
#1 2021-03-14 01:15:48

vanillamilkk
Member
Registered: 2021-03-11
Posts: 14

dkim=fail (body hash did not verify)

I have Minecraft, CS:GO, web, mail, etc. servers hosted at my home. I also have a domain with complete A, AAAA, MX, DKIM, DMARC, SRV and SPF records.
All are working flawlessly except the mail server, which has a small problem: most of my mails are sent directly to spam by the major providers (Gmail, Outlook, etc.).

So my setup is :
Thunderbird (local pc) --> Postfix (Arch Server) ---> ISP smtp server (MyRepublic) --> Outlook (Microsoft)

Received: from TY2PR0101MB2415.apcprd01.prod.exchangelabs.com
 (2603:1096:404:5f::20) by SL2PR01MB2652.apcprd01.prod.exchangelabs.com with
 HTTPS; Sat, 6 Mar 2021 16:56:18 +0000
Received: from AM5PR0701CA0055.eurprd07.prod.outlook.com (2603:10a6:203:2::17)
 by TY2PR0101MB2415.apcprd01.prod.exchangelabs.com (2603:1096:404:5f::20) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Sat, 6 Mar
 2021 16:56:17 +0000
Received: from AM7EUR06FT038.eop-eur06.prod.protection.outlook.com
 (2603:10a6:203:2:cafe::43) by AM5PR0701CA0055.outlook.office365.com
 (2603:10a6:203:2::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.13 via Frontend
 Transport; Sat, 6 Mar 2021 16:56:15 +0000
Authentication-Results: spf=pass (sender IP is 158.140.187.14)
 smtp.mailfrom=kcml.my.id; outlook.com; dkim=fail (body hash did not verify)
 header.d=kcml.my.id;outlook.com; dmarc=pass action=none
 header.from=kcml.my.id;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of kcml.my.id designates
 158.140.187.14 as permitted sender) receiver=protection.outlook.com;
 client-ip=158.140.187.14; helo=smtpid.myrepublic.co.id;
Received: from smtpid.myrepublic.co.id (158.140.187.14) by
 AM7EUR06FT038.mail.protection.outlook.com (10.233.255.152) with Microsoft
 SMTP Server id 15.20.3890.19 via Frontend Transport; Sat, 6 Mar 2021 16:56:14
 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:E97796DC5F80840B531C19CB3E919D534348DAC0F691B0B9B3C27810D6AB020F;UpperCasedChecksum:44F64B691AD7B5EB548E179B9B0E7014E252E1FECB49D28FEF6CB85989792471;SizeAsReceived:2288;Count:22
Received: from mail.kcml.my.id (unknown [158.140.163.137])
	by smtpid.myrepublic.co.id (Postfix) with ESMTP id 27DB83C1BA57
	for <xxxxxx@outlook.com>; Sat,  6 Mar 2021 23:56:12 +0700 (WIB)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtpid.myrepublic.co.id 27DB83C1BA57
Authentication-Results-Original: smtpid.myrepublic.co.id;	dkim=pass (2048-bit
 key) header.d=kcml.my.id header.i=@kcml.my.id header.b="GtT4m13/"
Received: from [192.168.1.248] (unknown [158.140.163.137])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.kcml.my.id (Postfix) with ESMTPSA id D5B3F100D00
	for <xxxxxx@outlook.com>; Sat,  6 Mar 2021 23:56:11 +0700 (WIB)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kcml.my.id; s=default;
	t=1615049771; bh=ZPrKwWTm/YG3PnvbUNe4oNxXUVRgLej0FXUjqodyJ1g=;
	h=Subject:References:To:From:Date:In-Reply-To;
	b=GtT4m13/6Am505V95DnRArDD7aaEA0XHX4VymH4+voTQtGpj8vFb3x4i9LWM2oTW+
	 BKyWNDkmsEWg2HOIVFGSitg2R7yIKiJQ0edskwYmBgCdlHFN4Fa0k6AVp/8r5ou6Xr
	 oEL4PLe0q7bW7M3HsuvdO4rtZ6a5SIl2Xph9bJ01lVnEil9wDexl169rnHEesuyvwY
	 RsiM58xLWhGlK+TGVDgtAtqV9ZVMNQUZ65uiKHmpb6cJHDiWgAIkDrsqrNk/X27C4n
	 OgCLhDl7/0b7+pKNkikVuwpjL0bgoGS6gwpF87/OEwXV9pQz5SH+GJd683rtng40d6
	 A4ezc5OVc+yww==
Subject: Fwd: Hmm yes?
References: <4a1699a4-ad79-9e07-796f-ddf4848c807f@kcml.my.id>
To: xxxxxx@outlook.com
From: vanilla milkk <xxxxx@kcml.my.id>
X-Forwarded-Message-Id: <4a1699a4-ad79-9e07-796f-ddf4848c807f@kcml.my.id>
Message-ID: <a0f228c9-1466-db19-65e5-f19011953d05@kcml.my.id>
Date: Sat, 6 Mar 2021 23:56:10 +0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.8.0
In-Reply-To: <4a1699a4-ad79-9e07-796f-ddf4848c807f@kcml.my.id>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="L06vZsQobKP3U5ubXG0R5VXrAEh4lxLZ7"
X-My-Republic-MailScanner-Information: Please contact the ISP for more information
X-My-Republic-MailScanner-ID: 27DB83C1BA57.A5657
X-My-Republic-MailScanner: Found to be clean
X-My-Republic-MailScanner-SpamScore: s
X-My-Republic-MailScanner-From: xxxxx@kcml.my.id
X-Spam-Status: No
X-IncomingHeaderCount: 22
Return-Path: xxxxx@kcml.my.id
MIME-Version: 1.0

I followed all the DKIM, DMARC and Postfix setup on the Arch Wiki, and I'm quite lost as to what part I did wrong.
Tell me if you need more information.


#2 2021-03-14 15:11:36

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: dkim=fail (body hash did not verify)

It looks like there may be a copy paste error in the key in your TXT record likely where you concatenated the multiple parts - e.g., if you took the generated public key from opendkim, you need to do some manual editing to put multiple lines together properly.

Are you using openDKIM?  If so, what is the content of the public key at /etc/opendkim/${YOURSELECTOR}.txt? How did you create your TXT record for your DNS server (e.g., what exactly was entered for the txt record)?

FYI, I found the tools at mail-tester.com helpful in setting up my SPF/DKIM and DMARC, which I coincidentally just worked through last weekend.  So I feel your pain on the confusion - while our wiki is generally excellent, it's really lacking in specifics for SPF/DKIM configuration.

EDIT: could you also clarify how / why you are running your own postfix server and using your ISP's mail server?  I'm not sure I understand this.  If you are running your own mail server, your ISP's mail server should be irrelevant.  I think this resulted in me looking up the TXT record of your ISP instead of your arch server.  If kcml.my.id is your arch server, there does not seem to be any published dkim TXT record (and/or it hasn't yet propagated, though this is generally fairly quick now and it certainly would have been published prior to your creation of this thread).

Last edited by Trilby (2021-03-14 15:23:44)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2021-03-15 10:38:50

vanillamilkk
Member
Registered: 2021-03-11
Posts: 14

Re: dkim=fail (body hash did not verify)

Trilby wrote:

It looks like there may be a copy paste error in the key in your TXT record likely where you concatenated the multiple parts - e.g., if you took the generated public key from opendkim, you need to do some manual editing to put multiple lines together properly.

Are you using openDKIM?  If so, what is the content of the public key at /etc/opendkim/${YOURSELECTOR}.txt? How did you create your TXT record for your DNS server (e.g., what exactly was entered for the txt record)?

Thanks for your help. Yes, I'm using openDKIM, and here is my public key.

[server ~]# cat /etc/opendkim/keys/kcml.my.id/default.txt
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gD5q/bv1Vdq4JGiKGkxigvozQ+0FS2ih28nqOTmK34xXcNiWodEY60vQ4H9efvF+v0cPwLSw9bLsf1lx2G7CDZ7FwiLXI35lnSrTdpqX/saQRvtBnGNQb+/uHRabdVnvvzXlsvA7t2Aas/iFrQVhSnpmEDR9AJIYNfOiffINNsGF0ejuxNldgaPqragBPMVf2SBB3yr4M/oG0"
          "VnJWzrZT7UWF9P0KQ/KJpyfxWkcUg10hYXdEDaJ2gsZGBPW9FVkzV7l3u5ertho7NpTx/htPNCsK67G92TRXj7lkw5CQsOnEAp035LQ+zCCRDU67GjNYONxjXGn0cmV606HWrcpQIDAQAB" )  ; ----- DKIM key default for kcml.my.id
Trilby wrote:

FYI, I found the tools at mail-tester.com helpful in setting up my SPF/DKIM and DMARC, which I coincidentally just worked through last weekend.  So I feel your pain on the confusion - while our wiki is generally excellent, it's really lacking in specifics for SPF/DKIM configuration.

I just tested it; they give me a 7/10 score because my DKIM signature is invalid.

Trilby wrote:

EDIT: could you also clarify how / why you are running your own postfix server and using your ISP's mail server?  I'm not sure I understand this.  If you are running your own mail server, your ISP's mail server should be irrelevant.  I think this resulted in me looking up the TXT record of your ISP instead of your arch server.  If kcml.my.id is your arch server, there does not seem to be any published dkim TXT record (and/or it hasn't yet propagated, though this is generally fairly quick now and it certainly would have been published prior to your creation of this thread).

They said they need to scan my email before sending it to the internet. They want me to add "relayhost = smtpid.myrepublic.co.id" inside my Postfix configuration. And I just checked the DNS record and it's there.

[vanilla@desktop ~]$ dig -t txt default._domainkey.kcml.my.id

; <<>> DiG 9.16.12 <<>> -t txt default._domainkey.kcml.my.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65365
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;default._domainkey.kcml.my.id. IN      TXT

;; ANSWER SECTION:
default._domainkey.kcml.my.id. 14400 IN TXT     "v=DKIM1; k=rsa;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gD5q/bv1Vdq4JGiKGkxigvozQ+0FS2ih28nqOTmK34xXcNiWodEY60vQ4H9efvF+v0cPwLSw9bLsf1lx2G7CDZ7FwiLXI35lnSrTdpqX/saQRvtBnGNQb+/uHRabdVnvvzXlsvA7t2Aas/iFrQVhSnpmEDR9AJIYNfOiffINNsGF0ejuxNldgaPqragBPMV" "f2SBB3yr4M/oG0VnJWzrZT7UWF9P0KQ/KJpyfxWkcUg10hYXdEDaJ2gsZGBPW9FVkzV7l3u5ertho7NpTx/htPNCsK67G92TRXj7lkw5CQsOnEAp035LQ+zCCRDU67GjNYONxjXGn0cmV606HWrcpQIDAQAB"

;; Query time: 50 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Mar 15 17:20:50 WIB 2021
;; MSG SIZE  rcvd: 483

[vanilla@desktop ~]$ dig -t txt _dmarc.kcml.my.id

; <<>> DiG 9.16.12 <<>> -t txt _dmarc.kcml.my.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41146
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dmarc.kcml.my.id.             IN      TXT

;; ANSWER SECTION:
_dmarc.kcml.my.id.      14400   IN      TXT     "v=DMARC1; p=quarantine; pct=20; adkim=s; aspf=r; fo=1; rua=mailto:postmaster@kcml.my.id; ruf=mailto:hostmaster@kcml.my.id;"

;; Query time: 33 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Mar 15 17:21:06 WIB 2021
;; MSG SIZE  rcvd: 181


#4 2021-03-15 13:57:33

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: dkim=fail (body hash did not verify)

According to the dig output, your TXT record is indeed invalid.  Your key is split in the middle, remove the space and closing/starting quotes:

- MV" "f2S
+ MVf2S

Though it would also seem that your DNS updates are not propagating.  While I can confirm that dig returns your DKIM TXT record, various website DNS look-ups (including mail-tester.com) are not seeing it. edit: either it just propagated, or I did something wrong, as it's now showing up - though still with the problematic space.

Last edited by Trilby (2021-03-15 14:03:40)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#5 2021-03-16 18:10:59

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: dkim=fail (body hash did not verify)

Trilby wrote:

According to the dig output, your TXT record is indeed invalid.  Your key is split in the middle, remove the space and closing/starting quotes:

- MV" "f2S
+ MVf2S

That's how TXT records work: there's a max length of 255, and DKIM keys (at least RSA ones) typically exceed it, so it has to be split.
See e.g. https://www.unixfu.ch/how-to-split-dns-dkim-records/ or https://www.mailhardener.com/tools/dns-record-splitter


#6 2021-03-16 19:22:51

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: dkim=fail (body hash did not verify)

EDIT: oops - you're correct, sorry.  With mine, entering it in the Linode DNS split caused it to fail, but putting it in concatenated worked - but dig still shows mine split.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#7 2021-03-16 19:32:29

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: dkim=fail (body hash did not verify)

dig is a debug tool and shows the actual wire format.

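To make ghen's point concrete, here is an added example (not code from the thread, the Arch Wiki or OpenDKIM) that checks a DKIM TXT record the way a verifier does: it joins the quoted strings of the RDATA exactly as `dig` prints them (RFC 6376 requires the strings to be concatenated with nothing in between), parses the tag=value list, base64-decodes `p=` and walks the DER SubjectPublicKeyInfo just far enough to confirm an rsaEncryption key and report its modulus size. It runs against the record from the `dig` output and the OpenDKIM `default.txt` posted earlier in this thread, so it shows that the split is harmless and that the published key equals the generated one; it also shows what a verifier sees when the split is pasted into a DNS UI as a space inside the key. The DER walker is a minimal one written for this example, not a general ASN.1 parser, and `split_txt_record` is the helper you would use to produce the 255-byte strings for a zone file.

```python
import base64
import re

# The published record as `dig -t txt default._domainkey.kcml.my.id` printed it
# in this thread: two quoted strings, because one TXT string is capped at 255 bytes.
DIG_RDATA = (
    '"v=DKIM1; k=rsa;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gD5q/bv1Vdq4JGiKGkxigvozQ+0FS2ih28nqOTmK34xXcNiWodEY60vQ4H9efvF+v0cPwLSw9bLsf1lx2G7CDZ7FwiLXI35lnSrTdpqX/saQRvtBnGNQb+/uHRabdVnvvzXlsvA7t2Aas/iFrQVhSnpmEDR9AJIYNfOiffINNsGF0ejuxNldgaPqragBPMV" '
    '"f2SBB3yr4M/oG0VnJWzrZT7UWF9P0KQ/KJpyfxWkcUg10hYXdEDaJ2gsZGBPW9FVkzV7l3u5ertho7NpTx/htPNCsK67G92TRXj7lkw5CQsOnEAp035LQ+zCCRDU67GjNYONxjXGn0cmV606HWrcpQIDAQAB"'
)

# The same key as OpenDKIM wrote it to /etc/opendkim/keys/kcml.my.id/default.txt
# (zone-file syntax, split at a different point, with a trailing ; comment).
OPENDKIM_TXT = '''default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gD5q/bv1Vdq4JGiKGkxigvozQ+0FS2ih28nqOTmK34xXcNiWodEY60vQ4H9efvF+v0cPwLSw9bLsf1lx2G7CDZ7FwiLXI35lnSrTdpqX/saQRvtBnGNQb+/uHRabdVnvvzXlsvA7t2Aas/iFrQVhSnpmEDR9AJIYNfOiffINNsGF0ejuxNldgaPqragBPMVf2SBB3yr4M/oG0"
          "VnJWzrZT7UWF9P0KQ/KJpyfxWkcUg10hYXdEDaJ2gsZGBPW9FVkzV7l3u5ertho7NpTx/htPNCsK67G92TRXj7lkw5CQsOnEAp035LQ+zCCRDU67GjNYONxjXGn0cmV606HWrcpQIDAQAB" )  ; ----- DKIM key default for kcml.my.id'''

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of a TXT RDATA with nothing in between
    (RFC 6376 section 3.6.2.2). Works on dig output and on zone-file syntax."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def parse_dkim_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, tolerating stray whitespace."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if field:
            name, _, value = field.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def split_txt_record(record: str, limit: int = 255) -> list:
    """Cut a long TXT value into <= limit-byte strings for a zone file or DNS UI."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(spki_der: bytes) -> tuple:
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo,
    which is what the p= tag of a k=rsa DKIM record carries."""
    tag, spki, _ = _tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, alg, pos = _tlv(spki, 0)                    # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, rsapub, _ = _tlv(bitstr[1:], 0)             # skip the unused-bits octet
    _, n, pos = _tlv(rsapub, 0)                    # modulus INTEGER
    _, e, _ = _tlv(rsapub, pos)                    # publicExponent INTEGER
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_dkim_record(rdata: str) -> dict:
    """Validate a DKIM TXT RDATA as a verifier would; problems is empty when it is usable."""
    record = join_txt_strings(rdata)
    tags = parse_dkim_tags(record)
    problems, bits, exponent = [], None, None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled by this checker")
    p = tags.get("p")
    if not p:
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    else:
        try:                                       # validate=True rejects a space inside the key
            bits, exponent = rsa_public_key_info(base64.b64decode(p, validate=True))
            if bits < 1024:
                problems.append(f"{bits}-bit key; verifiers reject keys under 1024 bits")
        except (ValueError, IndexError) as exc:    # binascii.Error is a ValueError
            problems.append(f"p= does not decode to an RSA public key: {exc}")
    return {"tags": tags, "modulus_bits": bits, "exponent": exponent, "problems": problems}


if __name__ == "__main__":
    print("published :", check_dkim_record(DIG_RDATA))
    print("generated :", check_dkim_record(OPENDKIM_TXT)["modulus_bits"], "bits")
    print("with space:", check_dkim_record(DIG_RDATA.replace('" "', " "))["problems"])
```

If `problems` is empty and the modulus size matches what OpenDKIM reports, the DNS side is fine and the `body hash did not verify` result has to come from the message body changing in transit, not from the key.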

#8 2021-03-16 19:48:00

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: dkim=fail (body hash did not verify)

Are you able to successfully sign and verify a mail with opendkim-testkey?

In that case you should probably configure postfix to save a local copy. Verify the dkim result and compare it with the mail you receive as spam.
Maybe something like this to create that copy? https://www.electricmonk.nl/log/2015/03 … tp-server/


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

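The diagnostic progandy suggests, as an added example that is not code from the thread or from OpenDKIM: keep the copy Postfix sent and compare it with the copy that arrived. A DKIM body hash (`bh=`) covers only the canonicalized body, so `body hash did not verify` means the body bytes Outlook hashed differ from the ones OpenDKIM hashed; headers the relay adds (the `X-My-Republic-MailScanner-*` lines above) cannot cause it. The signature in the first post declares `c=simple/simple`, the least forgiving body canonicalization. The code below implements RFC 6376 simple and relaxed body canonicalization, recomputes `bh=` the way a verifier does, and runs it over constructed sample bodies (not the real message) that model three things a relay can do to a body; the `d=`, `s=` and `h=` values in the constructed signature are made up, and `b=` is left empty because only the body hash is being studied.

```python
import base64
import hashlib
import re

# Constructed sample bodies (not the message from the thread), CRLF line endings
# as on the wire. The "-- " signature separator has a trailing space on purpose.
ORIGINAL_BODY = b"Hello,\r\n\r\nThe DKIM record is published now.\r\n-- \r\nvm\r\n"
# Three ways a relay might hand the same body on:
EXTRA_BLANK_LINES = ORIGINAL_BODY + b"\r\n\r\n"                          # trailing empty lines
TRAILING_SPACE_STRIPPED = ORIGINAL_BODY.replace(b"-- \r\n", b"--\r\n")   # whitespace-only change
FOOTER_APPENDED = ORIGINAL_BODY + b"\r\nScanned by the ISP mail filter.\r\n"  # content change


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    if method == "relaxed":
        # per line: drop trailing WSP, collapse runs of WSP to a single SP
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t"))
                 for line in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization {method!r}")
    while body.endswith(b"\r\n\r\n"):      # both methods ignore empty lines at the end
        body = body[:-2]
    if body in (b"", b"\r\n"):             # empty body: one CRLF for simple, nothing for relaxed
        return b"\r\n" if method == "simple" else b""
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, method: str = "simple", algo: str = "sha256") -> str:
    """The bh= value a signer puts in DKIM-Signature for this body."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(value: str) -> dict:
    """Split a (possibly folded) DKIM-Signature tag list into a dict."""
    tags = {}
    for field in re.sub(r"\s+", "", value).split(";"):
        if field:
            name, _, val = field.partition("=")
            tags[name] = val
    return tags


def signature_for(body: bytes, c: str = "simple/simple") -> str:
    """Constructed DKIM-Signature value: real bh=, empty b= (d=, s=, h= are made up)."""
    _, sep, body_canon = c.partition("/")
    method = body_canon if sep else "simple"   # c=relaxed alone means relaxed/simple
    return (f"v=1; a=rsa-sha256; c={c}; d=example.test; s=default; "
            f"h=From:To:Subject:Date; bh={body_hash(body, method)}; b=")


def verify_body_hash(dkim_signature: str, received_body: bytes) -> bool:
    """Recompute bh= with the canonicalization and hash the signature declares and
    compare; False is exactly 'dkim=fail (body hash did not verify)'."""
    tags = parse_dkim_signature(dkim_signature)
    _, sep, body_canon = tags.get("c", "simple/simple").partition("/")
    method = body_canon if sep else "simple"
    algo = tags.get("a", "rsa-sha256").partition("-")[2]
    return body_hash(received_body, method, algo) == tags.get("bh")


def compare_copies(sent_body: bytes, received_body: bytes) -> dict:
    """Given the copy your Postfix kept and the copy that arrived, report which
    canonicalization (if any) would have survived what the relay did."""
    return {m: body_hash(sent_body, m) == body_hash(received_body, m)
            for m in ("simple", "relaxed")}


if __name__ == "__main__":
    sig = signature_for(ORIGINAL_BODY)          # what the signer put on the outgoing copy
    for label, received in [("unchanged", ORIGINAL_BODY),
                            ("extra blank lines", EXTRA_BLANK_LINES),
                            ("trailing space stripped", TRAILING_SPACE_STRIPPED),
                            ("footer appended", FOOTER_APPENDED)]:
        print(f"{label:24s} verifies={verify_body_hash(sig, received)!s:5s} "
              f"survives={compare_copies(ORIGINAL_BODY, received)}")
```

Reading the result: if `compare_copies` says relaxed matches but simple does not, the relay only touched whitespace, and `Canonicalization relaxed/relaxed` in opendkim.conf makes the signature tolerate that; if neither matches, the relay is rewriting content (a footer, re-encoding, MIME changes) and no canonicalization will help, so the fix is to get the ISP to stop altering the body or to stop relaying through it.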
