Failing DKIM when sending postfix email
I set up a postfix/dovecot server. My ISP blocks outbound port 25, so I use an SMTP relay (mailjet).
When I send an email to gmail, it ends up in the "promotions" category which is effectively the spam folder. How can I fix this?
Closer inspection shows google reports "DKIM: 'FAIL' with domain example.com".
Throughout this post these replacements are applied:
- IP is replaced with XX.YY.ZZ.AA
- domain is replaced with example.com
- long arbitrary strings are replaced with ...
The SMTP relay suggested setting up SPF and DKIM. They provided some strings to add to DNS TXT records which I have done. Mailjet recognizes that the SPF and DKIM records look good.
The strings look like this:
example.com TXT v=spf1 include:spf.mailjet.com ?all
mailjet._domainkey.example.com TXT k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...
dig example.com txt shows
$ dig example.com
...
;; ANSWER SECTION
example.com. 21600 IN TXT "v=spf1 include:spf.mailjet.com ?all"
This is what I think are interesting parts of the email header
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from o137.p9.mailjet.com (o137.p9.mailjet.com. [XX.YY.ZZ.AA])
Received-SPF: pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) client-ip=XX.YY.ZZ.AA;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b="mF/BgIdk";
dkim=neutral (body hash did not verify) [email protected] header.s=mailjet header.b=YabQjQKu;
spf=pass (google.com: domain of [email protected] designates XX.YY.ZZ.AA as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
d=example.com; [email protected]; s=mailjet;
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
d=bnc3.mailjet.com; s=mailjet;
...
Return-Path: <[email protected]>
From: Stewart <[email protected]>
I've been following a fantastic setup guide. There is a section about creating DKIM/SPF records, but I have ignored that because I followed the suggestions by the SMTP relay. Should I follow this guide and include SPF/DKIM records for my domain plus my SMTP relay, or should I only have records for my SMTP relay? I.e., does it make sense to have default._domainkey.example.com and mailjet._domainkey.example.com records?
Solved the problem. It wasn't anything to do with my SMTP relay, or my postfix server. I might be the only person in the world who will have the problem, but on the off chance I'm not, I hope someone else can benefit from this answer.
My emails are signed with a PGP signature in my email client. Somehow attaching the PGP signature corrupted the way DKIM hashed the body. If I do not sign my emails in my email client, then the DKIM is valid.
I don't know if this is specific to my setup, but I've filed a bug report with the SMTP relay.
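An added example, not code from the original post or from Mailjet: the signatures in the headers above use c=relaxed/simple, so the body is hashed with "simple" canonicalization, and any byte changed after signing yields "body hash did not verify". The sketch below computes the bh= value per RFC 6376 for both body canonicalizations; the function names are hypothetical and the sample body and its trailing-whitespace change are constructed for illustration, not the confirmed cause in this case.

```python
import base64
import hashlib
import re


def _crlf(body: bytes) -> bytes:
    # DKIM hashes the body as sent over SMTP, so normalise bare LF to CRLF.
    return re.sub(rb"\r?\n", b"\r\n", body)


def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: drop empty lines at the end, keep everything else
    # byte for byte; an empty body becomes a single CRLF.
    body = _crlf(body)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: also collapse runs of space/tab and strip line-end whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in _crlf(body).split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_canon(c_tag: str) -> str:
    # c=header/body; the body part defaults to "simple" when omitted.
    return c_tag.split("/")[1] if "/" in c_tag else "simple"


def body_hash(body: bytes, c_tag: str = "simple/simple") -> str:
    canon = canon_relaxed if body_canon(c_tag) == "relaxed" else canon_simple
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


# Constructed sample: a body as signed, and the same body after a hypothetical
# hop removed trailing whitespace from one line.
SIGNED = b"Hello,\r\n-- \r\nStewart\r\n"
ALTERED = b"Hello,\r\n--\r\nStewart\r\n"

if __name__ == "__main__":
    for tag in ("relaxed/simple", "relaxed/relaxed"):
        same = body_hash(SIGNED, tag) == body_hash(ALTERED, tag)
        print(tag, "bh matches" if same else "bh differs")
```

To check a real message, pass the raw body bytes (everything after the first blank line of the message) and compare the result with the bh= tag of the DKIM-Signature header, assuming the signature has no l= tag.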