HOW TO: Easy Set Up DKIM signatures on Hmailserver

This section contains user-submitted tutorials.
User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2016-03-16 12:53

This procedure details how easy it is to achieve and how to implement it (in 5 easy steps, and I mean EASY). Other instructions are also available throughout the forum offering similar and different methods. This guide is a simplified yet complete write-up following the easiest method. (Thank you to @Mattg for the initial guidance).

1, CREATE THE KEYS

This step will take you through creating keys using a seemingly trustworthy online key generator. However, for those of a more nervous disposition about security, and who want be in control of creating such keys without the use of the internet (involving downloading of OpenSSL software), then an alternative method for creating the keys can be found here: http://www.dataenter.com/doc/general_domainkeys.htm - then continue to apply the generated key strings accordingly (from step (2) below).

i, Go to https://d-fault.nl/dkimgenerator

ii, Fill out the form accordingly:
  • Domain name of the “From:” header address....: enter your domain (eg, YOURDOMAIN.COM)
  • DomainKey Selector (e.g., key1): enter "dkim" (without the quotes. We will be referring to this choice of key word later)
  • Key Length in bits: 1024
Note: you may choose 2048bits but this will result in a longer key. However, many DNS servers will not accept the record length of this key as it will be too long and its likely you are unaware of your servers limitation until after you try it. (This happened to me). So I advise to enter just 1024 bit to be sure.

  • Settings:

    Require a domain match: Tick

    Add key length note tag: Untick (not necessary)

    Escape semicolons: Important Note: if you are using/administering a BIND dns server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;' - in this case you will need to Tick this setting.
iii, Click 'Generate'


2 keys will be generated on screen. The first one will be the PRIVATE KEY:

eg,
-----BEGIN RSA PRIVATE KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut
3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6
e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFs
wCU/suTcTK0+uMV1ewIDAQAB

-----END PRIVATE KEY-----
and the second will be incorporated in to a TXT record which is for your DNS entry:

eg
dkim._domainkey.YOURDOMAIN.COM IN TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB"
2, UPDATE YOUR DNS RECORD WITH THE DKIM KEY

Go to your DNS records portal/administration to amend your domain DNS records and add a TXT record under your domain copying the text details as appearing under the TXT RECORD:

i, Create a TXT record against your domain in DNS with the following entry:
  • key: dkim._domainkey.YOURDOMAIN.COM (as it is shown in the TXT record)
    Note: GoDaddy users may need a shorter version - see here for a users experience.
  • Value: Copy the remainder of the TXT record as they appear in the quotes

    eg, v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg...The_Long_String_Of_Text

    (ensure the single spaces between parameters are included)
ii, Save your new record

iii, You may now test for the DNS record to see if it has been accepted by using online DNS Query facilities such as this one: http://www.dnswatch.info/.

Enter:
  • Hostname or IP: dkim._domainkey.YOURDOMAIN.COM
    Type: TXT
The results should now show an entry similar to
dkim._domainkey.YOURDOMAIN.COM.

TXT 300

v=DKIM1;t=s;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB
(note that there is no 'escaped' semicolon - if there is then you should re-enter your DNS record without the backslashed semicolon - recreate your record unticking the "Escape Semicolon" option.)

3, CREATE THE PRIVATE KEY ON YOUR HMAILSERVER

i, Create a blank text file (with Notepad, for example) and paste in the first part of the block (the -----PRIVATE KEY-----) as appears on the website:

eg
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1RKKds55yyGSS/h47+4LMpyz08yqf2zzIS86UYr2KAry1b8Q
+F4Aa03+YA6NZbzWnUepaKVG5Fmd0RxAqbwRCvr/KxoNbs2oHWHR3LaXEsr96zkl
wCV6XxciNDWkC9iDnrCOb8J/ihQM5kUMRJdvYtJMtZivyi7c6DFSN7aMdDO2Vu96
RybbCUSjXxNFFjgE8fY57E7zJFOHPDCxJpfmVDxPKJqHyGpTKDmiywtTMLgH7Nsy
eR2OSn+2tDja6VWvuiq6EfZ5sRWmV2dn0KWVbTSjH74BI9OOPK3LfKQfLQ4iUnPF
Wf7IC29jggKg/PBMuXcp5qo5ZIFy5f8Z1SZgD+kpgGkxw42bJl7olaFRayu5rJH8
Fa6a99Y5/i7EI9jYas7WHP0lxM6rZlUyWE4pB5DPRDqDCbesuEV5DmHROVlfSgpH
sHaeNGbfHCYDngg5KvAUxLECgYEAnh+c5HHm4X13JSsm6ScBQW7HDB0fNP7W13iS
Petie/HsQE+0xgDEKfGm/DgAAIErTz6pfjpXX9dQs/O+aY5LNh0PTduO+g2fS0qy
bwu4VU9vSu1WFMWS+fLCSBpePRiWjCRN5uDH7ZQUOqu0WVEN3Y1k43uTiFUgvppr
TRQOyB0CgYBU9Pl2tMVV02pnZeZGsYv7RykMJ4xhD9urVxtMCI76H6xHAbJcnXy0
NMXqxfK5iAJFR1ffkAIti/v6dUlgg+4sCJExJFmawpe0PV/mARrHLkSCcHxTvnS0
sGqiP8TQKVRCvkwOhp/dgabfNoiOE3QWAzpngZLjfeoH0P+SYaBN/g==
-----END RSA PRIVATE KEY-----


