I updated the defaultdomain and defaulthost files in /var/qmail/control/ to iwtelecom.com.br and restarted qmailtoaster.
Gmail is still checking DKIM for app1.iw.net.br (hostname).
Any idea what other files to check?

Here is part of the headers:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@app1.iw.net.br header.s=dkim1 header.b=KdM7MJMS;
       spf=pass (google.com: domain of sender at iwtelecom.com.br designates as permitted sender) smtp.mailfrom=sender at iwtelecom.com.br;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=iwtelecom.com.br
Return-Path: <sender at iwtelecom.com.br>
Received: from app1.iw.net.br (mail.iwtelecom.com.br. [])
        by mx.google.com with ESMTPS id a76si2719168qkg.65.2019.
        for <receiver at gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 22 Jan 2019 12:18:57 -0800 (PST)

On 22/01/2019 13:01, Remo Mattei wrote:
I am pretty sure you have something misconfigured.

I have this working but you also need to see if you have the default correct. I will share what I have done and I know it works since I have done it on 2 servers now.


On Jan 22, 2019, at 03:36, Leonardo Porto <leonardo.po...@iw.net.br> wrote:


This machine was using my authoritative slave and for some reason it did not update the zone yet.
I changed the resolver then:

opendkim-testkey: checking key 'dkim1._domainkey.iwtelecom.com.br'
opendkim-testkey: key OK

But I found something else: when I send a message the destination server is not checking my sender's domain key, it is checking my server's hostname instead, which is app1.iw.net.br.

So I had to create two more records: dkim1._domainkey.iw.net.br and dkim1._domainkey.app1.iw.net.br

Now Gmail says DKIM is ok:

DKIM:    'PASS' com o domínio app1.iw.net.br

On 21/01/2019 20:47, Eric Broch wrote:

I figured it out at least on my host as to why one would get 'record not found'.

My mail host has entry in resolv.conf 'nameserver'

I have named config file for my domain to resolve to this mail host, 192.168.x.x


# opendkim-testkey -vvv -d whitehorsetc.com -k /var/qmail/control/dkim/whitehorsetc.com.key -s dkim1

yields 'record not found'

when I change resolv.conf to external nameserver (

# opendkim-testkey -vvv -d whitehorsetc.com -k /var/qmail/control/dkim/whitehorsetc.com.key -s dkim1

yields 'key OK'

You must add a TXT record to whichever DNS server your mail host is using.

On 1/21/2019 10:41 AM, Eric Broch wrote:

Maybe restart your named server.

On 1/21/2019 4:58 AM, Leonardo Porto wrote:

Looks like I was checking it the wrong way, the correct way is:

# dig dkim1._domainkey.iwtelecom.com.br TXT
dkim1._domainkey.iwtelecom.com.br. 86400 IN TXT "v=DKIM1\; k=rsa\; p=blabla...blabla"

Checking the key at https://dkimcore.org/tools/ looks fine also.

The opendkim-testkey still shows the error though.

On 17/01/2019 18:30, Leonardo Porto wrote:

Hi everyone,

I'm doing the DKIM step for a new server and when I test my DKIM signature I receive the error:

# opendkim-testkey -vvvv -d iwtelecom.com.br -k /var/qmail/control/dkim/global.key -s dkim1
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: /var/qmail/control/dkim/global.key: WARNING: unsafe permissions
opendkim-testkey: key loaded from /var/qmail/control/dkim/global.key
opendkim-testkey: checking key 'dkim1._domainkey.iwtelecom.com.br'
opendkim-testkey: 'dkim1._domainkey.iwtelecom.com.br' record not found

I created the record in the domain zone like below:

dkim1._domainkey IN      TXT     "v=DKIM1; k=rsa; p=bla...bla"

But it does not work when I try to resolve it:

dig dkim1._domainkey.iwtelecom.com.br

And it is not shown when I try:

dig +noall +answer iwtelecom.com.br any

Only the SPF record... I used the named-checkzone and everything looks fine, what am I doing wrong?

Eric Broch
White Horse Technical Consulting (WHTC)
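
Added example, not part of the original thread or of qmailtoaster: a small Python check that reads the Authentication-Results value quoted in the latest message and reports whether the DKIM signing domain and the SPF envelope domain align with the From domain. The function names are hypothetical, the archive's "sender at" obfuscation is written back as "sender@" in the sample, and alignment is a simplified suffix comparison rather than a Public Suffix List lookup.

```python
import re

# Authentication-Results value from the thread (constructed sample input:
# "sender at" restored to "sender@", whitespace folded onto one line).
SAMPLE = (
    "i=1; mx.google.com; "
    "dkim=pass header.i=@app1.iw.net.br header.s=dkim1 header.b=KdM7MJMS; "
    "spf=pass (google.com: domain of sender@iwtelecom.com.br designates as "
    "permitted sender) smtp.mailfrom=sender@iwtelecom.com.br; "
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=iwtelecom.com.br"
)

def parse_authres(value):
    """Return {method: {"result": ..., property: value}}; last result wins."""
    out = {}
    value = re.sub(r"\([^)]*\)", " ", value)      # drop parenthesised comments
    for part in value.split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)(.*)", part, re.S)
        if not m:
            continue                              # authserv-id, ARC "i=1", ...
        props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
        out[m.group(1)] = {"result": m.group(2).lower(), **props}
    return out

def domain_of(identity):
    """Domain part of 'user@domain', '@domain' or a bare domain."""
    return identity.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(a, b):
    # Assumption: relaxed alignment approximated as "equal, or one is a
    # subdomain of the other"; a full check compares organizational domains.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dkim_report(value):
    r = parse_authres(value)
    from_dom = domain_of(r["dmarc"]["header.from"])
    dkim = r["dkim"]
    sign_dom = domain_of(dkim.get("header.d") or dkim.get("header.i", ""))
    spf_dom = domain_of(r["spf"]["smtp.mailfrom"])
    return {
        "from": from_dom,
        "dkim_domain": sign_dom,
        "dkim_aligned": dkim["result"] == "pass" and aligned(sign_dom, from_dom),
        "spf_aligned": r["spf"]["result"] == "pass" and aligned(spf_dom, from_dom),
    }

if __name__ == "__main__":
    print(dkim_report(SAMPLE))
```

On the header from the thread this reports the DKIM pass as unaligned (signed as app1.iw.net.br, From is iwtelecom.com.br) and SPF as aligned, so the dmarc=pass shown there rests on SPF alone.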