Hello! I have had a working mailcow instance set up for around a year now that's been working nearly flawlessly. But recently, some of my mails have started getting rejected and bounced back.

Using check-auth@verifier.port25.com, I see that my DKIM auth is returning "fail" on one of my domains. However, another domain that is configured using mailcow gets a "pass".

What is stranger still is that I had not changed a thing: no updates, DNS changes, etc. And to add insult to injury, the domain that is failing the DKIM test is the main domain set up as the mailcow hostname.

The only difference is that the failing domain is through Namecheap and the other is on another registrar. That's the only one I can find. Using an identical email body and subject, both domains are also producing the same DKIM hash for the message.

Both are using the same DKIM key + selector AFAIK: s=email for both, and p= is identical.

So I am really quite lost here. I have no idea what is causing one domain to fail and the other to pass while the hash is exactly the same. Any help is appreciated. Thanks!

    Best answer (set by tjk):

    I fixed the issue. I'm not sure what exactly did it, but I did generate new DKIM keys for each of my domains. That did not fix the issue immediately, but I messed with a few other misc settings and eventually it started to work. Immediately after I generated new keys, the test still failed while showing the new pubkey. So I don't believe that was the only issue, though I would be surprised if it didn't have an effect.

    tjk: "the domain that is failing the DKIM test is the main domain set up as the mailcow hostname."

    That is asking for trouble. The mailcow hostname and the mail domains (MX records) should not be the same.



      esackbauer: I see. Both my MX record and mailcow hostname are mail.example.com. Which one should I change, and how could I go about changing it?
      Thanks

      So you are using two different DNS providers for your domains? Maybe the failing DKIM entry is due to a format error. I recently found out that one of my domains was failing DKIM validation despite having the exact same entry as all my other domains. Due to the length of the DKIM key, the entry is split into multiple parts separated by double quotes. Something must have gone wrong the time I entered the DKIM entry and messed up the whole entry.
      What I'm trying to say here is: check your DKIM DNS entry in your DNS console (or wherever); maybe you have a syntax error in it (whitespace inside the key, etc.).
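As an added example (not from this thread, not mailcow's code and not the poster's script), here is a small Python check that joins the quoted strings of a DKIM TXT answer the way a verifier does and then inspects the p= value for the kind of paste damage described above. Everything in it is constructed: the key is a dummy DER-shaped blob rather than a real public key, and the dig-style answers are built in the script to reproduce a space inside the key, a lost second string and a mistyped character.

```python
"""Check a DKIM TXT record the way a verifier sees it, not the way a web form shows it.

Added example for this thread; neither mailcow's code nor the poster's script.
A 2048-bit RSA public key does not fit in one DNS character-string (255 bytes max),
so the record is published as several quoted strings that the verifier concatenates
(RFC 6376 section 3.6.2.2) before parsing the tags. All input below is constructed.
"""
import base64
import binascii
import re

# Dummy key: 294 bytes shaped like the DER SubjectPublicKeyInfo of a 2048-bit RSA key
# (outer SEQUENCE with a two-byte length of 0x0122), padded with zeros. Not a real key.
_DUMMY_SPKI = b"\x30\x82\x01\x22" + b"\x00" * 290
_DUMMY_P = base64.b64encode(_DUMMY_SPKI).decode()   # 392 base64 characters


def _as_txt_rdata(record: str, chunk: int = 255) -> str:
    """Render a record the way dig prints TXT RDATA: 255-byte quoted strings."""
    return " ".join(f'"{record[i:i + chunk]}"' for i in range(0, len(record), chunk))


GOOD_RECORD = f"v=DKIM1;k=rsa;t=s;s=email;p={_DUMMY_P}"
GOOD_RDATA = _as_txt_rdata(GOOD_RECORD)
# A space pasted into the middle of the key when the form wrapped the long line.
SPACED_RDATA = _as_txt_rdata(GOOD_RECORD[:200] + " " + GOOD_RECORD[200:])
# The second quoted string never made it into the zone.
TRUNCATED_RDATA = GOOD_RDATA.split(" ")[0]
# One character outside the base64 alphabet (a '-' where an 'A' belonged).
BADCHAR_RDATA = GOOD_RDATA.replace("AAAA", "AA-A", 1)


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted character-strings of a TXT answer; DNS adds no separator.

    Unquoted input (a record copied straight out of a zone editor) is returned as is.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata


def parse_dkim_tags(record: str) -> dict:
    """Split a tag=value list; whitespace around '=' and ';' is permitted and dropped."""
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field.strip()!r}")
        name, value = field.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def _der_sequence_length(der: bytes):
    """Total length an outer DER SEQUENCE claims for itself, or None if there is none."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_record(rdata: str) -> dict:
    """Return {'ok', 'problems', 'warnings', 'key_len'} for one TXT answer."""
    result = {"ok": False, "problems": [], "warnings": [], "key_len": 0}
    try:
        tags = parse_dkim_tags(join_txt_strings(rdata))
    except ValueError as exc:
        result["problems"].append(str(exc))
        return result
    if tags.get("v", "DKIM1") != "DKIM1":
        result["problems"].append(f"unexpected v={tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        result["problems"].append(f"unsupported k={tags['k']!r}")
    p = tags.get("p")
    if p is None:
        result["problems"].append("no p= tag")
    elif p == "":
        result["problems"].append("p= is empty, which means the key is revoked")
    else:
        if re.search(r"\s", p):
            # RFC 6376 allows folding whitespace inside base64, but it is a sign of a
            # mangled paste and not every verifier tolerates it: warn, then strip it.
            result["warnings"].append("whitespace inside p=")
            p = re.sub(r"\s+", "", p)
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error as exc:
            result["problems"].append(f"p= is not valid base64 ({exc}): truncated or mistyped?")
        else:
            result["key_len"] = len(der)
            expected = _der_sequence_length(der)
            if expected is None:
                result["problems"].append("p= does not decode to a DER SEQUENCE")
            elif expected != len(der):
                result["problems"].append(
                    f"DER header announces {expected} bytes but {len(der)} decoded: truncated?")
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for label, rdata in [("good", GOOD_RDATA), ("spaced", SPACED_RDATA),
                         ("truncated", TRUNCATED_RDATA), ("bad char", BADCHAR_RDATA)]:
        print(label, check_dkim_record(rdata))
```

To use it on a real domain, paste the RDATA part of `dig +short TXT selector._domainkey.example.com` into `check_dkim_record`; a record that a lookup tool reports as "present" can still fail every check here.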


        DocFraggle: I have checked the TXT records. Here's the raw text from a DNS query:

        Here's the one that fails:
        dkim._domainkey.example.com. 300 IN TXT "v=DKIM1;k=rsa;t=s;s=email;p=[PUBKEY]"

        Here's the one that passes:
        dkim._domainkey.example.net. 300 IN TXT "v=DKIM1;k=rsa;t=s;s=email;p=[PUBKEY]"

        Both of the public keys are identical; I checked with diff.

        I put each public key into files a and b; here are the checksums:
        e00d02fde7afbe2b4c4fe7d7ca3759ccba417999ef57d786e188b1549414b150 a
        e00d02fde7afbe2b4c4fe7d7ca3759ccba417999ef57d786e188b1549414b150 b

        They are identical records.

        If both records are identical and both domains use the same private key, then why should this fail?


        [unknown] Also, I don't know why that happened; this was supposed to be a separate post, lol.
        This is what it was meant to say:

        I have also just determined that it is not a registrar issue by testing another domain on the same registrar pointing to the same email server.

        Now I am really starting to pull my hair out. Only the MAIN domain is having this issue (all other domains' MX records point to this main domain, the main domain in mailcow; I don't know if there is another term for this).

        Hopefully this detail is relevant!

        Thanks for the help so far

        I was talking about the web UI of your DNS provider where you input your DNS entries.
        I experienced this issue with a domain configured in Hetzner DNS. All my domains are configured there, but only one of them was failing the DKIM check due to a format error, because I had input the values in the web UI.
        I fixed it by editing the zone file directly (that's an option if you use the Hetzner DNS console and may not be available with other providers).


          DocFraggle: I gotcha. Yeah, unfortunately when I grabbed the DNS records with a service separate from the registrar it gave me the exact same record. Otherwise it would've been an easy fix. Thanks for the suggestion!

          [unknown] What would a valid value for the mailcow hostname be? Does it have to be related to the mail domain? Or can it just be some arbitrary identifier like a normal Unix hostname?

          Fun fact: external DKIM checks with MXToolbox were successful despite the format error.


            DocFraggle: Yeah, I have noticed similar issues. I am using check-auth@verifier.port25.com to check DKIM pass or fail, and it will give me a fail. mail-tester.com also tells me my DKIM is invalid. Certain email services (mostly services using Spamhaus) bounce back and give an error. But I can send to Gmail perfectly fine!

            MXToolbox says it's good, but that doesn't tell me much, since it's not actually trying to use the DKIM key to validate an email. It is just looking to see that it is there (which it does, thankfully). But to actually test DKIM, you need to test the public key which is in your DNS against a hash which was generated by your private key. So you need to use a service that will analyze an email you send to it.
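As an added example (not part of the thread, and not mailcow's, MXToolbox's or port25's code), the script below does the keyless half of what a real verifier does and a record lookup does not: it canonicalizes the body of a signed message the way RFC 6376 prescribes, recomputes the body hash and compares it with the bh= tag in the DKIM-Signature header. The message, the selector `dkim`, the addresses and the `b=PLACEHOLDER` value are all constructed. Checking b= itself, the RSA signature over the canonicalized headers, needs the p= key from DNS and an RSA implementation (dkimpy or the cryptography package) and is deliberately not shown.

```python
"""Recompute and verify the DKIM body hash (bh=) of a message offline.

Added example for this thread, not mailcow's code and not a complete verifier.
A lookup tool only shows that a key is published. A verifier re-canonicalizes the
message, checks that its own body hash equals bh=, then verifies the RSA signature
b= over the canonicalized headers with the p= key from DNS. Only the body-hash
step, which needs no key, is implemented here. The message below is constructed.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Drop trailing whitespace on each line and squeeze runs of WSP to one space.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":          # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""   # empty body: CRLF (simple), nothing (relaxed)
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    """base64(hash(canonicalized body)): the value a signer writes into bh=."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list such as a DKIM-Signature header value."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            name, val = field.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags


def get_header(head: bytes, name: str):
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


def verify_body_hash(raw: bytes):
    """Return (ok, computed_bh, claimed_bh) for a raw RFC 5322 message with CRLF line ends."""
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return (False, "", "")
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"   # single value: body is simple
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    claimed = re.sub(r"\s+", "", tags.get("bh", ""))
    computed = body_hash(body, body_mode, algo)
    return (computed == claimed, computed, claimed)


SAMPLE_BODY = b"Hello mailcow,\r\n\r\nthis is a signed test message.\r\n"   # constructed


def build_sample_message(body: bytes, body_canon: str) -> bytes:
    """Constructed message: bh= is computed here, b= is a placeholder (no private key)."""
    headers = (
        b"From: sender@example.com\r\n"
        b"To: check-auth@verifier.port25.com\r\n"
        b"Subject: dkim test\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + body_canon.encode() + b";\r\n"
        b"\td=example.com; s=dkim; h=from:to:subject;\r\n"
        b"\tbh=" + body_hash(body, body_canon).encode() + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
    )
    return headers + b"\r\n" + body


if __name__ == "__main__":
    for canon in ("relaxed", "simple"):
        msg = build_sample_message(SAMPLE_BODY, canon)
        # A relay on the path appended a trailing space to one line of the body.
        mangled = msg.replace(b"mailcow,\r\n", b"mailcow, \r\n")
        print(canon, "intact:", verify_body_hash(msg)[0],
              "trailing space added:", verify_body_hash(mangled)[0])
```

Running it also shows why `c=relaxed/relaxed` is the safer signing mode: a trailing space added by a relay still verifies under relaxed and fails under simple, while an edit to the text fails under both. A "signature failed to verify" result with a matching bh= points at the header canonicalization or the key (the b= step), not at the body.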

            tjk: I have generated new keys for all domains on my mailcow instance and updated the DNS records.
            mailcow has a check mark next to the DKIM current state on the domain DNS check.

            The main domain (used as the mailcow hostname + MX record on other domains) has a DKIM failure error. All the others pass without error. I get the error “signature failed to verify” on a test email. Same as before.

            [unknown] I am thinking this might be causing my issue. Could you please elaborate on a way I could test whether it is causing my issue or not? Thank you
