DKIM / DMARC not working.

September 18, 2015
Email DNS

I am very new to everything about domains and such things, so I will try to explain my problem as best as I can:
I followed this guide in order to make mails outgoing from my VPS less of a threat to the outside world, but the DKIM/DMARC configuration didn't seem to work. I have a TXT name: and the text value: v=DKIM1; k=rsa; p=keystring
However, in the DO Control Panel, in the "Zone file" area, I'm shown this: 1800 IN TXT v=DKIM1; k=rsa; p=keystring
I'm not sure it should be using the domain name twice, so I changed the TXT name to simply: mail._domainkey
And that fixed the "Zone file" repetition. However, this website hasn't been able to validate the DKIM key in either of the two aforementioned ways, and always gives me the following error:
This is not a good DKIM key record. You should fix the errors shown in red.
DNS query failed for '':NXDOMAIN
A public-key (p=) is required

What am I doing wrong, and how can I fix it?
As a side note, " is just an alias I used to keep my actual domain hidden. Additionally, I don't have any ports open other than a custom port for OpenVPN and another custom port for nginx, in case it needs an open port.
If you need more info, I will gladly provide it.

1 comment
  • This is an old post, but it does show up in google, so here goes. First of all, you discovered that Digital Ocean will append "" to the txt name. As you noted, looking at the zone info will show this.

    I'm assuming you generated your key with opendkim-genkey. There are guides online how to do that.
    I used the guide in the link above. It works mostly, but upper case is a problem in the txt name.

    opendkim-genkey will make the key for you, but getting it into DNS is not as obvious as you think. Using the Digital Ocean DNS webpage was a problem for me because cutting and pasting into the field in the browser didn't work. The p field is long and it causes the browser to choke. Extra line feeds will be inserted and occasionally a character is lost. This is not a clipboard problem as far as I can tell.

    Digital Ocean has an API that uses tokens. It looks awesome and deadly, so use the API with caution. The goal here is to use the token scheme to feed the dkim record directly to the DNS without using a browser.

    First, get the token:
    Save the token on your PC, not on the Digital Ocean server. It is a crypto key and if it gets loose, life will be ugly, at least on your server.

    At this point, I'm assuming you are running linux or (gasp) bsd on your PC. Maybe this will work on OSX, but I never touch freedom hating Apple gear. Since the token is kind of long, I made it an environment variable on my desktop. It can be temporary, and that is probably a good idea.

    export TOKEN=4rpAcCDTLVNmrYBzuBix1tu0y5Ky9khK7dLq

    Be sure obviously to use the value of your token, not my example. (My example may not even be the right length. I just pulled it from a password generator.)

    I put the curl command below in a file to be run as a shell script. I used a few continuations, as indicated by the backslash at the end of some lines. However, the d field needs to be one continuous line. This is no problem in vi. If you cut and paste the key, you may have to use the "J" operation in vi to join lines together. Use the down arrow when in vi to ensure the d field is one line. Note the use of the backslash to insert the quote character. Also note that $TOKEN is used to indicate the value of the environment variable.

    curl -X POST "" \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"type":"TXT","name":"selector._domainkey","data":"\"v=DKIM1; k=rsa; p=FYEih79vgwDlFPYYparGQUKsc2pTSJqDzTH0dnCMdcWDqHdQWtlLwnKlI2XbxQ9\""}'

    Your p field will be longer than this. (Again, I just used a random generator). If the name of the file with the curl command is called foo, you simply

    sh foo

    You should get feedback regarding the record that was uploaded, but just log into the Digital Ocean DNS page to inspect the data. You can use "dig" as well to inspect the data. It will take some time for the DNS change to propagate.

    By some miracle and lots of banging my head on the desk, I have managed to get opendkim working on virtual domains. The opendkim manual has the instructions. Look for the word "refile" in the manual if you want a simple way to store the keys.

1 Answer

What is the actual domain, actual email headers and actual DKIM record?

  • Actual domain:

    Email headers (as shown by Gmail):

    Delivered-To: <REDACTED>
    Received: by with SMTP id c187csp3160221oif;
            Thu, 17 Sep 2015 16:39:03 -0700 (PDT)
    X-Received: by with SMTP id h67mr3378975qge.14.1442533143287;
            Thu, 17 Sep 2015 16:39:03 -0700 (PDT)
    Return-Path: <>
    Received: from ( [])
            by with ESMTP id z66si5179491qhd.20.2015.
            for <REDACTED>;
            Thu, 17 Sep 2015 16:39:03 -0700 (PDT)
    Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
           spf=pass ( domain of designates as permitted sender)
    Received: by (Postfix, from userid 1000)
        id 398307FF0B; Thu, 17 Sep 2015 18:22:33 -0500 (PET)
    To: <REDACTED>
    Subject: This is a test message

    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZUKdaKQssmRtrqtcTOegCIztpVuB+NLB7/yw2C9VExMGFrQbaQRFlFaY7O2XHkDZIn9e5/8CXFv3230BpxadIcj+Rv+yvwCEuqgfSlToK7T45m49ahHhQHbAf82a/EoCHrcs9B66jgd2/mad7wqYLfPwYAEOadEU47NECf3Qi1wIDAQAB
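A small checker for the two failure modes in this thread (a missing or corrupted p= value, and a TXT owner name with the domain appended twice), added here as an example and not part of the original post or of OpenDKIM. The selector and domain are constructed; the key is the public record quoted in the reply above.

```python
import base64, binascii, re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption); every RSA DKIM key embeds it
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Sample input: the public DKIM record posted in the reply above (nothing secret in it)
SAMPLE_RECORD = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZUKdaKQssmRtrqtcTOegCIztpVuB+NLB7/yw2C9VExMGFrQbaQRFlFaY7O2XHkDZIn9e5/8"
                 "CXFv3230BpxadIcj+Rv+yvwCEuqgfSlToK7T45m49ahHhQHbAf82a/EoCHrcs9B66jgd2/mad7wqYLfPwYAEOadEU47NECf3Qi1wIDAQAB")

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict (RFC 6376 tag=value list)."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        if "=" not in part:
            raise ValueError("malformed tag (no '='): %r" % part.strip())
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags

def check_dkim_record(txt):
    """Return the problems a validator would report; an empty list means the record is usable."""
    try:
        tags = parse_tags(txt)
    except ValueError as e:
        return [str(e)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1, got %r" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=%r" % tags["k"])
    if "p" not in tags:
        return problems + ["A public-key (p=) is required"]
    p = re.sub(r"\s+", "", tags["p"])   # folding whitespace inside the base64 is legal; drop it
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["p= is not valid base64 (a character was probably lost or added)"]
    if der[:1] != b"\x30" or RSA_OID not in der:   # must be a DER SubjectPublicKeyInfo for RSA
        problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
    return problems

def check_owner_name(fqdn, domain):
    """Verify the TXT owner name is <selector>._domainkey.<domain>; catch the doubled domain."""
    fqdn, domain = fqdn.rstrip(".").lower(), domain.rstrip(".").lower()
    suffix = "._domainkey." + domain
    if fqdn.endswith(suffix + "." + domain):
        return "domain appears twice; enter only the relative name '<selector>._domainkey'"
    selector = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else ""
    if not selector or "." in selector:
        return "owner name must be exactly <selector>._domainkey.%s" % domain
    return None
```

Feed it the value that `dig +short TXT selector._domainkey.yourdomain` returns (with the surrounding quotes removed) to see whether a lost character or a stray line feed is what the online validator is complaining about.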