ii, Save this file as "dkim.YOURDOMAIN.COM.pem".

I recommend saving this file in to the DOMAIN folder off the root of your data directory (where the email files are held in sub folders).

eg d:\pathto\HMSdatafolder\YOURDOMAIN.COM\dkim.YOURDOMAIN.COM.pem

This way the the domain specific key will be saved with your data backups and thus avoiding configuration problems on restore.


4, CONFIGURE HMAILSERVER

i, In Hmailserver admin go to: DOMAINS - 'mydomain.com' - "DKIM Signing"
  • Tick 'Enabled'

    Private Key File: browse and point to dkim.YOURDOMAIN.COM.pem as saved in step (3ii)
    eg, d:\pathto\HMSdatafolder\YOURDOMAIN.COM)

    Selector: "dkim"

    Header method: relaxed

    Body method: relaxed

    Signing algorithm: SHA256
Click SAVE.

5, TEST

Send an email to an external address that you can receive and view (eg, a Gmail, Yahoo etc address). Upon receiving it, use your portal/email client functions to view the "Message Source" or 'full headers'. Within the headers there should be something like:
Authentication-Results: mta1323.mail.ne1.yahoo.com from=MYDOMAIN.COM; domainkeys=neutral (no sig); from=MYDOMAIN.COM; dkim=pass (ok)
Further down in the headers where your Hmailserver initially starts the delivery, there should be a 'received' header similar to:
Received: from 127.0.0.1 (EHLO mail.mydomain.com) (123.45.67.89)
by mta1323.mail.ne1.yahoo.com with SMTPS; Wed, 16 Mar 2016 09:13:38 +0000
dkim-signature: v=1; a=rsa-sha256; d=mydomain.com; s=dkim;
c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
bh=pVMggf6ACj7Jh1zg8lMTWup8MzcMJg8v5gp1MijD6II=;
b=d+w4QzQFvsLa7Jt0gUoqI+Eu4X8QudR/HcxtxL0e/oloZWD9K1ZdmOVYEWZVYE3RvfvuosFlZ0DTQvF3Ok17yYEqkqeoyoSmp8BEUYEuRmTYELDrDe1ooYyVBdQHOFZqVMZLqMPgETYEhs1EEy4e3lEorEZ0R51wLSDY1PMbkK25XtxBs
If you have the DKIM signature, and you have the DKIM=PASS in the "Authentication Results" header, then youre done!

Take note: A user once reported that adding a signature (in Hmailserver) was breaking his DKIM validation for http://dkimvalidator.com/ and therefore possibly for some receiving mail servers whilst it was passing for others (GMail,Yahoo etc passed the DKIM). Its worth reading his cause and conclusion here: viewtopic.php?p=200485#p200485 to show how to prevent this problem with signatures.

Warning:

I have DKIM set up (as per the above instructions) and receive a "DKIM=PASS" on all tests with online DKIM/email checkers and email providers I try....that is all EXCEPT Microsoft's Outlook/Hotmail! (surprise surprise). Even when the same email is CC'd to Hotmail and a Yahoo addresses (for example), or even have Hotmail accept it and forward it on to a Yahoo address, only the Microsoft servers chooses to fail and continue to issue 'dkim=fail' (and they are still unable to explain why.) Despite this, and probably because of our domains 'good reputation' and SPF records, it doesnt affect delivery of our emails to their INBOX. But you should be aware and maybe check/test yourself to determine what the results are for your domain when sending to an Outlook/hotmail address. If you do suffer from Microsoft-run email services from JUNKing your emails, then read this article (with direct link) for explanations and possible options: viewtopic.php?p=184321#p184321.

EDIT: MICROSOFT ALSO GIVES A DKIM=PASS: A few days later after the initial implementation and results above, I did further tests. Microsoft servers give DKIM=FAIL if the BODY of your text is blank - if the body is not blank (which is normally the case in most emails) then they also gave DKIM=PASS. This was true for both plain text and html/richtext email bodies. (My initial test emails just contained recipient address and a subject (eg "test 1") and didnt have a body text.). Phew. Wierd, but phew!
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Dravion » 2016-03-16 13:00

Great work!

