
Resolved DKIM is valid but signature fails

cmartinez127

Basic Pleskian
Server operating system version
CentOS 7
Plesk version and microupdate number
18.0.54 #4
Hi, I'm using CentOS 7 with Plesk Obsidian Web Host Edition 18.0.54 #4.

I'm having a problem with DKIM only on one domain. Webmail is disabled, clients in this domain use mail clients such as Outlook, Thunderbird, ...

No error messages detected in /var/log/maillog related to DKIM.

DKIM is enabled server-wide and in the specific domain too.

I tried "plesk repair mail" but everything was "OK".

SPF and DMARC are valid, no problems with that.

I already tried generating DKIM keys on different websites specialized in generating DKIM, and I have exactly the same problem with any generated DKIM.

The /etc/resolv.conf file is OK; nameservers are the same as in other domains where DKIM does work.

My current DKIM key is 2048

Some tests I've done:
1700478097057.png

1700478344260.png

1700478406767.png
1700478636177.png

As you can see in the previous screenshots, the DKIM public record is valid; the problem may be the DKIM signature. I read somewhere that key size and the size of the signature should be the same, but I don't know how to modify the signature.
The public key in the DNS (default._domainkey.awp1.com) seems to be a 1024 bit long RSA key (link to decoded key)
The length of the RSA signature in the DKIM signature (the b-tag, base64 encoded) is 2048 bit.
But for RSA, the key size and the size of the signature should be the same.
OpenSSL therefore rightfully complains about the signature size (2048 bit) being too large for the used key (1024 bit).

Different headers I got when trying to send an email from the problematic domain:
  • Gmail:
1700479400078.png

  • Outlook:
1700479550510.png

  • My own Zimbra mail server:
1700480186297.png

I tried to censor/anonymize data such as domains, IP addresses, etc. If you need an uncensored version of any of the screenshots just let me know.

I saw this external post and exactly the same problem is described there: DKIM fail - SmarterTools
Please help me, I've been trying to solve this. Thanks in advance.
 

I forgot to mention that this domain uses an external DNS provider. Plesk DNS zone is enabled but this may not be the problem because both DNS zones have the same records and the website works with both DNS zones enabled.
1700483737962.png
 
If you are using an external DNS provider, please make sure to have both _domainkey and the default._domainkey exactly as currently in Plesk DNS.

As far as I can see from the image provided above, default._domainkey does not look correct.
 
Where is the mistake? I don't know what I'm missing.

In both DNS zones _domainkey and the default._domainkey look the same to me.
1700554045517.png
1700554930384.png

In tools like whatsmydns, when checking TXT records I noticed it doesn't get the DKIM record, but if I go to mxtoolbox or dkimcore.org these will print the DKIM record (key is good, signature is bad).
This isn't normal; for any other domain it will print the DKIM record.
1700554734611.png
 

Please re-copy paste the default._domainkey from the Plesk DNS.

I solved it!

Since this domain uses an external DNS provider, I just had to use the DKIM record provided by Plesk for external DNS servers.
(domain.es > Mail > Mail Settings > How to configure external DNS)
1700640820524.png

Thank you for helping!
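
An added example, not part of the original thread: the size check quoted in the first post, comparing the RSA modulus size in a published DKIM TXT record with the size of the signature in a message's b= tag. A mismatch means the published record is not the key the server signs with. The function names, the `example.test` domain and the sample record and header (DER framing around filler bytes, not working keys) are constructed for illustration.

```python
import base64
import re

def tags(value):
    """Parse a DKIM tag=value list (header value or TXT record) into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER element header at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(txt_record):
    """Modulus size of the RSA key in the p= tag (a DER SubjectPublicKeyInfo)."""
    der = base64.b64decode(tags(txt_record)["p"])
    spki, _ = _tlv(der, 0)        # outer SEQUENCE
    _, alg_end = _tlv(der, spki)  # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end)  # BIT STRING wrapping the RSAPublicKey
    rsa, _ = _tlv(der, bits + 1)  # +1 skips the unused-bits octet
    start, end = _tlv(der, rsa)   # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def signature_bits(dkim_signature):
    """Size of the RSA signature in the b= tag of a DKIM-Signature header value."""
    return len(base64.b64decode(tags(dkim_signature)["b"])) * 8

def check(dkim_signature, txt_record):
    """Return (key_bits, sig_bits, consistent) for one signature/record pair."""
    key, sig = rsa_key_bits(txt_record), signature_bits(dkim_signature)
    return key, sig, (key + 7) // 8 * 8 == sig

# Constructed samples: real DER framing around filler bytes, not working keys.
_ALG = "300d06092a864886f70d0101010500"  # AlgorithmIdentifier: rsaEncryption, NULL
_SPKI = {1024: "30819f" + _ALG + "03818d0030818902818100" + "c3" * 128 + "0203010001",
         2048: "30820122" + _ALG + "0382010f003082010a0282010100" + "c3" * 256 + "0203010001"}

def sample_txt(bits):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes.fromhex(_SPKI[bits])).decode()

# Constructed header value: 256 filler bytes (2048 bits), folded as in real mail.
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.test; s=default; b=" + "\r\n ".join(
    re.findall(".{1,64}", base64.b64encode(b"\x5a" * 256).decode()))

if __name__ == "__main__":
    for bits in (1024, 2048):  # mismatched record vs. record matching the signer
        print(bits, check(SAMPLE_SIG, sample_txt(bits)))
```

To use it on real mail, pass the DKIM-Signature header value from a received message and the TXT record that the external DNS provider actually serves for the selector.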
 