OK, I should get a prize for the World's Longest Subject Line. But, while these tips can be used across the board, I wanted to mention some specific problems that we had with this. Our email had been working fine, DKIM and SPF had been set up properly according to DMarcly.com's tests. Then in late December, GMail started rejecting our email, saying our DKIM/SPF *wasn't* right.
(Be warned: this is something you're going to run across more and more in the future. Trying to kill spam anyway they can, these big email providers use the "hammer to kill a house fly" approach.) This is in two parts:
1 - GMail rejecting our Zimbra email, claiming that DKIM/SPF weren't set up properly
2 - The way GoDaddy does DNS records.
Incidentally, while I was investigating, I Googled "DKIM txt or cname in DNS?" The first hit was a site that insisted that the RFC for DKIM says, "TXT" (i.e., plain text) record. The 2nd or 3rd hit said, "Microsoft wants a CNAME ("common name") record."
So, there you go. I use TXT. I resolved the problem and I'd like to share how I did it.
I'm going to assume that you've set up DKIM properly (or at least, thought you had), following something like the walkthroughs at
https://wiki.zimbra.com/wiki/Configurin ... IM_Signing
-- and --
https://wiki.zimbra.com/wiki/Best_Pract ... _and_DMARC
Better yet, let's say it has been working, but has now stopped for no apparent reason. Someone is now rejecting your emails due to DKIM or SPF errors.
Step One: send some emails through Zimbra to other accounts. Look at the full headers for your DKIM signature, which will look something like "DKIM-signature v=1 rsa=sha256 [some other options]" and, finally, the full public DKIM key, which will look like several lines of gibberish. If you don't see that, as the Zimbra user, make sure it's enabled:
If the DKIM signature now appears in your email header, you may have fixed the problem. I once had the opendkim Zimbra service stop working after an update. I re-enabled it and the header did reappear.
Code:
# run as the zimbra user: enable the opendkim service on this host, then rewrite its config
zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
/opt/zimbra/libexec/configrewrite opendkim
Step Two: check to make sure the correct signature is in your TXT record at your DNS registry. While you're there, check your SPF, too. You can get the current selector and the key that Zimbra is using with
Code:
/opt/zimbra/libexec/zmdkimkeyutil -q -d mydomain.com
... and if you're running an OS like Linux, you can see what DNS returns with nslookup or dig in a terminal:
Code:
dig txt [your_selector]._domainkey.mydomain.com
Step Three: if you're using GoDaddy, they do their registry a bit differently from many others. The "mail.mydomain.com" record will typically be part of the main "A" (mydomain.com) entries at GoDaddy. All of the registrars I've used in the past wanted a separate DNS record for the mail server, so you'd have at least TWO entries: one for "mydomain.com" and a separate one for "mail.mydomain.com."
The thing to remember is that both the DKIM and SPF records will go in the main "A" record! They do NOT go with the "mail.mydomain.com" record(s), if they are separate. This is because of the way that email works: the sending MTA looks at yourname@mydomain.com and pulls up the IP address (and other info) for "mydomain.com." That will INCLUDE the "mx" (mail exchange) spec, which tells the sender to look up the IP address of THAT host (in this case, "mail.mydomain.com"). But the DKIM and SPF records are supposed to be pulled from the *primary* domain name.
Hope this helps. Sorry it was so lengthy, but if it bails someone out of a similar situation in the future, it was worth it.
Statistics: Posted by spoole — Sun Jan 07, 2024 1:12 am
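An added example (not from spoole's post, and not Zimbra's code) that automates the Step Two and Step Three checks: it takes the answer lines `dig txt` returns for the selector record and for the zone apex, compares the published `p=` value with the key `zmdkimkeyutil -q` prints, and verifies that exactly one SPF record sits at the apex. The dig answer lines and the key material are constructed sample values, not real keys; the mail host name is assumed to be `mail.mydomain.com`. It goes slightly beyond the post by also flagging an empty (revoked) `p=` and multiple SPF records, both of which receivers reject.

```python
import re

# Constructed sample inputs (not real keys): the answer line `dig txt` prints for
# <selector>._domainkey.mydomain.com, the p= value zmdkimkeyutil -q prints for the
# same domain (wrapped over several lines, as the utility does), and the apex TXT answer.
DIG_DKIM_ANSWER = ('ABCD1234._domainkey.mydomain.com. 3600 IN TXT "v=DKIM1; k=rsa; " '
                   '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakePart1" "fakePart2IDAQAB"')
ZIMBRA_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakePart1\n\t  fakePart2IDAQAB"
DIG_APEX_TXT = ['mydomain.com. 3600 IN TXT "v=spf1 mx a:mail.mydomain.com -all"']

def join_txt_strings(rr_text):
    """Concatenate the quoted chunks of one TXT RR: DNS splits strings longer than 255
    bytes, which every RSA-2048 DKIM key is. Unquoted owner/TTL/class text is ignored."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rr_text))

def parse_dkim_tags(record):
    """tag=value list per RFC 6376: ';' separates tags, whitespace inside values is ignored."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim(rr_text, expected_p):
    """Problems with the published selector record versus Zimbra's key; [] means it matches."""
    tags, problems = parse_dkim_tags(join_txt_strings(rr_text)), []
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, but if present must be DKIM1
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= tag is not rsa (Zimbra signs with RSA)")
    if "p" not in tags:
        problems.append("no p= tag: the key is missing")
    elif tags["p"] == "":
        problems.append("p= is empty: the key is published as revoked")
    elif tags["p"] != "".join(expected_p.split()):  # zmdkimkeyutil wraps the key; compare without whitespace
        problems.append("p= differs from Zimbra's current key (stale record or wrong selector)")
    return problems

def check_spf(apex_rr_texts, mail_host):
    """Problems with the SPF record at the zone apex, which is where the post says it belongs."""
    records = [s for s in map(join_txt_strings, apex_rr_texts) if s.lower().startswith("v=spf1")]
    if not records:
        return ["no v=spf1 TXT record at the apex"]
    if len(records) > 1:                            # RFC 7208: more than one record is a permerror
        return ["%d SPF records at the apex; receivers treat that as a permanent error" % len(records)]
    terms = [t.lower() for t in records[0].split()[1:]]
    if "mx" not in terms and "a:" + mail_host.lower() not in terms:
        return ["SPF has neither mx nor a:%s; check that an ip4:/include: term covers the server" % mail_host]
    return []
```

Paste the real `dig` answer lines and the `p=` block from `zmdkimkeyutil -q -d mydomain.com` in place of the constructed constants; an empty list from both checks means DNS matches what Zimbra is signing with.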