By: dave102

DKIM TXT DNS record mail._domainkey exists but verifier.port25.com says it doesn't

April 23, 2017
Email DNS

I followed the excellent article: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy to set up DKIM on my server. I created the two TXT records exactly as required. My domain is called realassurance.com. However the authentication check using a test email to: check-auth@verifier.port25.com returns the following in the DKIM section stating that mail._domainkey.realassurance.com doesn't exist (see below), when it does. Having read as many blog articles as I could find about this I have ensured the text is in quotes and I am sure it is not a propagation issue as I used mxtoolbox.com (and other similar online tools) to check for mail._domainkey.realassurance.com which was found as a TXT record OK.

Also I note in the report below, it reports the DNS record as TXT (NXDOMAIN) - whatever that means.

No idea what to do next. Can someone please help?

Dave


DKIM check details:

Result: permerror (key "mail._domainkey.realassurance.com" doesn't exist)
ID(s) verified:
Canonicalized Headers:
to:check-auth@verifier.port25.com'0D''0A'
from:John'20'jdt2@realassurance.com'0D''0A'
subject:test'0D''0A'
date:Sun,'20'23'20'Apr'20'2017'20'15:53:34'20'+0800'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=realassurance.com;'20's=mail;'20't=1492934013;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Subject:Date:From;'20'b=

Canonicalized Body:
'0D''0A'

DNS record(s):
mail._domainkey.realassurance.com. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

1 Answer

@dave102

When using MXToolbox, I was able to verify the DKIM entry easily. I'm seeing the following:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfWHolALh8Kohz+hSyWWRArUQJbo+lDAKKIUIQ39s3V/AQOO4IcihyF7s8ZFl936NcF6wcpEHXzvnYt5g19+s0VtY8Hc+CM8+a3AC4nz1QuGeitzNDp8f/mNkjZA33k3cnMFj5286Aej/YYsMzMsUQbRzXgYk9MKphJEBAIpYc2wIDAQAB

It is possible that at the time of checking, the DNS entry hadn't fully propagated, thus when they did a check, it failed. On my end, as of this reply, it's showing up and appears valid.

  • Thanks. It was a propagation issue and all works now. The problem was that MXToolbox did find the key yesterday but clearly wherever port25.com is, the propagation had not reached there! I was also fooled as I set up a new url under the same domain (new A record) and I could see it after a few minutes. I suppose that someone in the US or Europe would not have been able to.

    The moral of the story is that you really do need to wait 24 hours or more for full propagation!

    Incidentally, my question was marked as spam for some reason by the DO Community - I would love to know why. It was only "unspammed" after I raised a support ticket.

    This question of spam is a real pain - for example my automated emails from the domain I just amended are STILL going into spam in gmail accounts even though the verification shows spf=pass and dkim=pass. What do you have to do to get into gmail? Funnily enough, loads of real spam seems to get through. So explain that.

    My only solution for a new app I developed is to get all users to mark messages from my domain as "not spam" from Day 1.

    Dave
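An added example, not code from the question, the answer or the DigitalOcean tutorial: it takes the DKIM record quoted in the answer and models the three things a resolver can return for mail._domainkey.realassurance.com: the NXDOMAIN that verifier.port25.com reported, a name with no usable TXT data, and the record itself, whose p= value it validates by walking the DER just far enough to read the RSA modulus size. The resolver names and their answers are constructed; nothing is looked up over the network.

```python
import base64
import re

# DKIM TXT record quoted in the answer above (selector "mail" at realassurance.com).
RECORD = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfWHolALh8Kohz+hSyWWRArUQJbo+l"
          "DAKKIUIQ39s3V/AQOO4IcihyF7s8ZFl936NcF6wcpEHXzvnYt5g19+s0VtY8Hc+CM8+a3AC4nz1QuGei"
          "tzNDp8f/mNkjZA33k3cnMFj5286Aej/YYsMzMsUQbRzXgYk9MKphJEBAIpYc2wIDAQAB")

# Constructed answers from three imaginary resolvers (not real lookups): None models
# NXDOMAIN, as in the port25 report above; [] models NOERROR with no TXT data.
SAMPLE_ANSWERS = {"resolver-a": [RECORD], "resolver-b": None, "resolver-c": []}

def parse_dkim_record(txt):
    """Split a DKIM key record into tag=value pairs; whitespace inside values is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (f.split("=", 1) for f in txt.split(";") if "=" in f)}

def _expect(der, i, tag):
    """Check the DER tag at offset i; return (content length, offset of content)."""
    if der[i] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {i}, got 0x{der[i]:02x}")
    first = der[i + 1]
    if first < 0x80:
        return first, i + 2
    n = first & 0x7F
    return int.from_bytes(der[i + 2:i + 2 + n], "big"), i + 2 + n

def rsa_modulus_bits(p_b64):
    """Walk the SubjectPublicKeyInfo DER in p= just far enough to read the RSA modulus."""
    der = base64.b64decode(p_b64, validate=True)
    _, i = _expect(der, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _expect(der, i, 0x30)      # AlgorithmIdentifier SEQUENCE (OID + NULL)
    _, i = _expect(der, i + alg_len, 0x03)  # BIT STRING holding RSAPublicKey
    _, i = _expect(der, i + 1, 0x30)        # +1 skips the unused-bits byte
    n_len, i = _expect(der, i, 0x02)        # INTEGER modulus n
    return int.from_bytes(der[i:i + n_len], "big").bit_length()

def classify_answer(txt_rrset):
    """Verdict for one resolver's TXT answer for selector._domainkey.domain."""
    if txt_rrset is None:
        return "NXDOMAIN: this resolver does not see the name yet (propagation, or wrong name)"
    for txt in txt_rrset:
        tags = parse_dkim_record(txt)
        if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or "p" not in tags:
            continue
        try:
            return f"valid DKIM record, {rsa_modulus_bits(tags['p'])}-bit RSA key"
        except (ValueError, IndexError) as exc:
            return f"DKIM record found but p= is not a valid RSA key: {exc}"
    return "name exists but carries no usable DKIM key record"
```

Run `classify_answer` over each entry of `SAMPLE_ANSWERS` to see why one checker can report the key as valid while another, behind a resolver that has not picked up the new name, reports NXDOMAIN.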
