Something appears to be wrong with your DNS records. Using mxtoolbox and
easydmarc's dkim validators with your selectors, the response is only
v=DKIM1 and is missing the public key p= portion.
I would start with wrapping the text portion with quotes. Otherwise your DNS
server may need the key split up into chunks. 

Regards,
-Andrew

-----Original Message-----
From: Robert B. Carleton <r...@rbcarleton.net> 
Sent: Friday, April 5, 2024 6:29 PM
To: misc@opensmtpd.org
Subject: DKIM Verification Failures

DKIM verification of my emails has been failing for outbound email when
received by other systems. This email contains those signatures. I don't
check DKIM inbound so that's not a concern.

I created DNS entries for both rsa and ed25519 keys. The subject hosts are
metis.rbcarleton.net (internal) and terminus.rbcarleton.net (external). I
use smtpd for my MTAs, and use the
opensmtpd-filter-dkimsign-0.5p2 package to sign my outbound emails. I'm
running OpenBSD 7.4.

Here's the SPF/DMARC/DKIM DNS for rbcarleton.net:

---cut here---
        600     IN      TXT     "v=spf1 ip4:155.138.244.69
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc   600   IN      TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"

dk-rsa-20240404._domainkey      600     IN      TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-ed25519-20240404._domainkey  600     IN      TXT
v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=

dk-metis-rsa-20240404._domainkey        600     IN      TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey    600     IN      TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

Then metis.rbcarleton.net:

---cut here---
        600     IN      TXT     "v=spf1 ip4:155.138.244.69
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc.metis   600   IN      TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"
dk-metis-rsa-20240404._domainkey        600     IN      TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey    600     IN      TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

I was selective in what I included in the email for the sake of brevity. I
figured dig would be used to see the rest.

I followed the opensmtpd-filter-dkimsign pkg-readme. I've also done some
reading to sanity check my DNS. Any suggestions? I'm kind of stumped. It's
probably something silly, but managing MTAs isn't my day job, so I have less
wisdom for this than I should.

TIA,

                        --Bruce
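
The symptom described in the reply at the top of this thread, as an added example that is not part of either message or of OpenSMTPD: in zone-file (RFC 1035 master file) syntax an unquoted `;` starts a comment, so an unquoted `v=DKIM1;p=...` is loaded as just `v=DKIM1`. The tokenizer below is a simplified model (no backslash escapes), not any DNS server's parser, and the key is a constructed placeholder, not the one from the post.

```python
MAX_CHUNK = 255  # one TXT character-string holds at most 255 bytes (RFC 1035)

def zone_txt_strings(rdata: str) -> list[str]:
    """Split one line of TXT rdata into character-strings, zone-file style.

    Outside double quotes, whitespace separates strings and ';' starts a
    comment that runs to the end of the line.
    """
    strings, cur, in_quote, have = [], [], False, False
    for ch in rdata:
        if in_quote:
            if ch == '"':
                in_quote = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quote, have = True, True
        elif ch == ';':
            break  # comment: everything after this is discarded
        elif ch.isspace():
            if have:
                strings.append(''.join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        strings.append(''.join(cur))
    return strings

def dkim_value(rdata: str) -> str:
    """What a verifier sees: the character-strings concatenated (RFC 6376)."""
    return ''.join(zone_txt_strings(rdata))

def has_public_key(value: str) -> bool:
    """True if the tag list carries a non-empty p= tag."""
    tags = dict(t.strip().split('=', 1) for t in value.split(';') if '=' in t)
    return bool(tags.get('p'))

def quoted_rdata(record: str) -> str:
    """Render a record as quoted chunks of at most 255 bytes each."""
    data = record.encode('ascii')
    chunks = [data[i:i + MAX_CHUNK] for i in range(0, len(data), MAX_CHUNK)]
    return ' '.join('"%s"' % c.decode('ascii') for c in chunks)

# Constructed sample: placeholder base64 about as long as a 2048-bit RSA key.
RECORD = "v=DKIM1;k=rsa;p=" + "QUJD" * 98
```

`dkim_value(RECORD)` returns only `v=DKIM1`, matching what the validators reported, while `dkim_value(quoted_rdata(RECORD))` returns the full record from two quoted strings.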



