HOW TO: Easy Set Up DKIM signatures on Hmailserver

[jimimaseye]

This procedure details how easy it is to achieve and how to implement it (in 5 easy steps, and I mean EASY). Other instructions are also available throughout the forum offering similar and different methods. This guide is a simplified yet complete write-up following the easiest method. (Thank you to @Mattg for the initial guidance).

1, CREATE THE KEYS

This step will take you through creating keys using a seemingly trustworthy online key generator. However, for those of a more nervous disposition about security, and who want be in control of creating such keys without the use of the internet (involving downloading of OpenSSL software), then an alternative method for creating the keys can be found here: http://www.dataenter.com/doc/general_domainkeys.htm - then continue to apply the generated key strings accordingly (from step (2) below).

i, Go to https://www.port25.com/support/domainkeysdkim-wizard/

ii, Fill out the form accordingly:

• Domain name of the “From:” header address....: enter your domain (eg, YOURDOMAIN.COM)
  
  DomainKey Selector (e.g., key1): enter "dkim" (without the quotes. We will be referring to this choice of key word later)
  
  Key size in bits: 1024
  
  Note: you may choose 2048bits but this will result in a longer key. However, many DNS servers will not accept the record length of this key as it will be too long and its likely you are unaware of your servers limitation until after you try it. (This happened to me). So I advise to enter just 1024 bit to be sure.

iii, Click 'CREATE KEYS'

2 keys will be generated on screen. The first one will be the PUBLIC KEY:

eg,

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut
3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6
e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFs
wCU/suTcTK0+uMV1ewIDAQAB
-----END PUBLIC KEY-----

2, UPDATE YOUR DNS RECORD WITH THE DKIM KEY

Go to your DNS records portal/administration to amend your domain DNS records and add a TXT record under your domain:

i, Copy the long string of characters that appear between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY---- (highlighted in bold above) to your clipboard.

ii, Create a TXT record against your domain in DNS with the following entry:

• key: dkim._domainkey.YOURDOMAIN.COM
  
  Note: GoDaddy users may need a shorter version - see here for a users experience.
  
  Value: v=DKIM1; t=s; k=rsa; p=The_Long_String_Of_Text_From_Your_Clipboard_Above
  (ensure the single spaces between parameters are included)

eg,
Value:

v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB

Important Note: if you are using/administering a BIND dns server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;'

eg, v=DKIM1\; t=s\; ....

iii, Save your new record

iv, You may now test for the DNS record to see if it has been accepted by using online DNS Query facilities such as this one: http://www.dnswatch.info/.

Enter:

• Hostname or IP: dkim._domainkey.YOURDOMAIN.COM
  Type: TXT

The results should now show an entry similar to

dkim._domainkey.YOURDOMAIN.COM.

TXT 300

v=DKIM1;t=s;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB

(note that there is no 'escaped' semicolon - if there is then you should re-enter your DNS record without the backslashed semicolon.)

3, CREATE THE PRIVATE KEY ON YOUR HMAILSERVER

i, Create a blank text file (with Notepad, for example) and paste in the second part of the block (the -----PRIVATE KEY-----) as appears on the website:

eg
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1RKKds55yyGSS/h47+4LMpyz08yqf2zzIS86UYr2KAry1b8Q
+F4Aa03+YA6NZbzWnUepaKVG5Fmd0RxAqbwRCvr/KxoNbs2oHWHR3LaXEsr96zkl
wCV6XxciNDWkC9iDnrCOb8J/ihQM5kUMRJdvYtJMtZivyi7c6DFSN7aMdDO2Vu96
RybbCUSjXxNFFjgE8fY57E7zJFOHPDCxJpfmVDxPKJqHyGpTKDmiywtTMLgH7Nsy
eR2OSn+2tDja6VWvuiq6EfZ5sRWmV2dn0KWVbTSjH74BI9OOPK3LfKQfLQ4iUnPF
Wf7IC29jggKg/PBMuXcp5qo5ZIFy5f8Z1SZgD+kpgGkxw42bJl7olaFRayu5rJH8
Fa6a99Y5/i7EI9jYas7WHP0lxM6rZlUyWE4pB5DPRDqDCbesuEV5DmHROVlfSgpH
sHaeNGbfHCYDngg5KvAUxLECgYEAnh+c5HHm4X13JSsm6ScBQW7HDB0fNP7W13iS
Petie/HsQE+0xgDEKfGm/DgAAIErTz6pfjpXX9dQs/O+aY5LNh0PTduO+g2fS0qy
bwu4VU9vSu1WFMWS+fLCSBpePRiWjCRN5uDH7ZQUOqu0WVEN3Y1k43uTiFUgvppr
TRQOyB0CgYBU9Pl2tMVV02pnZeZGsYv7RykMJ4xhD9urVxtMCI76H6xHAbJcnXy0
NMXqxfK5iAJFR1ffkAIti/v6dUlgg+4sCJExJFmawpe0PV/mARrHLkSCcHxTvnS0
sGqiP8TQKVRCvkwOhp/dgabfNoiOE3QWAzpngZLjfeoH0P+SYaBN/g==
-----END RSA PRIVATE KEY-----

ii, Save this file as "dkim.YOURDOMAIN.COM.pem".

I recommend saving this file in to the DOMAIN folder off the root of your data directory (where the email files are held in sub folders).

eg d:\pathto\HMSdatafolder\YOURDOMAIN.COM\dkim.YOURDOMAIN.COM.pem

This way the the domain specific key will be saved with your data backups and thus avoiding configuration problems on restore.


