opendkim-testkey: key not secure
I set up the OpenDKIM milter to work with Postfix on my machine. Now email is signed and verified correctly, i.e. the email source shows a DKIM-Signature header.
The TXT record on the authoritative DNS is set up like this:
root > server > ~ # delv -t txt dkim-domain._domainkey.domain.eu
...
...
dkim-domain._domainkey.domain.eu. 1780 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8drA4hH8gJaVpLaHhtQonhpOeanMo/oPmrAVehP3lBYAjsoxifCIclLqJo7kk0maelqu9SIN9ttQ0boCzEiQBMO1" "c1P+Sj/PxphZB71c8VNhqMJ32VG6Ky3ZD4Tds39Vye/wsWdi+842MUT3Z2dJnxS2AAG4pSkjaytFPCs0J94OUQC0tDErbnsMZh+gg+7IsYgND8FR/cRDzpXjD0qFJk4Cnc1q27WorPAGAiRsRfLt9u" "gkYgQRwapnofmKJ3hk/L8096YR7gan60L4+RGojsx5ppTdIEhYasyK9MokefmVeNyGwVXTJchqG8vhcg9uGjGy9mPiPg4B2TQgEBPwyQIDAQAB"
...
...
So on first glance everything is okay but when I run the diagnostics on my machine it says this:
root > server > ~ # opendkim-testkey -d domain.eu -s dkim-domain -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'dkim-pistam._domainkey.pistam.eu'
opendkim-testkey: key not secure
opendkim-testkey: key OK
Note the "key not secure" answer. I read from this answer that the warning exists because DNSSEC is not enabled. But DNSSEC for my domain domain.eu is enabled, according to DNSViz.
ADD:
It may be that the topic I linked to earlier is misleading, because I later read an answer here suggesting that the warning is due to too permissive privileges on the key pair! I set the user rights on the key pair and their folder like this:
root > server > ~ # ls -l /etc/opendkim/keys/
total 8
-rw------- 1 opendkim opendkim 1675 Dec 30 08:45 dkim-rsa-private.key
-rw------- 1 opendkim opendkim 451 Dec 30 08:46 dkim-rsa-public.key
root > server > ~ # ls -ld /etc/opendkim/keys/
drwx------ 2 opendkim opendkim 4096 Jan 1 07:18 /etc/opendkim/keys/
So it should be secure... But it is not.
Solution 1:
As also explained in my other answer, "key not secure" in this context indicates that OpenDKIM was not able to authenticate the key using DNSSEC.
You have to ensure that OpenDKIM can make use of DNSSEC. For example, on Debian and Ubuntu, the default /etc/opendkim.conf file contains the following setting, which enables DNSSEC capabilities:
TrustAnchorFile /usr/share/dns/root.key
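As an added diagnostic (not part of the question or answer above, and not OpenDKIM's own tooling), the POSIX shell script below classifies delv output by its validation marker line ("; fully validated" for a DNSSEC-validated answer, "; unsigned answer" for an unsigned zone) and checks whether an opendkim.conf points TrustAnchorFile at a readable file. The delv output and the config file it runs against are constructed samples.

```shell
#!/bin/sh
# Added diagnostic for the "key not secure" message; not from the original post.

# Classify delv output read from stdin by the marker line delv prints
# before the answer section.
dnssec_status() {
    out=$(cat)
    case "$out" in
        *'; fully validated'*) echo validated ;;
        *'; unsigned answer'*) echo unsigned ;;
        *) echo unknown ;;
    esac
}

# Read the TrustAnchorFile path from an opendkim.conf (commented lines are
# skipped because their first field starts with '#') and report whether
# OpenDKIM could load it: "ok <path>", "missing-file <path>" or "not-configured".
trust_anchor_status() {
    conf="$1"
    path=$(awk '$1 == "TrustAnchorFile" { print $2; exit }' "$conf")
    if [ -z "$path" ]; then
        echo not-configured
    elif [ -r "$path" ]; then
        echo "ok $path"
    else
        echo "missing-file $path"
    fi
}

# Constructed sample data (not real output) for a stand-alone run.
SAMPLE_DELV_OK='; fully validated
dkim-domain._domainkey.domain.eu. 1780 IN TXT "v=DKIM1; k=rsa; p=..."'
SAMPLE_DELV_UNSIGNED='; unsigned answer
dkim-domain._domainkey.domain.eu. 1780 IN TXT "v=DKIM1; k=rsa; p=..."'

TMP_CONF=$(mktemp)
printf 'Syslog yes\nTrustAnchorFile /nonexistent/root.key\n' > "$TMP_CONF"

printf '%s\n' "$SAMPLE_DELV_OK" | dnssec_status        # validated
printf '%s\n' "$SAMPLE_DELV_UNSIGNED" | dnssec_status  # unsigned
trust_anchor_status "$TMP_CONF"                        # missing-file /nonexistent/root.key
rm -f "$TMP_CONF"
```

On a live system, pipe the real `delv -t txt <selector>._domainkey.<domain>` output into dnssec_status and point trust_anchor_status at /etc/opendkim.conf; a "validated" record together with "ok" for the trust anchor is the state in which opendkim-testkey stops reporting the key as not secure.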