Question

DKIM TXT DNS record mail._domainkey exists but verifier.port25.com says it doesn't

Posted April 23, 2017 7.8k views
EmailDNS

I followed the excellent article: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy to set up DKIM on my server. I created the two TXT records exactly as required. My domain is called realassurance.com. However the authentication check using a test email to: check-auth@verifier.port25.com returns the following in the DKIM section stating that mail.domainkey.realassurance.com doesn’t exist (see below), when it does. Having read as many blog articles as I could find about this I have ensured the text is in quotes and I am sure it is not a propagation issue as I used mxtoolbox.com (and other similar online tools) to check for mail.domainkey.realassurance.com which was found as a TXT record ok.

Also I note in the report below, it reports the DNS record as TXT (NXDOMAIN) - whatever that means.

No idea what to do next. Can someone please help?

Dave


DKIM check details:

Result: permerror (key “mail._domainkey.realassurance.com” doesn’t exist)
ID(s) verified:
Canonicalized Headers:
to:check-auth@verifier.port25.com‘0D’'0A’
from:John'20’jdt2@realassurance.com'0D’'0A’
subject:test'0D’'0A’
date:Sun,'20'23'20'Apr'20'2017'20'15:53:34'20’+0800'0D’'0A’
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20’d=realassurance.com;'20’s=mail;'20’t=1492934013;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Subject:Date:From;'20'b=

Canonicalized Body:
'0D’'0A’

DNS record(s):
mail._domainkey.realassurance.com. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25’s PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer

@dave102

When using MXToolbox, I was able to verify the DKIM entry easily. I’m seeing the following:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfWHolALh8Kohz+hSyWWRArUQJbo+lDAKKIUIQ39s3V/AQOO4IcihyF7s8ZFl936NcF6wcpEHXzvnYt5g19+s0VtY8Hc+CM8+a3AC4nz1QuGeitzNDp8f/mNkjZA33k3cnMFj5286Aej/YYsMzMsUQbRzXgYk9MKphJEBAIpYc2wIDAQAB

It is possible that at the time of checking, the DNS entry hadn’t fully propagated, thus when they did a check, it failed. On my end, as of this reply, it’s showing up and appears valid.

  • Thanks. It was a propagation issue and all works now. The problem was that MXToolbox did find the key yesterday but clearly wherever port25.com is, the propagation had not reached there! I was also fooled as I set up a new url under the same domain (new A record) and I could see it after a few minutes. I suppose that someone in the US or Europe would not have been able to.

    The moral of the story is that you really do need to wait 24 hours or more for full propagation!

    Incidentally, my question was marked as spam for some reason by the DO Community - I would love to know why. It was only “unspammed” after I raised a support ticket.

    This question of spam is a real pain - for example my automated emails from the domain I just amended are STILL going into spam in gmail accounts even though the verification shows spf=pass and dkim=pass. What do you have to do get into gmail?? Funnily enough, loads of real spam seems to get through. So explain that.

    My only solution for a new app I developed is to get all users to mark messages from my domain as “not spam” from Day 1.

    Dave

    • You have to season your server now… set rate limits low per email and per box and try to get as many people to whitelist you as possible.

      join ipwhitelisted.org * yes it’s dirty bloody ransom money…it will keep you from getting added to spam lists when someone else on a nearby ip gets blacklisted (called a neighborhood ban)

      don’t use your email server as a newsletter software. IE send the same exact message to 1000’s of people day 1 telling them about your new app…

      don’t exceed rate limits early on (8 or so an hour).

      if you must automate, and your app is taking off but you don’t have any cash in yet, then write your automated replys with spintax and space out the sending so they don’t all go at midnight for example.

      try to elicit responses of some kind in your automated email notifications.

      Examples:

      Click here to check out your app stats.

      When I say Hippo you say…
      (respond with the first thing that comes to mind.. funniest response gets a free month of service)

      People responding to your email in some way will help keep your spam score down as it indicates value.

      Try to consolidate your apps notifications. Have 5 plugins that each want to check something five times a day? Consolidate the code and run 1 daily update or 1 weekly update if possible.

      Make sure your business information, ICANN statement and unsubscribe link are all present and work.

      Use an SMTP Host like sendgrid or mailgun.

      Don’t scrape or buy “1 million emails” type lists from the internet… they are always full of honeypot emails and you will get locked up by Barracuda and the other ban lists very quickly.

      Don’t try to contact 100 people from the same company in 1 day.. you will also get banned or blackholed.

      Don’t just use email… why not write the responses to a log file that can be viewed when logged in and send via social media? (Doubles as advertising)