4, CONFIGURE HMAILSERVER

i, In Hmailserver admin go to: DOMAINS - 'mydomain.com' - "DKIM Signing"

• Tick 'Enabled'
  
  Private Key File: browse and point to dkim.YOURDOMAIN.COM.pem as saved in step (3ii)
  eg, d:\pathto\HMSdatafolder\YOURDOMAIN.COM)
  
  Selector: "dkim"
  
  Header method: relaxed
  
  Body method: relaxed
  
  Signing algorithm: SHA256

Click SAVE.

5, TEST

Send an email to an external address that you can receive and view (eg, a Gmail, Yahoo etc address). Upon receiving it, use your portal/email client functions to view the "Message Source" or 'full headers'. Within the headers there should be something like:

Authentication-Results: mta1323.mail.ne1.yahoo.com from=MYDOMAIN.COM; domainkeys=neutral (no sig); from=MYDOMAIN.COM; dkim=pass (ok)

Further down in the headers where your Hmailserver initially starts the delivery, there should be a 'received' header similar to:

Received: from 127.0.0.1 (EHLO mail.mydomain.com) (123.45.67.89)
by mta1323.mail.ne1.yahoo.com with SMTPS; Wed, 16 Mar 2016 09:13:38 +0000
dkim-signature: v=1; a=rsa-sha256; d=mydomain.com; s=dkim;
c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
bh=pVMggf6ACj7Jh1zg8lMTWup8MzcMJg8v5gp1MijD6II=;
b=d+w4QzQFvsLa7Jt0gUoqI+Eu4X8QudR/HcxtxL0e/oloZWD9K1ZdmOVYEWZVYE3RvfvuosFlZ0DTQvF3Ok17yYEqkqeoyoSmp8BEUYEuRmTYELDrDe1ooYyVBdQHOFZqVMZLqMPgETYEhs1EEy4e3lEorEZ0R51wLSDY1PMbkK25XtxBs

If you have the DKIM signature, and you have the DKIM=PASS in the "Authentication Results" header, then youre done!

Take note: A user once reported that adding a signature (in Hmailserver) was breaking his DKIM validation for http://dkimvalidator.com/ and therefore possibly for some receiving mail servers whilst it was passing for others (GMail,Yahoo etc passed the DKIM). Its worth reading his cause and conclusion here: https://www.hmailserver.com/forum/viewt ... 85#p200485 to show how to prevent this problem with signatures.

Warning:

I have DKIM set up (as per the above instructions) and receive a "DKIM=PASS" on all tests with online DKIM/email checkers and email providers I try....that is all EXCEPT Microsoft's Outlook/Hotmail! (surprise surprise). Even when the same email is CC'd to Hotmail and a Yahoo addresses (for example), or even have Hotmail accept it and forward it on to a Yahoo address, only the Microsoft servers chooses to fail and continue to issue 'dkim=fail' (and they are still unable to explain why.) Despite this, and probably because of our domains 'good reputation' and SPF records, it doesnt affect delivery of our emails to their INBOX. But you should be aware and maybe check/test yourself to determine what the results are for your domain when sending to an Outlook/hotmail address. If you do suffer from Microsoft-run email services from JUNKing your emails, then read this article (with direct link) for explanations and possible options: https://www.hmailserver.com/forum/viewt ... 21#p184321.

EDIT: MICROSOFT ALSO GIVES A DKIM=PASS: A few days later after the initial implementation and results above, I did further tests. Microsoft servers give DKIM=FAIL if the BODY of your text is blank - if the body is not blank (which is normally the case in most emails) then they also gave DKIM=PASS. This was true for both plain text and html/richtext email bodies. (My initial test emails just contained recipient address and a subject (eg "test 1") and didnt have a body text.). Phew. Wierd, but phew!

[Dravion]

Great work!

[modiX]

Ok I could not resist and tried this.

The dkim signature got attached, but in the top of the mail behind Authentication-Results it's not "dkim=pass", it's "dkim=permerror header.d=***.com".

What does this mean? The signature below looks right to me.

[jimimaseye]

You must have mistyped/misread/mishandled some of the data somehow and perhaps not set the dns record correctly. Let me know your domain so we can check. (Also, stop and restart your hmailserver service to be sure)

[mattg]

One note of caution...

(I told jimimaseye about the port25 dkim certificate creator)

I have no reason to suspect port25 of anything unusual, in fact the exact opposite. They appear to be very genuine.
Their privacy policy is here >> https://www.port25.com/privacy-policy/
And it says in part

After a transaction, your private information (credit cards, social security numbers, financials, etc.) will be kept on file for more than 60 days in order to keep you updated on software enhancements..

This a very short time frame and is great.

My note of caution is that with ANY online service there is a risk that you could be giving your information to the bad guys.
This could be a problem if you ONLY used DKIM. It could mean that a website with DKIM certificate and key, could generate mail that pretends to be from you.

A solution is to use DKIM as PART of your mail security setup.
Also use SPF records that end in '-all'
Look at other security solutions as thy evolve.

[modiX]

You must have mistyped/misread/mishandled some of the data somehow and perhaps not set the dns record correctly. Let me know your domain so we can check. (Also, stop and restart your hmailserver service to be sure)

Thank you for your PM. The DNS record was not stored correctly. Now it's working and the email got "dkim=pass" in the header.

Now my question is, how can the receiver know the mail is not modified?
I mean, the Receiver server or client has to check the DKIM, but I don't believe every client/server is doing this when receiving a mail.

[jimimaseye]

Mail servers check the dkim signature that you have encoded in the email matches ITS results when it does the same (with your DKIM key as found in your DNS record). If the results are not identical then one of the fields used for generating the signature (which are listed in the header) must have been changed and they would get DKIM=FAIL. Then their server would score it/move it to spam folders according to their own implementation of risk handling.

