DKIM – A simple reason why dkim=fail

Written by James McDonald

September 1, 2014

I have been looking at enabling Domain Keys Identified Mail using opendkim and have discovered a lot of very good howto’s just by Googling

But I just thought I would list a configuration mistake I made.

When you create a domain key using the opendkim-genkey command if places the private key in the current directory or the directory you specify with the –directory option.

I chose to create a directory structure under /etc/opendkim/keys/ so the private key for each domain was held in a folder the same name as the domain. (this means you can have multiple default.private files)

So I did:

mkdir /etc/opendkim/keys/

opendkim-genkey --selector=mail --directory=/etc/opendkim/keys/

# opendkim options
opendkim-genkey: usage: opendkim-genkey [options]
        --append-domain        include domain name in zone file stub
        --bits=n               use n bits to generate the key
        --directory=path       leave output in the named directory
        --domain=name          generate data for the named domain []
        --hash-algorithms=list limit to use of the named algorithm(s)
        --help                 print help and exit
        --note=string          include specified note in zone data
        --restrict             restrict key to email use only
        --selector=name        selector name [default]
        --subdomains           allow signing of subdomains
        --testmode             indicate key is in test mode
        --verbose              increased output
        --version              print version and exit

This writes a file named mail.private into /etc/opendkim/keys/ and another named mail.txt which contains the zone record to add to DNS of the email domain you are enabling DKIM for.

My problem started when I kept getting dkim=fail because the signature was wrong

I traced this to an incorrect private key being used to sign the outgoing email. Basically my CentOS version of opendkim creates a default.private key in /etc/opendkim/keys/default.private and if you don’t edit your KeyTable file properly your domain is being signed by the default key instead of the one you generate and place in /etc/opendkim/keys/

# incorrect entry picks up
# wrong key

# correct entry has the correct private key 
# listed in the /etc/opendkim/KeyTable file

After I made the above change and restarted opendkim I then got the correct dkim=pass status at the destination mailbox on mail I sent

I of course didn’t pick this up until I had been around the world a few times. I thought that I had a header being changed down stream of when opendkim was signing the message but no I didn’t.


Submit a Comment

Your email address will not be published. Required fields are marked *

You May Also Like…