User avatar
modiX
Normal user
Normal user
Posts: 41
Joined: 2016-03-06 21:21

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by modiX » 2016-03-17 22:14

Ok I could not resist and tried this.

The dkim signature got attached, but in the top of the mail behind Authentication-Results it's not "dkim=pass", it's "dkim=permerror header.d=***.com".

What does this mean? The signature below looks right to me.

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2016-03-17 22:21

You must have mistyped/misread/mishandled some of the data somehow and perhaps not set the dns record correctly. Let me know your domain so we can check. (Also, stop and restart your hmailserver service to be sure)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2016-03-18 00:36

One note of caution...

(I told jimimaseye about the port25 dkim certificate creator)

I have no reason to suspect port25 of anything unusual, in fact the exact opposite. They appear to be very genuine.
Their privacy policy is here >> https://www.port25.com/privacy-policy/
And it says in part
After a transaction, your private information (credit cards, social security numbers, financials, etc.) will be kept on file for more than 60 days in order to keep you updated on software enhancements..
This a very short time frame and is great.

My note of caution is that with ANY online service there is a risk that you could be giving your information to the bad guys.
This could be a problem if you ONLY used DKIM. It could mean that a website with DKIM certificate and key, could generate mail that pretends to be from you.

A solution is to use DKIM as PART of your mail security setup.
Also use SPF records that end in '-all'
Look at other security solutions as thy evolve.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
modiX
Normal user
Normal user
Posts: 41
Joined: 2016-03-06 21:21

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by modiX » 2016-03-18 18:30

jimimaseye wrote:You must have mistyped/misread/mishandled some of the data somehow and perhaps not set the dns record correctly. Let me know your domain so we can check. (Also, stop and restart your hmailserver service to be sure)
Thank you for your PM. The DNS record was not stored correctly. Now it's working and the email got "dkim=pass" in the header.

Now my question is, how can the receiver know the mail is not modified?
I mean, the Receiver server or client has to check the DKIM, but I don't believe every client/server is doing this when receiving a mail.

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2016-03-18 19:54

Mail servers check the dkim signature that you have encoded in the email matches ITS results when it does the same (with your DKIM key as found in your DNS record). If the results are not identical then one of the fields used for generating the signature (which are listed in the header) must have been changed and they would get DKIM=FAIL. Then their server would score it/move it to spam folders according to their own implementation of risk handling.

Of course, no, there is no saying that all servers perform DKIM verification, but the main ones do (I would think anyone that you are sending to will support it).

Now to do your SPF. (See my PM).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2016-03-19 00:47

modiX wrote:Now my question is, how can the receiver know the mail is not modified?
DKIM shows that there have been no changes between the mailservers. Even then this rarely used for anything other spam scoring, and the user is rarely notified if the DKIM is incorrect, other than a header in a SPAM marked email.
Who reads headers anyway other than us nerds?

To show no changes since since the authoring mail client, you need to investigate Message digital signatures.
This (like Message level encryption) is handles by mail clients

Mail clients need to share public keys (in a secure way, not via another email)
Then the sending client can digitally sign AND/OR encrypt the message with their private key
The receiving client can confirm digital signatures, and de-encrypt messages using the public key

public and private keys needs to generated first, and you need to trust the authority / entity that generates the keys to properly identify the sender, and you need to trust the communication channel by which these were sent

digital signatures and DKIM alone DO NOT PREVENT THE MESSAGE FROM BEING VIEWED or copied in transit
Message encryption is the ONLY way to achieve this, even then, still perhaps not.

I am told that when security agencies at friendly nations exchange email, that they:-
- Sign with keys physically handed from one trusted agent to another
- Encrypt with a different key, physically handed between two other trusted agents
- Encrypt a VPN tunnel before doing anything
- send the encrypted message down the encrypted VPN, inside a SSL secured connection
- use each code ONLY once
- EXPECT THAT THE MESSAGE HAS BEEN COMPROMISED anyway
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

neo
New user
New user
Posts: 7
Joined: 2006-06-12 16:43

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by neo » 2017-01-05 12:16

mattg wrote:One note of caution...

(I told jimimaseye about the port25 dkim certificate creator)

I have no reason to suspect port25 of anything unusual, in fact the exact opposite. They appear to be very genuine.
Their privacy policy is here >> https://www.port25.com/privacy-policy/
And it says in part
After a transaction, your private information (credit cards, social security numbers, financials, etc.) will be kept on file for more than 60 days in order to keep you updated on software enhancements..
This a very short time frame and is great.