Of course, no, there is no saying that all servers perform DKIM verification, but the main ones do (I would think anyone that you are sending to will support it).

Now to do your SPF. (See my PM).

[mattg]

Now my question is, how can the receiver know the mail is not modified?

DKIM shows that there have been no changes between the mailservers. Even then this rarely used for anything other spam scoring, and the user is rarely notified if the DKIM is incorrect, other than a header in a SPAM marked email.
Who reads headers anyway other than us nerds?

To show no changes since since the authoring mail client, you need to investigate Message digital signatures.
This (like Message level encryption) is handles by mail clients

Mail clients need to share public keys (in a secure way, not via another email)
Then the sending client can digitally sign AND/OR encrypt the message with their private key
The receiving client can confirm digital signatures, and de-encrypt messages using the public key

public and private keys needs to generated first, and you need to trust the authority / entity that generates the keys to properly identify the sender, and you need to trust the communication channel by which these were sent

digital signatures and DKIM alone DO NOT PREVENT THE MESSAGE FROM BEING VIEWED or copied in transit
Message encryption is the ONLY way to achieve this, even then, still perhaps not.

I am told that when security agencies at friendly nations exchange email, that they:-
- Sign with keys physically handed from one trusted agent to another
- Encrypt with a different key, physically handed between two other trusted agents
- Encrypt a VPN tunnel before doing anything
- send the encrypted message down the encrypted VPN, inside a SSL secured connection
- use each code ONLY once
- EXPECT THAT THE MESSAGE HAS BEEN COMPROMISED anyway

[neo]

One note of caution...

(I told jimimaseye about the port25 dkim certificate creator)

I have no reason to suspect port25 of anything unusual, in fact the exact opposite. They appear to be very genuine.
Their privacy policy is here >> https://www.port25.com/privacy-policy/
And it says in part

After a transaction, your private information (credit cards, social security numbers, financials, etc.) will be kept on file for more than 60 days in order to keep you updated on software enhancements..

This a very short time frame and is great.

My note of caution is that with ANY online service there is a risk that you could be giving your information to the bad guys.
This could be a problem if you ONLY used DKIM. It could mean that a website with DKIM certificate and key, could generate mail that pretends to be from you.

A solution is to use DKIM as PART of your mail security setup.
Also use SPF records that end in '-all'
Look at other security solutions as thy evolve.

Hi,

You can generate your own RSA key (domainkey) using OpenSSL.
Download it and follow the instruction gave in:
http://www.dataenter.com/doc/general_domainkeys.htm

Sincerely,

[jimimaseye]

Hi,

You can generate your own RSA key (domainkey) using OpenSSL.
Download it and follow the instruction gave in:
http://www.dataenter.com/doc/general_domainkeys.htm

Sincerely,

Thanks Neo, thats good to know.

I have updated my tutorial to reflect this suggestion.

[wctsang]

Dear Jimimaseye,

My name is WC Tsang. I live in Hong Kong. I am a very green hand to server settings. I tried very hard these few days in setting up an hmailserver with DKIM feature running on my PC at home. I followed every steps in your essay posted in March last year. However, no matter how hard I tried, I kept on receiving the following error message in the log file:

"ERROR" 2780 "2017-01-17 22:07:33.991" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2780 "2017-01-17 22:07:34.007" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2780 "2017-01-17 22:07:34.022" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."

I don't know what has gone wrong. Would you mind giving me some hints to solve the problem ?

Best regards,
WC Tsang

[mattg]

I'd bet that the private key file is not accessible to the user that the hMailserver service runs under (typically local system), ie I think that your key file is not installed on a local hard drive where your hMailserver is installed.

If it is, check the file permissions for that file

[wctsang]

Dear Mattg,

Thank you for your information. I did aware of this problem. As I learned in some other essays, I put the private key file under the data directory of hmailserver:

C:\Program Files (x86)\hMailServer\Data\wctsang.online\dkim.wctsang.online.pem

If the hmailserver could access to the data directory, I thought it could access the private key in the same folder as well. However, this combination was just not working. There are five parties who have access right to the private key file:

System
Administrators
All application packages
All restricted application packages (I am not sure if this is correct as it is translated from Chinese)
Users

The first two parties have full control right while the rest have only read and execute right.

May I ask what party I need to add and what right should be assigned before the hmailserver can access my private key file. Hope that you can spend a little time to help me.

Best regards,
W.C. Tsang

[mattg]

What user does the hMailserver SERVICE run under?

[wctsang]

Dear Mattg,

I logged in the computer by using my email address as User Name and the associated password. I gave this User a full control right to access all files under the hmailserver directory. After that, I started the hmailserver administrator and try to send an email from the mail@wctsang.online to my gmail account through the server. The same error was found in the log file as shown below:

"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."

Is there some other area which I need to check ?

Best regards,
W.C. Tsang

[jimimaseye]

You have misunderstood Mattg's question.

What windows account does your Hmailserver SERVICE run under ("SYSTEM", "LOCAL SERVICE", ...?) Look under your system PROCESSES. That is the windows user/account that the directories need to have access to.

[wctsang]

Dear Jimimaseye,

Thank you for your clarification on Mattg's question. As I mentioned before, I am a very green hand in setting a server. Sorry that I even don't understand your hints.

I checked the service list in my computer. I found the the service hMailAdmin.exe is run under the username WCT with a description of Administrator. The service hMailServer.exe is run under SYSTEM with a description of hMailServer.

