Solved DKIM exists but outgoing emails are not signed

Hello,
My maillog shows that my outgoing messages are signed.

An excerpt of mail log is this:
Code:
 Dec 17 09:07:29 mail opendkim[66365]: CD7D6C09298: DKIM-Signature field added (s=default, d=DOMAINNAME)

At the same time, the DKIM tester (http://dkimcore.org/c/keycheck) shows that I have a valid DKIM.

Below is the dkim result from the above URL:

http://dkimcore.org/c/keycheck
Code:
DKIM Record for default._domainkey.DOMAINNAME

v=DKIM1; k=rsa; p=fgsdlgnkl;sklsDQEBAQUAA4GNADCBiQKBgQDnjZjSovGHATRioIS1
qznMMyllmdyHWsfglmh;h'mdhlk'mlhbdpWgG/DE+DU2Ro6lsDZjNpjAQUOG4d4b4huXSDLr8
Dwnsglknmkg;jn;kntrmgksnrk'nmrGgwz3MtpGQ0GNRce43UAZj7fvNBCvy4uOJUiT61KkzA
gs;ngsfdnkns

This is a valid DKIM key record


Port25verifier(check-auth@verifier.port25.com), on the other hand, shows:
Code:
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         none
SpamAssassin check: ham




Whenever I send an email to a contact or a dkim tester to check my dkim signature, the tester would report that there is no DKIM signature in my message. I also don't find the signature in the raw message/source at the recipient's emailbox.

I have spent the last two days (YES!) on this issue. I saw dkim signatures in outgoing messages about 6months ago but I did not notice that they had stopped until now. I am using postfix with several domains. I also use a third-party outbound smtp as transport for some difficult email addresses (e.g. Micorsoft). The third-party dkim/spf are added to the dns too. I have also got dmarcand _adsp.domainkey set.

Code:
TXT _adsp._domainkey dkim=all {recently changed during troubleshooting from unknown} ........
TXT _dmarc v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r;fo=......

I have done practically all I could imagine - e.g. changing from tcp socket for opendkim (inet:8931@localhost) to unix socket (local:/var/spool/postfix...opendkim.sock), made several changes to postfix master & main files, upgraded opendkim, installed dkimproxy/perl dkim lib, etc - but no luck. May be, I should delete godaddy entries in my dns (CNAME _domainconnect _domainconnect.ss.domaincontrol.com && SRV _autodiscover._tcp.@ 0 0 443 autodiscover.secureserver.net ). But I would not expect them to be the problem. I can't think of anything else. Someone using DKIM with Exim had a similar problem and it was fixed for him; but that thread would not help either.
 
Where did you sign the Mails ? On the Server or the Gateway ? Could it be possible that this third party gateway rewrite the mail and cut the DKIM signature from your server ?
 
Thanks no-pain-no-gain for your question. The mails are signed on our server/gateway. And the third party gateway could rewrite the DKIM signatures for the emails that go through them. We have already been provided with settings needed to do the signing of dkim/spf for the messages channeled through them.

Interestingly, I have resolved the matter. It took another two days or so. I am however unable to pin down the problem to a cause. I had tried several other measures in fixing it, such as re-configuring & re-deploying amavisd & its milter (but won't fix it) and resetting/restoring the servers (pf, postfix,etc) to the last two months when it all worked (but it won't help much either). The long and the short of it is that there are about two ways of getting DKIM to work and both can be tricky. For the first approach, one could get opendkim with its milter to do the job over a unix socket. And for the second approach, one could get amavisd with its milter to do the job over a tcp socket. You choice approach would also depend on the kind of packages, particular anti-virus (amavis/maia/mailzu vs mailscanner), that make your email suite.

I hope someone would find these narrations helpful sometime in the near future.
 
Back
Top