night.

What can be the reason this problem occurred?
 
Hello,

pubkey_unavailable means an issue with DNS. Either no public key in DNS or an issue with resolving.
 
Hello Alex.

No it's not a DNS issue, because after removing DKIM, sending out mail was working fine and mail was not refused by the receiving mailservers anymore.
I also could do nslookups from the sending server, so DNS was fine.
 
You removed DKIM -> email signing stopped -> no requests to verify the DKIM signature in DNS -> delivery is fine.

DKIM signed letters are checked with a DNS query by a receiving mail server in order to make sure that the DKIM signature is valid.

- If DNS does not contain a public key, or the DNS query failed for other reasons -> pubkey_unavailable

You might need to make sure your DNS responds to TCP queries, as UDP is not suitable here due to the size of DKIM keys.
 
Isn't nslookup a TCP query? Because that works fine.

I've got a local DNS server which is also working fine.
The /etc/resolv.conf is pointing to 127.0.0.1, so it's using my own DNS server first and the external DNS server second.
I also tried locally:
dig -t ns1.thisserver.nl somexternaldomain.com
and got a correct answer, same when using dig -t 127.0.0.1, so that looks fine too.

Or is there another good way to test this?
 
As for dig:

Code:
+[no]tcp
    Use [do not use] TCP when querying name servers. The default behavior
    is to use UDP unless an AXFR or IXFR query is requested, in which case
    a TCP connection is used.

You should check from outside of your server, as the firewall might allow local requests without filtering.


Code:
# dig +notcp +short TXT x._domainkey.domain.com
;; Truncated, retrying in TCP mode.
"v=DKIM1\; k=rsa\; p=MIIBI

...
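To turn the "does the answer fit in UDP" question from this reply into something checkable without a live server, here is an added example (my own code, not from the thread or from DirectAdmin/Exim). It parses a DKIM key record as dig prints it (quoted strings, `\;` escapes), checks the tags a verifier needs before it can report anything other than pubkey_unavailable (a p= tag that is present, non-empty and valid base64), and estimates the wire size of a single-TXT-answer DNS response against the classic 512-byte UDP limit of RFC 1035. The selector name `x._domainkey.example.com` and the key material are constructed placeholders; the key strings are filler bytes of the same length as a real RSA SubjectPublicKeyInfo (294 bytes for 2048-bit, 550 bytes for 4096-bit), not real keys.

```python
"""Sanity-check a DKIM TXT record and estimate whether its DNS answer fits in
a classic 512-byte UDP response.  Added example, not code from the thread."""
import base64
import re

DNS_HEADER_LEN = 12            # RFC 1035 section 4.1.1
CLASSIC_UDP_PAYLOAD_MAX = 512  # RFC 1035 limit for UDP answers without EDNS0
TXT_STRING_MAX = 255           # one <character-string> inside TXT RDATA


def txt_value_from_dig(line: str) -> str:
    """Join the quoted strings dig prints for one TXT record and unescape '\\;'.

    dig prints a long TXT record as several "..." strings and escapes ';' as '\\;'.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    joined = "".join(parts) if parts else line
    return joined.replace("\\;", ";")


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM key record into tag=value pairs (RFC 6376 section 3.6.1).

    Whitespace inside a value is dropped; that is how a key spread over several
    TXT strings is reassembled by a verifier."""
    tags = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        name, raw = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", raw)
    return tags


def txt_rdata_length(value: str) -> int:
    """Wire length of TXT RDATA: every <=255-byte chunk carries a 1-byte length."""
    data = value.encode("ascii")
    starts = range(0, max(len(data), 1), TXT_STRING_MAX)
    return sum(1 + len(data[i:i + TXT_STRING_MAX]) for i in starts)


def estimate_answer_size(qname: str, value: str) -> int:
    """Approximate size of a DNS response carrying exactly one TXT answer.

    Counts header, question and one answer RR whose owner name is a 2-byte
    compression pointer.  Authority/additional records a real server may append
    are not counted, so the real packet can only be larger than this estimate."""
    labels = qname.rstrip(".")
    question = len(labels) + 2 + 4     # label length bytes + root label + QTYPE/QCLASS
    answer_fixed = 2 + 2 + 2 + 4 + 2   # name pointer, TYPE, CLASS, TTL, RDLENGTH
    return DNS_HEADER_LEN + question + answer_fixed + txt_rdata_length(value)


def check_dkim_record(qname: str, value: str,
                      udp_payload_max: int = CLASSIC_UDP_PAYLOAD_MAX) -> dict:
    """Report the problems a verifier would hit before it could use the key."""
    problems = []
    tags = parse_dkim_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= tag (no public key)")
    elif tags["p"] == "":
        problems.append("empty p= tag (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
    size = estimate_answer_size(qname, value)
    return {"tags": tags, "problems": problems,
            "answer_size": size, "fits_in_udp": size <= udp_payload_max}


def constructed_key_b64(der_len: int) -> str:
    """Base64 of der_len filler bytes.  Constructed placeholder with the length
    of a real RSA SubjectPublicKeyInfo (294 bytes: 2048-bit, 550: 4096-bit)."""
    return base64.b64encode(bytes((i * 7) % 256 for i in range(der_len))).decode()


if __name__ == "__main__":
    name = "x._domainkey.example.com"  # constructed selector and domain
    for bits, der_len in ((2048, 294), (4096, 550)):
        record = f"v=DKIM1; k=rsa; p={constructed_key_b64(der_len)}"
        result = check_dkim_record(name, record)
        print(f"{bits}-bit key: answer ~{result['answer_size']} bytes, "
              f"fits in 512-byte UDP: {result['fits_in_udp']}, "
              f"problems: {result['problems']}")
```

Run as-is it reports that a 2048-bit key record of this shape fits in a plain UDP answer (about 466 bytes) while a 4096-bit key (about 811 bytes) does not, which is the case where a resolver falls back to TCP as in the dig output above; pass a larger `udp_payload_max` to model a resolver that advertises an EDNS0 buffer size. The same `check_dkim_record` call on a record pasted from `dig` (after `txt_value_from_dig`) shows whether the p= tag is actually usable, which is the other way to end up at pubkey_unavailable even when DNS resolution itself works.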
 
Thank you Alex.

I did not get that ;; Truncated thing, but I did get my domainkey as a response, so "v=DKIM1\; k=rsa\; etc". So that looks alright, correct?

To inform you, an hour ago I changed the following in named.conf:
1.) removed the line "recursion yes"
2.) Changed allow-recursion { localhost; }; to allow-recursion { localnets; };

This way it's the same as with the other server. I'm not sure if this change made things work.
It still does contain the line "minimal-responses yes;" but that should not make any difference I think, because it does not give issues on the other server either.

The odd thing, however, is that everything was working fine with the settings I had, without issues, until the exim.conf update the day before yesterday, which only removed that RBL; all exim.conf versions were the same on all servers before too.
 