I assigned a full control right to both of the users to access my private key, but the problem persists. The log file is shown below:

"DEBUG" 2864 "2017-01-21 00:00:04.834" "SMTPDeliverer - Message 94 - Connection failed: Host name: 74.125.203.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:04.834" "Ending session 540"
"DEBUG" 2768 "2017-01-21 00:00:04.849" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:04.849" "Starting external delivery process. Server: alt1.gmail-smtp-in.l.google.com (209.85.235.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:04.865" "Creating session 541"
"TCPIP" 2768 "2017-01-21 00:00:04.865" "Connecting to 209.85.235.27:25..."
"DEBUG" 2864 "2017-01-21 00:00:25.908" "SMTPDeliverer - Message 94 - Connection failed: Host name: 209.85.235.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:25.908" "Ending session 541"
"DEBUG" 2768 "2017-01-21 00:00:25.923" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:25.923" "Starting external delivery process. Server: alt2.gmail-smtp-in.l.google.com (74.125.69.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:25.939" "Creating session 542"
"TCPIP" 2768 "2017-01-21 00:00:25.939" "Connecting to 74.125.69.27:25..."
"DEBUG" 2864 "2017-01-21 00:00:46.982" "SMTPDeliverer - Message 94 - Connection failed: Host name: 74.125.69.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:46.982" "Ending session 542"
"DEBUG" 2768 "2017-01-21 00:00:46.997" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:46.997" "Starting external delivery process. Server: alt3.gmail-smtp-in.l.google.com (173.194.219.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:47.013" "Creating session 543"
"TCPIP" 2768 "2017-01-21 00:00:47.013" "Connecting to 173.194.219.27:25..."
"DEBUG" 2864 "2017-01-21 00:01:08.056" "SMTPDeliverer - Message 94 - Connection failed: Host name: 173.194.219.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:01:08.056" "Ending session 543"
"DEBUG" 2768 "2017-01-21 00:01:08.071" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:01:08.071" "Starting external delivery process. Server: alt4.gmail-smtp-in.l.google.com (209.85.144.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:01:08.087" "Creating session 544"
"TCPIP" 2768 "2017-01-21 00:01:08.087" "Connecting to 209.85.144.26:25..."
"DEBUG" 2864 "2017-01-21 00:01:29.130" "SMTPDeliverer - Message 94 - Connection failed: Host name: 209.85.144.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:01:29.130" "Ending session 544"
"DEBUG" 2768 "2017-01-21 00:01:29.145" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:01:29.145" "Summarizing delivery result"
"DEBUG" 2768 "2017-01-21 00:01:29.161" "Summarized delivery results"
"DEBUG" 2768 "2017-01-21 00:01:29.161" "SD::RescheduleDelivery_"
"DEBUG" 2768 "2017-01-21 00:01:29.180" "Retrieving retry options."
"DEBUG" 2768 "2017-01-21 00:01:29.182" "Starting rescheduling."
"APPLICATION" 2768 "2017-01-21 00:01:29.182" "SMTPDeliverer - Message 94: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG" 2768 "2017-01-21 00:01:29.182" "PersistentMessage::SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:01:29.198" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:01:29.198" "Message rescheduled for later delivery."
"APPLICATION" 2768 "2017-01-21 00:01:29.198" "SMTPDeliverer - Message 94: Message delivery thread completed."
"DEBUG" 2912 "2017-01-21 00:04:28.594" "Creating session 545"
"TCPIP" 2912 "2017-01-21 00:04:28.607" "TCP - 209.85.214.52 connected to 192.168.0.109:25."
"DEBUG" 2912 "2017-01-21 00:04:28.613" "TCP connection started for session 539"
"SMTPD" 2912 539 "2017-01-21 00:04:28.628" "209.85.214.52" "SENT: 220 DESKTOP-67DITK8 ESMTP"
"SMTPD" 2876 539 "2017-01-21 00:04:28.807" "209.85.214.52" "RECEIVED: EHLO mail-it0-f52.google.com"
"SMTPD" 2876 539 "2017-01-21 00:04:28.823" "209.85.214.52" "SENT: 250-DESKTOP-67DITK8[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD" 2864 539 "2017-01-21 00:04:29.007" "209.85.214.52" "RECEIVED: AUTH PLAIN AG1haWxAd2N0c2FuZy5vbmxpbmUARmF0ZmF0ZG9nMjAwMyE="
"SMTPD" 2864 539 "2017-01-21 00:04:29.023" "209.85.214.52" "SENT: 235 authenticated."
"SMTPD" 2912 539 "2017-01-21 00:04:29.207" "209.85.214.52" "RECEIVED: MAIL FROM:<mail@wctsang.online> SIZE=1085"
"SMTPD" 2912 539 "2017-01-21 00:04:29.223" "209.85.214.52" "SENT: 250 OK"
"SMTPD" 2860 539 "2017-01-21 00:04:29.417" "209.85.214.52" "RECEIVED: RCPT TO:<wctsang2011@gmail.com>"
"SMTPD" 2860 539 "2017-01-21 00:04:29.434" "209.85.214.52" "SENT: 250 OK"
"SMTPD" 2864 539 "2017-01-21 00:04:29.612" "209.85.214.52" "RECEIVED: DATA"
"SMTPD" 2864 539 "2017-01-21 00:04:29.627" "209.85.214.52" "SENT: 354 OK, send."
"DEBUG" 2860 "2017-01-21 00:04:29.827" "Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG" 2724 "2017-01-21 00:04:29.827" "Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG" 2724 "2017-01-21 00:04:29.849" "Saving message: {9F027F91-CE9D-4539-9BE7-544EE5BE05A0}.eml"
"DEBUG" 2724 "2017-01-21 00:04:29.865" "Requesting SMTPDeliveryManager to start message delivery"
