DKIM keys identical for two domains. One is valid, the other is not...

tjk

Hello! I have had a working mailcow instance setup for around a year now thats been working nearly flawlessly. But recently, some of my mails have started getting rejected and bounced back.

Using check-auth@verifier.port25.com, I see that my dkim auth is returning “fail” on one of my domains. However, another domain that is configured using mailcow gets a “pass”.

What is stranger still is that I had not changed a thing. No updates, DNS changes, etc. And to add insult to injury, the domain that is failing dkim test is the main domain set up as the mailcow hostname.

The only difference is that the failing domain is through namecheap and the other is on another registrar. Thats the only one i can find. Using an identical email body & subject, both domains are also producing the same dkim hash for the message.

Both are using the same DKIM key + selector AFAIK. s=email for both and p is identical

So I am really quite lost here. I have no idea what is causing one domain to fail and the other to pass while the hash is exactly the same. Any help is appreciated. Thanks!

esackbauer

tjk domain that is failing dkim test is the main domain set up as the mailcow hostname.

That is asking for trouble. mailcow hostname and mail domains (MX records) should not be the same.

tjk

tjk I have generated new keys for all domains on my mailcow instance, and updated the DNS records.
Mailcow has a check mark next on DKIM current state on the domain DNS check.

The main domain (used as the mailcow hostname + MX record on other domains) has a DKIM failure error. All the others pass without error. I get the error “signature failed to verify” on a test email. Same as before.

[unknown] I am thinking this might be causing my issue. Could you please elaborate on a way I could test whether it is causing my issue or not? Thank you

tjk

esackbauer I see. Both my mx record and mailcow hostname are mail.example.com. Which one should I change and how could I go about changing it?
Thanks

DocFraggle

So you are using two different DNS providers for your domains? Maybe the entry of your failing DKIM entry is due to a format error. I recently found out that one of my domains was failing the DKIM validation despite of being the exact same entry as for all my other domains. Due to the length of the DKIM key the entry is split in multiple parts separated by double quotes. Something must have gone wrong the time I entered the DKIM entry and messed up the whole entry.
What I’m trying to say here is: check your DNS DKIM entry in your DNS console (or wherever), maybe you have a syntax error in it (whitespace inside the key etc.)

tjk

DocFraggle I have checked the text records. Heres the raw text from a DNS query:

Heres the one that fails:
dkim._domainkey.example.com. 300 IN TXT "v=DKIM1;k=rsa;t=s;s=email;p=[PUBKEY]"

Heres the one that passes:
dkim._domainkey.example.net. 300 IN TXT "v=DKIM1;k=rsa;t=s;s=email;p=[PUBKEY]"

Both of the public keys are identical. I checked with diff.

I put each public key into a file a and b, heres the checksums:
e00d02fde7afbe2b4c4fe7d7ca3759ccba417999ef57d786e188b1549414b150 a e00d02fde7afbe2b4c4fe7d7ca3759ccba417999ef57d786e188b1549414b150 b

They are identical records.

If both records are identical and both domains use the same private key, then why should this fail?

I have also just determined that it is not a registrar issue by testing another domain on the same registrar pointing to the same email server.

Now I am really starting to pull my hair out. Only the MAIN domain is having this issue (all other domains MX record point to this main domain, main domain in mailcow, I dont know if there is another term for this).