Here is the setup where I encounter my issues :

My computer has the IP 10.6.2.5. There is a DNS server ns.isp6.lab with the IP 10.6.2.4 (I can reach it).

My computer has Postfix + Dovecot + SpamAssassin installed. I receive emails signed with DKIM from the domain isp6.lab. They're signed with this domain key : mail._domainkey.isp6.lab

When I do dig mail._domainkey.isp6.lab TXT I get an answer with the public RSA key.

The problem is that Spammassassin doesn't find it, here is a part the header of a received email :

X-Spam-HAM-Report: 
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

So I activated the debug logs in SpamAssassin and here is what I found :

cat spamd.log | grep dkim

Tue Oct  7 16:38:50 2014 [21673] dbg: dkim: performing public key lookup and signature verification
Tue Oct  7 16:39:00 2014 [21673] dbg: dkim: DKIM, [email protected], d=isp6.lab, s=mail, a=rsa-sha256, c=relaxed/simple, invalid, matches author domain
Tue Oct  7 16:39:00 2014 [21673] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR MAIL._DOMAINKEY.ISP6.LAB)

I checked my /etc/resolv.conf: domain isp6.lab search isp6.lab nameserver 10.6.2.4

I am now searching for hours on this issues (it doesn't seem well documented), I checked that I had all CPAN required modules, etc; I really have no idea what else I could do.

Thanks in advance for your help.

Edit : Maybe something can be done in the NET::DNS module? I don't really understand how all these modules are used, configured, and interact with each other.


Solution 1:

Maybe you hit bug related with NET::DNS and spamassassin. It explained in this blog and this SA mailing list. The excerpt from the blog

Net::DNS version 0.76 changed the field name holding a set of nameservers in a Net::DNS::Resolver object: it used to be ‘nameservers’, but is now split into two fields: ‘nameserver4′ and ‘nameserver6′.

Mail/SpamAssassin/DnsResolver.pm relied on the internal field name of a Net::DNS::Resolver object to obtain a default list of recursive name servers, so the change in Net::DNS broke that.

Solution:

Check your repo, if they have fixed the issue in newer release. If not, you can apply the patch manually from here