"SMTPD" 2724 539 "2017-01-21 00:04:29.865" "209.85.214.52" "SENT: 250 Queued (0.224 seconds)"
"DEBUG" 2748 "2017-01-21 00:04:29.881" "Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG" 2768 "2017-01-21 00:04:29.881" "Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG" 2768 "2017-01-21 00:04:29.896" "Delivering message..."
"APPLICATION" 2768 "2017-01-21 00:04:29.896" "SMTPDeliverer - Message 95: Delivering message from mail@wctsang.online to wctsang2011@gmail.com. File: C:\Program Files (x86)\hMailServer\Data\{9F027F91-CE9D-4539-9BE7-544EE5BE05A0}.eml"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Applying rules"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Performing local delivery"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Local delivery completed"
"DEBUG" 2768 "2017-01-21 00:04:29.928" "Signing message using DKIM..."
"ERROR" 2768 "2017-01-21 00:04:29.928" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2768 "2017-01-21 00:04:29.928" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2768 "2017-01-21 00:04:29.944" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."
"TCPIP" 2768 "2017-01-21 00:04:29.950" "DNS MX lookup: gmail.com"
"TCPIP" 2768 "2017-01-21 00:04:29.997" "DNS - MX Result: 5 IP addresses were found."
"DEBUG" 2768 "2017-01-21 00:04:30.012" "Starting external delivery process. Server: gmail-smtp-in.l.google.com (74.125.203.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:04:30.028" "Creating session 546"
"TCPIP" 2768 "2017-01-21 00:04:30.049" "Connecting to 74.125.203.26:25..."
"SMTPD" 2912 539 "2017-01-21 00:04:30.049" "209.85.214.52" "RECEIVED: QUIT"
"SMTPD" 2912 539 "2017-01-21 00:04:30.065" "209.85.214.52" "SENT: 221 goodbye"
"DEBUG" 2864 "2017-01-21 00:04:30.065" "Ending session 539"
"DEBUG" 2864 "2017-01-21 00:04:51.103" "SMTPDeliverer - Message 95 - Connection failed: Host name: 74.125.203.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:04:51.103" "Ending session 546"
"DEBUG" 2768 "2017-01-21 00:04:51.123" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:04:51.124" "Starting external delivery process. Server: alt1.gmail-smtp-in.l.google.com (209.85.235.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:04:51.140" "Creating session 547"
"TCPIP" 2768 "2017-01-21 00:04:51.156" "Connecting to 209.85.235.27:25..."
"DEBUG" 2864 "2017-01-21 00:05:12.176" "SMTPDeliverer - Message 95 - Connection failed: Host name: 209.85.235.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:12.176" "Ending session 547"
"DEBUG" 2768 "2017-01-21 00:05:12.176" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:12.176" "Starting external delivery process. Server: alt2.gmail-smtp-in.l.google.com (74.125.69.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:12.195" "Creating session 548"
"TCPIP" 2768 "2017-01-21 00:05:12.198" "Connecting to 74.125.69.27:25..."
"DEBUG" 2864 "2017-01-21 00:05:33.216" "SMTPDeliverer - Message 95 - Connection failed: Host name: 74.125.69.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:33.223" "Ending session 548"
"DEBUG" 2768 "2017-01-21 00:05:33.223" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:33.238" "Starting external delivery process. Server: alt3.gmail-smtp-in.l.google.com (173.194.219.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:33.254" "Creating session 549"
"TCPIP" 2768 "2017-01-21 00:05:33.254" "Connecting to 173.194.219.26:25..."
"DEBUG" 2864 "2017-01-21 00:05:54.294" "SMTPDeliverer - Message 95 - Connection failed: Host name: 173.194.219.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:54.294" "Ending session 549"
"DEBUG" 2768 "2017-01-21 00:05:54.310" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:54.310" "Starting external delivery process. Server: alt4.gmail-smtp-in.l.google.com (209.85.144.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:54.329" "Creating session 550"
"TCPIP" 2768 "2017-01-21 00:05:54.329" "Connecting to 209.85.144.27:25..."
"DEBUG" 2864 "2017-01-21 00:06:15.351" "SMTPDeliverer - Message 95 - Connection failed: Host name: 209.85.144.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:06:15.351" "Ending session 550"
"DEBUG" 2768 "2017-01-21 00:06:15.367" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "Summarizing delivery result"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "Summarized delivery result"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "SD::RescheduleDelivery_"
"DEBUG" 2768 "2017-01-21 00:06:15.398" "Retrieving retry options."
"DEBUG" 2768 "2017-01-21 00:06:15.398" "Starting rescheduling."
"APPLICATION" 2768 "2017-01-21 00:06:15.414" "SMTPDeliverer - Message 95: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG" 2768 "2017-01-21 00:06:15.414" "PersistentMessage::SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:06:15.414" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:06:15.414" "Message rescheduled for later delivery."
"APPLICATION" 2768 "2017-01-21 00:06:15.432" "SMTPDeliverer - Message 95: Message delivery thread completed."

