Failing DKIM when sending postfix email

I set up a postfix/dovecot server. My ISP blocks outbound port 25, so I use an SMTP relay (mailjet).

When I send an email to gmail, it ends up in the "promotions" category which is effectively the spam folder. How can I fix this?

Closer inspection shows google reports "DKIM: 'FAIL' with domain example.com".

Throughout this post these replacements are applied:

  • IP is replaced with XX.YY.ZZ.AA,
  • domain is replaced with example.com,
  • long arbitrary strings are replaced with ...

The SMTP relay suggested setting up SPF and DKIM. They provided some strings to add to DNS TXT records which I have done. Mailjet recognizes that the SPF and DKIM records look good.

The strings look like this:

example.com                        TXT    v=spf1 include:spf.mailjet.com ?all
mailjet._domainkey.example.com     TXT    k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...

dig example.com txt shows

$ dig example.com
...
;; ANSWER SECTION
example.com.   21600    IN   TXT   "v=spf1 include:spf.mailjet.com ?all"

This is what I think are interesting parts of the email header

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from o137.p9.mailjet.com (o137.p9.mailjet.com. [XX.YY.ZZ.AA])
Received-SPF: pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) client-ip=XX.YY.ZZ.AA;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=example.com; [email protected]; s=mailjet;
  ...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=bnc3.mailjet.com; s=mailjet;
  ...
Return-Path: <[email protected]>
From: Stewart <[email protected]>

I've been following a fantastic setup guide. There is a section about creating DKIM/SPF records, but I have ignored that because I followed the suggestions by the SMTP relay. Should I follow this guide and include SPF/DKIM records for my domain plus my SMTP relay or should I only have records for my SMTP relay? i.e., does it make sense to have default._domainkey.example.com and mailjet._domainkey.example.com records?


Solved the problem. It wasn't anything to do with my SMTP relay, or my postfix server. I might be the only person in the world who will have the problem, but on the off chance I'm not I hope someone else can benefit from this answer.

My emails are signed with a PGP signature in my email client. Somehow attaching the PGP signature corrupted the way DKIM hashed the body. If I do not sign my emails in my email client, then the DKIM is valid.

I don't know if this is specific to my setup, but I've filed a bug report with the SMTP relay.
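
The `body hash did not verify` result with `c=relaxed/simple` in the headers above means the body Gmail received did not hash to the signature's `bh=` value under simple body canonicalization. The following is an added example, not part of the original post or the relay's code, that recomputes the body hash per RFC 6376; the sample bodies are constructed, the whitespace change is an assumed illustration rather than the confirmed cause here, and the optional `l=` tag is ignored.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, then end with one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse SP/TAB runs and strip line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. what bh= should contain."""
    data = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(sig_value: str, body: bytes) -> bool:
    """Recompute bh= using the body half of c= (default simple) and compare."""
    tags = parse_tags(sig_value)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon) == tags["bh"]

# Constructed sample: the body as signed, and the same body after a hop
# removed the trailing space from the "-- " signature delimiter line.
SENT = b"Hello,\r\n\r\n-- \r\nStewart\r\n"
RECEIVED = b"Hello,\r\n\r\n--\r\nStewart\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mailjet; bh="
       + body_hash(SENT, "simple"))

if __name__ == "__main__":
    for name, body in (("sent", SENT), ("received", RECEIVED)):
        print(name, "bh matches:", body_hash_matches(SIG, body),
              "| relaxed bh:", body_hash(body, "relaxed"))
```

To use it on a real message, pass the unfolded `DKIM-Signature` value and the raw body bytes (everything after the first blank line, with CRLF line endings) from the received copy, then from the copy saved by the sending client, to see which one still matches `bh=`.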