DKIM not working

I tried to set up DKIM with no success.

1. I used (on my local Linux box) openssl to generate a 1024-bit RSA key pair.

2. I added the public key into DNS and let it propagate (for the moment with testing mode "t=y")

$ host -t txt testing._domainkey.mydomain.example 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

testing._domainkey.mydomain.example descriptive text "v=DKIM1;k=rsa;t=y;p=MIGfMA0......DwIDAQAB"

3. I configured the UTM as follows

Private key =

-----BEGIN PRIVATE KEY-----
MIIC...
...
...
...
-----END PRIVATE KEY-----

selector = testing

DKIM-Domains = mydomain.example

4. I used https://www.appmaildev.com/en/dkim to check. Result:  DKIM-Result: none (no signature)

Why is no signature added?
According to the result at the receiving end, the mail is from the specified DKIM domain:

From: "Real Name" <username@domain.example>



Top Replies

  • Apparently, my mistake was with step 1 (though I for sure do know how to generate key pairs). I don't recall which guide I followed (I am sure it was not by you), but that guide made me generate the keys per

            openssl genpkey -algorithm RSA  ...

    Meanwhile I managed to find a matching thread - no idea why searching for "RC -101" previously gave me no better results. According to that, I regenerated keys per

           openssl genrsa ...

    and that key pair worked instantly. I am still scratching my head about the reasons (perhaps genpkey generated a key protected by no keyword instead of one not protected by a keyword?), but who cares when it works fine now ...
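
Added example, not part of the thread and not Sophos code: the key pasted in the question begins with `-----BEGIN PRIVATE KEY-----`, the unencrypted PKCS#8 container that `openssl genpkey` writes, whereas `openssl genrsa` in OpenSSL releases before 3.0 writes the traditional PKCS#1 form (`-----BEGIN RSA PRIVATE KEY-----`). This Python sketch tells the containers apart by PEM label and DER structure. That the UTM refused to sign because of the container is an assumption the thread does not confirm, and the sample keys are constructed toy DER, not real key material.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_private_key(pem_text):
    """Return (PEM label, container format) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        return (None, "not PEM")
    label, body = m.groups()
    if "Proc-Type: 4,ENCRYPTED" in body:     # legacy passphrase-protected PKCS#1
        return (label, "PKCS#1 encrypted")
    der = base64.b64decode("".join(body.split()))
    tag, start, _ = read_tlv(der, 0)         # outer SEQUENCE
    first, _, first_end = read_tlv(der, start)
    if tag != 0x30 or first not in (0x02, 0x30):
        return (label, "unknown")
    if first == 0x30:                        # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        return (label, "PKCS#8 encrypted")
    second = read_tlv(der, first_end)[0]     # element after the version INTEGER
    return (label, {0x30: "PKCS#8", 0x02: "PKCS#1"}.get(second, "unknown"))

# Constructed toy DER (tiny numbers, not real keys), only to exercise the classifier.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
RSA_ALG = tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")  # rsaEncryption, NULL
PKCS1 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x00\xc1") + tlv(0x02, b"\x01\x00\x01"))
PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, RSA_ALG) + tlv(0x04, PKCS1))
SAMPLES = {
    "genrsa_style": pem("RSA PRIVATE KEY", PKCS1),
    "genpkey_style": pem("PRIVATE KEY", PKCS8),
    "legacy_encrypted": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_private_key(text))
```

A PKCS#8 key can be rewritten in the traditional form with `openssl pkey -in key.pem -traditional -out key_rsa.pem` (file names are placeholders).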

  • Hello Hagman!

     Thank you for contacting the Sophos Community!

    What is the output of dig nameofthekey._domainkey.domain.com TXT +short

    Regards,
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • "v=DKIM1;k=rsa;t=y;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPSj8NGDf71/tmIKyJ3Ymbdgx4IGGxGVQCvj97AhN50uKw6qBpkMNBA8JCz0f4LfyV/2OM7R+WXSKtt/5cQD5mbYQku/5wbjqTJJDMVvBk10TAp636Z/s+zQC9/piaLAzqv/DSnGnxCXAzxK8rxdK5fetzAkf8Iw9vb2ChbbVjDwIDAQAB"

    (cf. the equivalent host command in my post)

    Does that even matter? I mean, a problem with the DNS record would certainly lead to failure in verification of the DKIM signature at the receiving end - but the DKIM signature is not even applied! at my sending end?

    In other words: Does your question mean that UTM does the DKIM signing if it is able to verify that the corresponding public key DNS record (which is not needed for the signing per se) is resolvable from the (internal-ish) resolver of the UTM instead of merely from all receiving ends who resolve the "official" version of DNS?