I appreciate if you can give me some guidance. Should it be too troublesome for you to look into the problem for me, I would understand if you stop here. I would not be too disappointed if I fail to set up the mail server. Thank you for your help and Mattg's help.

Best regards,
W.C. Tsang

[jimimaseye]

I suggest you remove the certificate setting and go through the process from the start being careful to follow it carefully. You either have the individual files incorrectly formatted, you have not set the parameters right (or you have the permissions incorrectly set ).

[Dravion]

This Guide works partwise for me:

Used DNS-Server: Bind9 64-Bit on Windows 10 x64

DKIM TXT Record is valid and properly configured, see dig diag output:

C:\>dig incubator.net.projects._domainkey.incubator.net.projects TXT

; <<>> DiG 9.10.4-P2 <<>> incubator.net.projects._domainkey.incubator.net.projects TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;incubator.net.projects._domainkey.incubator.net.projects. IN TXT

;; AUTHORITY SECTION:
incubator.net.projects. 86400 IN SOA ns01.incubator.net.projects. hostmaster.incubator.net.projects. 2003080869 28800 7200 2419200 86400

;; Query time: 1 msec
;; SERVER: 194.241.203.104#53(194.241.203.104)
;; WHEN: Sun Mar 19 06:57:41 W. Europe Standard Time 2017
;; MSG SIZE rcvd: 137

But:
In Thunderbird no DKIM Headers are shown. hMailServer logs doesnt list any Error. The private key DKIM key in use is pointing to: C:\Program Files x86)\hMailServer\Data\incubator.net.projects\dkim.incubator.net.projects.pem

This is a test private key, no production domain so this private key can be published:

File: dkim.incubator.net.projects.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAmpUvH5OGlNyd4aKZSjohqfXrpgBaJq1syCmDbSZqYiUqX4nu
LiDf6bXpQmI/3/T57nf5N83c+hLCiQvalBX9dlFP02SWTR3Z3rMhXO8ctvK89qsj
FRkg/gYBWEKTttVQdi/ASeDw9ekDtuh2j2JwOoGnpxjyHlQB0WuVErS51GqZlnyE
tFlR2vu1DGTGSYXJSYaAHlhqujCC0OYCOzBNH1jt9F0HhY3GPBguj8ar1aHJxLd8
W3wCw1bvkWDgB3Jaspwy5wTnh9cbwknJmgyRqi4ms18NHXJkXfEDU+7CFWtLAGsV
Y06kE2myC3/ubWJeGfDNzp8eJFhRMiFMFsAdYwIDAQABAoIBAEqc8YbrPU2DA03S
nuzeDDuuMNUKXHlIwjYHG6HGphjDWaWNvQJU6d8z5+gb5jriUvTQweE2o4+tGGrv
5swNpS7D5qTha07DttKwYc0quRBxL9ZcGm3nmC4kleeVExlv8wto1waR5Zy8oQdb
Q0bIO+VxiYu1FcCfydTcebLyurOVFIcRziJ4SJlJe+GZ23xKBbuJ0VnKivjxPyG8
kpFgAcThy3jH4oAI1xK25383giuS7GNklaFFYlHZnmfXIDULYn/UMIWcLtpRyWlm
n+yA+mvWHnzQSJkl6V9G741qJTG0Q2DFt1HCgsczy3mYLKEKvap21WQVn/8dIvMV
f1ZzC4ECgYEAyg99FGQfAsRgN0F39NA3T8tOiGaskm/8VHW1C1p/Atvsgp4Z8XRC
2aa4lvDGcklFodrOCV/w2FL3eukIHTY/fhla/xaGCMLoltG7eXQdSbfKbEuKSfIV
gy8z5fVXkNmAHuF1h2RXiIN2sihYFl5FxW7DOweWNu7ZMPHbhu57nCMCgYEAw9kj
HkhLHf4gPppxcU5F3yqn5nd87sixWAzvpyO+tPGZwJs1vzll3UBPXU2kziPIrDqK
dJxETOFM7d45cQFrQZIq/BrpUb92wYNLZijbY7b74vm0uDdgYz+uvkatxC9B/cwg
5BVeF6wG0kwfTeN/HNCHyP3tnyLwTbDAPk6h7cECgYB1nCJPth8euzLNtrudsXwg
Y9PoLOsRqUET4Bdq7lezUFMPi/rJwcQPb61NngPEDcYL+ZGnf0Juh4wo7G6eoi6+
tP90LqYBf4FmF9mpTd6mQ+X8ttNdSx0eaGEq3m0DkLW0Q8Lm9Y7FlM+Hz1fGXUT7
MAdO2pGik8+zX3NJzJICRQKBgQCvlMTySjfmDMXVulrIDTeBKtnaOfeskArGeNqG
SvqXeB6y2bOm24uifxxn9ssw8E3hcp5cixiEoFx6yQdQc8g3whZ9bJcO7gtG1DHN
xgVicVODmwDVQvhMInTEK9NvljqgkdhPA4UWzehTs2FBUBrOt3l0zYqyZ/1ueW7w
rUhpQQKBgQCIQRQQUBfbpIJ7a6nza8+Pygojq+BPZJXgHcH4CjhkNnmeXDLRSEao
qWojUMwgOHTe4GmCSwxsPkp2hygDSUPBWJ79oCZoIvSxaUtul6BDY/EfXIvYEVCp
unFN4ENy2tFcelPyFmenfymSQ7yMn26jMpdCmtVvmQQdmPBIojNsdQ==
-----END RSA PRIVATE KEY-----

Strange..
If i check it against my postfix smtp server it looks a bit diffrent in tb

Return-Path: <dravion@ht-foss.net>
X-Original-To: dravion@ht-foss.net
Delivered-To: dravion@ht-foss.net
Received: from [194.241.x.x] (ipservice-x-x-x-x.x.x.pools.vodafone-ip.de [92.x.x.x])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by mail.ht-foss.net (Postfix) with ESMTPSA id E12095FBC1
for <dravion@ht-foss.net>; Sun, 19 Mar 2017 07:48:27 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ht-foss.net E12095FBC1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ht-foss.net;
s=default; t=1489906107;
bh=d7CQacLKD150owFlBotSe5qZaRCEb86xnQ+sdzOnRBI=;
h=Reply-To:To:From:Subject:Date:From;
b=exNQCbkU1dTQgI4amaeX/6kbTHWv6bJi+lX/1bMQWltOkDd3II5pDV4M/1ILis+Ux
F46KMV/bDUGa//PU919/G6B473zTcaczZw6FqPhKQi1roYf/o/Dwi9cqxZpKruYScP
F5am4E/+Zp0CMN1H4rUVDOnTbjJq1vmxnfyr1kog=
Reply-To: dravion@ht-foss.net
To: "dravion@ht-foss.net" <dravion@ht-foss.net>
From: "dravion@ht-foss.net" <dravion@ht-foss.net>
Subject: DKIM-Production Server (Postfix) TestSubject
Organization: dravion@ht-foss.net
Message-ID: <ffeefc41-9000-c376-ae28-ceaa6716f609@ht-foss.net>
Date: Sun, 19 Mar 2017 07:48:23 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-EsetId: 37303A29335C9C6A627366

