Skip to content
Advertisement

DKIM key not valid – Bad RSA signature

I have setup DKIM on a Ubuntu 14.04 machine using opendkim and postfix. I generated the RSA keypair and updated the TXT record.

When testing the settings at any DKIM tester like www.mail-tester.com or www.dkimvalidator.com, I get errors like “result = fail, bad RSA signature”.

Here is an example mail (info from dkimvalidator.com). I substituted the real domain with mail.example.com.

DKIM Signature


Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.com;
     h=content-type:content-type:mime-version:subject:subject
    :message-id:to:reply-to:from:from; s=dkim; t=1505761379; x=
    1506625380; bh=xp3gKk5P39UaB7IV9Rj58h82gFaIiEDAqCbmUtWe2Yo=; b=s
    ErbZFhFhPQjrOz2dH2RlYMAaN0oUKT7SBJe/bQg5Uxq86VHr7HkHRnnqtw1lkRL6
    Ha6Qd2rXAV+ftc5vL3K3TYojBz8HFigZtmJetjgY1/evk9XnRHtTaRBD6/ZrXtii
    Rsa87O6RsoM7om9brPP8QW01/84nPSonJIIQtobLt0=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/simple
d= Domain:          mail.example.com
s= Selector:        dkim
q= Protocol:        
bh=                 xp3gKk5P39UaB7IV9Rj58h82gFaIiEDAqCbmUtWe2Yo=
h= Signed Headers:  content-type:content-type:mime-version:subject:subject
    :message-id:to:reply-to:from:from
b= Data:            s
    ErbZFhFhPQjrOz2dH2RlYMAaN0oUKT7SBJe/bQg5Uxq86VHr7HkHRnnqtw1lkRL6
    Ha6Qd2rXAV+ftc5vL3K3TYojBz8HFigZtmJetjgY1/evk9XnRHtTaRBD6/ZrXtii
    Rsa87O6RsoM7om9brPP8QW01/84nPSonJIIQtobLt0=
Public Key DNS Lookup


Building DNS Query for dkim._domainkey.mail.example.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIbe1WBW7hf4IbeW8acNXKzi6uQb2UXagkJoLWqGqLaXbnrLmwEjgxzoJQRR7iLq4/niGmI76Nzbc0aASTGYRdAK62/Enjove3W70vl92VSgGy1Tm0oZ+9/4+Z8qLiwikPs+HL961CshehcAMu1aLnVSyMwe77pOlf6ZPG7Lxj5QIDAQAB
Validating Signature


result = fail
Details: bad RSA signature

And here is /etc/opendimk.conf:

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

Domain                  mail.example.com
KeyFile                 /etc/dkimkeys/dkim.key
Selector                dkim

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no


OversignHeaders         From

TrustAnchorFile       /usr/share/dns/root.key

Could there be a problem because I use a subdomain like johndoe@mail.example.com to send E-Mails?

Advertisement

Answer

Problem was because opendkim did not listen on the specified socket; Postfix was not able to reach opendkim and the email therefore not signed.

Related to: https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim

User contributions licensed under: CC BY-SA
6 People found this is helpful
Advertisement