DKIM FAIL with domain null in GMail

I'm getting a DKIM: FAIL with domain null error in GMail. When I go to See Original in GMail, I get dkim=fail [email protected];.

In my DNS I have the following TXT Records:

DMARC TXT Entry: _dmarc v=DMARC1;p=reject;sp=reject;rf=afrf;pct=100;ruf=mailto:[email protected];rua=mailto:[email protected];ri=86400

SPF TXT Entry: example.com

v=spf1 +a +mx +ip4:70.xxx.xxx.xxx +ip4:71.xxx.xxx.xxx +ip4:72.xxx.xxx.xxx ~all

DKIM TXT Entry: _default._domainkey

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/HYr74H9Ty6HjTpjawYIfiDa7kOPx+0GJiw4rw7IYkfvrfrLojmGLuS4lg3NbIqYmLg9Ziz77q9vVT15ftrFB1+lTz6+Ei19b6AM8FGCJoDWRHRwB+YN0InJaFs/kPfy1SktqQI8TntPNfH2+tTOUrIT1gi8fjwSnfSkUsbNuSpIp3XrAU6pYzEjXF2h1A3UMFV+7+jLRzEvunj2YCsJ3vaifTihat+Nsw7eP5L2iAzW8b0joP3z6k/UkhUa7/35oNC4Xn1dY532irsBunMJz9QsBxIaNpepiZZkTxfglsq2RP4FWGZbiVFRDDcvsnpi4kFx3eAQtAoo+szLA70FQIDAQAB

I tested my records via https://www.mail-tester.com/spf-dkim-check and http://dkimcore.org/tools/keycheck.html and it all checks out. Public Key is 2048-bit. I read that GMail was failing DKIM with smaller keys.

I also tested it with http://unlocktheinbox.com and at the DKIM Validation Check it says:

Signature Found:    Yes
SmarterMail DKIM Test:  Failed - Bad Signature
MailBee.NET DKIM Test:  Failed - SignatureInvalid

GMail doesn't seem to have any issues with my SPF and DMARC. Here's the authentication-results for those:

spf=pass (google.com: domain of [email protected] designates 70.xxx.xxx.xxx as permitted sender) [email protected];


dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

My emails are hosted/sent from http://inmotionhosting.com. My DNS is at CloudFlare.

What am I doing wrong or missing here?

Thanks!


Solution 1:

Check the DKIM signature in the header. The diagnostic messages seem to indicate that the domain field (d=) is empty or missing. Ensure you are supplying your domain when you sign the emails. The DKIM header should look something like the following:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=example.com; s=201602; h=Content-Transfer-Encoding:Content-Type:
    MIME-Version:Date:Message-ID:Subject:From:To;
    bh=GUIz2zzhMS1zh+o3BSEHOEq5KPzYRRlG+wqnc7+1vNM=; b=Q0LXbOPly2f1Ns6kpuS5e6dykT
    mefOZ8WX5tzNR0jD4Mqttg9IDutAE25M3FR+1UXcnakHCIsj+ELuoqafHvu/1av6vvAhZXMudoo/V
    wz3FDWwUnOroIaDPLvSR9RgBA/SHpPL9REEpCtN5WDnWDQK4P69CygrX+zbyh60aZVhE=;

Solution 2:

Try removing quotation marks from the TXT, if you have them.

That is: replace "v=DKIM1; ..." with v=DKIM1; ... in your TXT DNS entry.

For me, this solved the topic's error message. I used Cloudflare as DNS.

I got the hang of it with https://mxtoolbox.com (dkim:example.org:mail).

With quotation marks, the tool didn't recognize the DKIM1 "TagValue" and showed "Unknown" in the "Name" column.

But, without quotation marks, that column turned into "Version" and "Description" into "The DKIM record version."

And Gmail Show original turned into "PASS with domain example.org".
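
A small diagnostic for the two causes suggested in the answers above (an empty or missing d= tag in the DKIM-Signature header, and quotation marks stored inside the TXT value), added here as an example and not taken from either answer. It assumes the TXT input is the raw record data as returned by a resolver library, not dig's quoted presentation; the function names and sample values are constructed for illustration.

```python
import re

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside values (b=, bh=, h=) is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(header_value):
    """Return (DNS name of the key record or None, problems) for a DKIM-Signature value."""
    tags = parse_tags(header_value)
    problems = [f"{t}= tag missing or empty" for t in ("d", "s", "bh", "b") if not tags.get(t)]
    ok = tags.get("d") and tags.get("s")
    return (f"{tags['s']}._domainkey.{tags['d']}" if ok else None), problems

def check_key_record(txt):
    """Return problems found in the raw data of a DKIM key TXT record."""
    raw, problems = txt.strip(), []
    if raw.startswith('"') or raw.endswith('"'):
        problems.append("literal quotation marks stored in the TXT value")
    tags = parse_tags(raw)
    # v= is optional, but when present it must come first and be exactly DKIM1.
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif p == "":
        problems.append("p= is empty, which marks the key as revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        problems.append("p= is not valid base64")
    return problems

# Constructed samples (placeholder key and signature data, not from a real message or zone).
GOOD_SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=mail;\r\n h=From:To:Subject; bh=QUJD; b=REVG"
NO_DOMAIN_SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; s=mail; h=From:To:Subject; bh=QUJD; b=REVG"
GOOD_KEY = "v=DKIM1; k=rsa; p=QUJDRA=="
QUOTED_KEY = '"v=DKIM1; k=rsa; p=QUJDRA=="'

if __name__ == "__main__":
    for sig in (GOOD_SIG, NO_DOMAIN_SIG):
        print(check_signature(sig))
    for key in (GOOD_KEY, QUOTED_KEY):
        print(check_key_record(key))
```

These checks only confirm that the signature names a domain and selector and that the published record parses; they do not verify the signature itself.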