DKIM-Production Server (Postfix) TestBody

[jimimaseye]

; <<>> DiG 9.10.4-P2 <<>> incubator.net.projects._domainkey.incubator.net.projects TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;incubator.net.projects._domainkey.incubator.net.projects. IN TXT

;; AUTHORITY SECTION:
incubator.net.projects. 86400 IN SOA ns01.incubator.net.projects. hostmaster.incubator.net.projects. 2003080869 28800 7200 2419200 86400

;; Query time: 1 msec
;; SERVER: 194.241.203.104#53(194.241.203.104)
;; WHEN: Sun Mar 19 06:57:41 W. Europe Standard Time 2017
;; MSG SIZE rcvd: 137

So where is the output showing the DKIM record? (It says " ANSWER: 0".) It should show the record :

eg

"v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUujv4GC5tQ65WcHAdeOY2PdSL7mrRUdvV7r0xWmbltLvVXeSU7WQvIwDhJO8YkJkY1HhVkAeAX6XMhf3UQVvO1Sbq46fyvKgjXXyb+qQ+b622k3ijwhJ7Lj478xk8cXShky3Gs7dopul+IG7ap+OAzdot/rFVIjkzby1osPLLvQIDAQAB"

Did you note the warning in Step 2?

Important Note: if you are using/administering a BIND dns server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;'

[Dravion]

Of cause.

If you use a wrong quotation in bind it simply doesnt load the entire zone file.
The DKIM PublicKey TXT entry can be accessed via DIG and HOST query (see above)

[jimimaseye]

The DKIM PublicKey TXT entry can be accessed via DIG and HOST query (see above)

When I use google's DIG to view my record in shows as:

id 29855
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
dkim._domainkey.mydomain.co.uk. IN TXT
;ANSWER
dkim._domainkey.mydomain.com. 299 IN TXT "v=DKIM1; t=s; k=rsa; p=PQGMA0GCSqGSIb3DQEBAQUAA4FGHYCBiQKBgQDUujv4GC5tQ65WcHAdeOY2PdSL7mrRUdvV7r0xWmbltLvVXeSU7WQvIwDhJO8YkJkY1HhVkAeAX6XMhf3UQVvO1DFq46fyvKgjXXyb+qQ+b622k3ijwhJ7Lj478xk8cXShky3Gs7dopul+IG7ap+OAzdot/rFVIjkzby1osPLLvQIDAQAB"
;AUTHORITY
;ADDITIONAL

That looks a different output to yours (I cant see your Dkim record output as the answer).

[stan2020]

The tutorial works great, but you have to be careful with copy-and-pasting the public key into the TXT record.

When I pasted my public key from port25.com into a new TXT field, some extra spaces were added in the key. The extra spaces were added where there was a new line in the public key, however there should be no spaces and all of the public key should be on 1 line. I am using Namecheap.

You can test if your DKIM record is set - here: https://mxtoolbox.com/dkim.aspx and here https://www.mail-tester.com

[ucevista]

Hi friends.

I followed tis tutorial for two domains, one for testing and one for production, and all was fine except qhen I tried to validate el DKIM at dkimvalidator.com, always the probles was "no public key" but it was ok when I search for it with dnswatch.info. What was happening? Me! I have not interpreted so well this line of this guide:

key: dkim._domainkey.YOURDOMAIN.COM

Value: v=DKIM1; t=s; k=rsa; p=The_Long_String_Of_Text_From_Your_Clipboard_Above
(ensure the single spaces between parameters are included)

I made the dns record with ky1 as key (instead dkim as suggested) and I wrote:

key: dkim._ke1.YOURDOMAIN.COM

and that's incorrect. The word "domainkey" has to be as is in the DNS record. The only thing you have to change and it must match with the selector you have used at port25.com and at the text field "selector" of DKIM configuration of HMS is the first one of the line, the one I marked in bold before (in this case, dkim).

I post this for information and help for someone that may have the same problem as me.

Thanks a lot for this tutorial, is great!!!

[jimimaseye]

My instructions reflect what is required - no 'alternative' rework of instructions or explanation is required. (You have effectively said the same thing after initially doing something wrong and then correcting yourself.)

[Luket]

Thanks a lot. Cristal clear !

[andrew.concord]

Hi,

I use hMailServer to send mail.
The email is prepared by another windows application, this app then sends it to the local ip address where i have hMailserver installed and hMailserver actually sends it out (not relaying to another smtp server, it sends it).

This works perfectly.

I added a DKIM signature as per the instructions (e.g. for myactualdomain.com) then sent a test to mail.tester.com, it worked perfectly, my mail score increased .

However, I later realised that any mail to someone@myactualdomain.com was no longer being sent, hMailserver was rejecting it with a 550 Unknown user, I tried adding an account under the domain tab for someone@myactualdomain.com, but that appears to have stopped the mail going out, it looks to be storing locally in hMailserver now.

I don't want hMailserver receiving mail for ...@myactualdomain.com I want all mail sent out to the recipient, can I have all sent mail DKIM signed?
If so, how?

[mattg]

Add an SMTP route for 'myactualdomain.com' pointing to the externally server that actually hosts that domain

[andrew.concord]

Perfect, thanks!

