Failing DKIM when sending postfix email

dkim

I set up a postfix/dovecot server. My ISP blocks outbound port 25, so I use an SMTP relay (mailjet).

When I send an email to gmail, it ends up in the "promotions" category which is effectively the spam folder. How can I fix this?

Closer inspection shows google reports "DKIM: 'FAIL' with domain example.com".

Throughout this post these replacements are applied:

  • IP is replaced with XX.YY.ZZ.AA,
  • domain is replaced with example.com,
  • long arbitrary strings are replaced with ...

The SMTP relay suggested setting up SPF and DKIM. They provided some strings to add to DNS TXT records which I have done. Mailjet recognizes that the SPF and DKIM records look good.

The strings look like this:

example.com                        TXT    v=spf1 include:spf.mailjet.com ?all
mailjet._domainkey.example.com     TXT    k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...

dig example.com txt shows

$ dig example.com
...
;; ANSWER SECTION
example.com.   21600    IN   TXT   "v=spf1 include:spf.mailjet.com ?all"

This is what I think are interesting parts of the email header

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from o137.p9.mailjet.com (o137.p9.mailjet.com. [XX.YY.ZZ.AA])
Received-SPF: pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) client-ip=XX.YY.ZZ.AA;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=example.com; [email protected]; s=mailjet;
  ...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=bnc3.mailjet.com; s=mailjet;
  ...
Return-Path: <[email protected]>
From: Stewart <[email protected]>

I've been following a fantastic setup guide. There is a section aboput creating DKIM/SPF records, but I have ignored that because I followed the suggestions by the SMTP relay. Should I follow this guide and include SPF/DKIM records for my domain plus my SMTP relay or should I only have records for my SMTP relay? i.e does it make sense to have default._domainkey.example.com and mailjet._domainkey.example.com records?


Solved the problem. It wasn't anything to do with my SMTP relay, or my postfix server. I might be the only person in the world who will have the problem, but in the off chance I'm not I hope someone else can benefit from this answer.

My emails are signed with a PGP signature in my email client. Somehow attaching the PGP signature corrupted the way DKIM hashed the body. If I do not sign my emails in my email client, then the DKIM is valid.

I don't know if this is specific to my setup, but I've filed a bug report with the SMTP relay.

Related

Unable to copy files from remote source folder to local through GPO
What is the purpose of having 2 Cisco ASA 5500-X Series Firewall in a Network?
Couldn't work ccxt package [closed]
How long should accounts be deactivated before being deleted?
Getting Nginx to serve to two websites (mapped to two external IP addresses)
MariaDB memory spikes and crash
csf: how to override TCP_IN?
How to combine squid reverse proxy with nginx proxy for shiny-server
Openldap - slap_access_allowed: auth access denied by =0 - Not able to authenticate user
MariaDB galera cluster, add node without interruption
Android app is published, but not visible anywhere in Google Play
How to split a video using FFMPEG so that each chunk starts with a key frame?