[glue]

Thanks, really easy to setup and get running

just a questing bout the txt record why have t=s
is that just a for testing and should be removed of should i leave it with it

[mattg]

I think that the t=s is required when you are NOT testing, and that it stipulates that a sub-domain won't have the same DKIM key

http://dkim.org/specs/rfc4871-dkimbase.html
3.6.1 & 7.8

I think that says that t=y would indicate testing

Mine passes all validation tests etc with t=s

[glue]

oh yah, your correct thank you

[mlgt]

This still works great guys

I've just add DKIM to my hmailserver and gmail accepted my signature OK
Had some issues and doubts but finally got the "SIGNED BY: mydoomain.com" IN ALL my emails

Thanks a lot

[jtreml272]

Hi guys,

i have followed this tutorial but, I am still not able to make it work. I am getting this error. Any advise please?

Thanks you in advance

josef

Code: Select all

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          treml.org
s= Selector:        dkim
q= Protocol:        dns/txt
bh=                 JOUgfYHbw3QW/Gs7RHp/R5KX7j8765pioFHLSiqzdR0=
h= Signed Headers:  From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type
b= Data:            ZwsWvnpXY7UVN9jMDGuVyQzqo0rjTNjLscoph92b7rCNbK4+G+OjslMscLoN5vATPjrMfUu7VEZmqCkVwnO5CzpKnqp80jXd+2PsOUZ7017yiZW1A01HNfsBj8tO+tPNU5S3IE5wQL4T+l5tY+pfbSkdMwFTm8OUS5kQ93rWizg=
Public Key DNS Lookup

Building DNS Query for dkim._domainkey.treml.org
Retrieved this publickey from DNS: v=DKIM1; t=s; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7UVFdYXFNYnOadOfgLJHC8ozfC46Fa6guyPucgDlEqGfqWY83LbdXZYlJjpy5XVqd02qaZJo/EwsaAooSxl6MbgogAqAVfszPYd62B0ksPuJWwlg1IdqG2z5Bo+EHZbBxmSVWizdpP3EomUgktV2dArwhMhoFXV0gzbkDzhg4QIDAQAB
Validating Signature

result = invalid
Details: public key: OpenSSL error: bad base64 decode

[jimimaseye]

What's that output from? Can it be trusted?

Assuming it can and is representative of the problem:

bad base64 decode

You have mistyped one of the keys - it can't be decoded.

Try again following carefully. (No one can help you with what you type - the instructions work).

But really, what other evidence do you have that your have a problem? Start a thread to discuss.

[Entered by mobile. Excuse my spelling.]

[Aughen]

Having an issue adding the key to GoDaddy. If I enter the Host as dkim._domainkey.aughen.com I cannot validate it at //www.dnswatch.info. If i switch the host to @ i can instantly validate the key. I am not sure if there is another DNS entry that hast to be made?

[jimimaseye]

Having an issue adding the key to GoDaddy. If I enter the Host as dkim._domainkey.aughen.com I cannot validate it at //www.dnswatch.info. If i switch the host to @ i can instantly validate the key. I am not sure if there is another DNS entry that hast to be made?

Someone else recently had a similar experience and said the same thing about GoDaddy - it seems they do things differently.

A GoDaddy host:

Instead of dkim._domainkey.YOURDOMAIN.COM.

Seemingly should just be

dkim._domainkey

As long as you have your solution and are now passing validation you are ready to go.

[Entered by mobile. Excuse my spelling.]

[fhuelsbeck]

Hello all. I'm running hMailServer version 5.6.7-B2425. I have configured DKIM with keys signed by a public CA and the logs show email is being signed. I've parsed the entire log and there are no errors regarding the signing keys or any other errors already discussed in this thread.

"DEBUG" 2460 "2021-02-11 09:27:29.330" "Signing message using DKIM..."

However the email header shows the message is not signed.

dkim=none (message not signed)

Any assistance is greatly appreciated.

[mattg]

Is that at the recipeint's mail server ?

If you have a gmail account send a message to that, they show good info on DKIM signing

[fhuelsbeck]

I tested using sparkpost dkim validator and indeed the header is missing. I read a post indicating keysize 2048 failed for a different user and 1024 resolved the issue. My key is 4098, pretty standard now, and wonder if that could be the issue.

[fhuelsbeck]

I generated a self signed cert keysize 1024 and that also fails validation by sparkpost. All suggestions greatly appreciated.

[mikedibella]

I have configured DKIM with keys signed by a public CA

I generated a self signed cert keysize 1024 and that also fails validation by sparkpost. All suggestions greatly appreciated.

I'm confused by the process you are describing to generate your DKIM key-pair. I just used openssl:

Code: Select all

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM

No X.509 operations are involved.

Can you describe your process in more detail?

[M*I*B]

I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?

[SorenR]

I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?

Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

[M*I*B]

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

Thanx a lot. I had already figured that out and answered my question completely.

[SorenR]

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

Thanx a lot. I had already figured that out and answered my question completely.

Sometimes you need to trust the little voice inside yourself

[M*I*B]

Sometimes you need to trust the little voice inside yourself

[Maikl]

Thanks a lot for this how-to. Worked like a charm for me!

Michael

[alfred0809]

This Worked like a charm for me aswell ! Thanksss!!

[RvdH]

I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?

Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work

[SorenR]

I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?

Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work

https://github.com/hmailserver/hmailserver/pull/383

#386 was added about a month after I responded to M*I*B...

[RvdH]

Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.

Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work

https://github.com/hmailserver/hmailserver/pull/383

#386 was added about a month after I responded to M*I*B...

Oops
My fault, i only saw this topic got bumped and didn't pay attention to the dates