My note of caution is that with ANY online service there is a risk that you could be giving your information to the bad guys.
This could be a problem if you ONLY used DKIM. It could mean that a website with DKIM certificate and key, could generate mail that pretends to be from you.

A solution is to use DKIM as PART of your mail security setup.
Also use SPF records that end in '-all'
Look at other security solutions as thy evolve.
Hi,

You can generate your own RSA key (domainkey) using OpenSSL.
Download it and follow the instruction gave in:
http://www.dataenter.com/doc/general_domainkeys.htm

Sincerely,

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2017-01-05 13:26

neo wrote:
Hi,

You can generate your own RSA key (domainkey) using OpenSSL.
Download it and follow the instruction gave in:
http://www.dataenter.com/doc/general_domainkeys.htm

Sincerely,
Thanks Neo, thats good to know.

I have updated my tutorial to reflect this suggestion.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

wctsang
New user
New user
Posts: 4
Joined: 2017-01-17 16:19

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by wctsang » 2017-01-17 16:43

Dear Jimimaseye,

My name is WC Tsang. I live in Hong Kong. I am a very green hand to server settings. I tried very hard these few days in setting up an hmailserver with DKIM feature running on my PC at home. I followed every steps in your essay posted in March last year. However, no matter how hard I tried, I kept on receiving the following error message in the log file:

"ERROR" 2780 "2017-01-17 22:07:33.991" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2780 "2017-01-17 22:07:34.007" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2780 "2017-01-17 22:07:34.022" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."

I don't know what has gone wrong. Would you mind giving me some hints to solve the problem ?

Best regards,
WC Tsang

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2017-01-18 00:03

I'd bet that the private key file is not accessible to the user that the hMailserver service runs under (typically local system), ie I think that your key file is not installed on a local hard drive where your hMailserver is installed.

If it is, check the file permissions for that file
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

wctsang
New user
New user
Posts: 4
Joined: 2017-01-17 16:19

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by wctsang » 2017-01-18 15:30

Dear Mattg,

Thank you for your information. I did aware of this problem. As I learned in some other essays, I put the private key file under the data directory of hmailserver:

C:\Program Files (x86)\hMailServer\Data\wctsang.online\dkim.wctsang.online.pem

If the hmailserver could access to the data directory, I thought it could access the private key in the same folder as well. However, this combination was just not working. There are five parties who have access right to the private key file:

System
Administrators
All application packages
All restricted application packages (I am not sure if this is correct as it is translated from Chinese)
Users

The first two parties have full control right while the rest have only read and execute right.

May I ask what party I need to add and what right should be assigned before the hmailserver can access my private key file. Hope that you can spend a little time to help me.

Best regards,
W.C. Tsang

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2017-01-18 23:55

What user does the hMailserver SERVICE run under?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

wctsang
New user
New user
Posts: 4
Joined: 2017-01-17 16:19

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by wctsang » 2017-01-19 14:19

Dear Mattg,

I logged in the computer by using my email address as User Name and the associated password. I gave this User a full control right to access all files under the hmailserver directory. After that, I started the hmailserver administrator and try to send an email from the mail@wctsang.online to my gmail account through the server. The same error was found in the log file as shown below:

"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2784 "2017-01-19 20:09:23.650" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."

Is there some other area which I need to check ?

Best regards,
W.C. Tsang

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2017-01-19 14:25

You have misunderstood Mattg's question.

What windows account does your Hmailserver SERVICE run under ("SYSTEM", "LOCAL SERVICE", ...?) Look under your system PROCESSES. That is the windows user/account that the directories need to have access to.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

wctsang
New user
New user
Posts: 4
Joined: 2017-01-17 16:19

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by wctsang » 2017-01-20 18:44

Dear Jimimaseye,

Thank you for your clarification on Mattg's question. As I mentioned before, I am a very green hand in setting a server. Sorry that I even don't understand your hints.

I checked the service list in my computer. I found the the service hMailAdmin.exe is run under the username WCT with a description of Administrator. The service hMailServer.exe is run under SYSTEM with a description of hMailServer.

I assigned a full control right to both of the users to access my private key, but the problem persists. The log file is shown below:

"DEBUG" 2864 "2017-01-21 00:00:04.834" "SMTPDeliverer - Message 94 - Connection failed: Host name: 74.125.203.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:04.834" "Ending session 540"
"DEBUG" 2768 "2017-01-21 00:00:04.849" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:04.849" "Starting external delivery process. Server: alt1.gmail-smtp-in.l.google.com (209.85.235.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:04.865" "Creating session 541"
"TCPIP" 2768 "2017-01-21 00:00:04.865" "Connecting to 209.85.235.27:25..."
"DEBUG" 2864 "2017-01-21 00:00:25.908" "SMTPDeliverer - Message 94 - Connection failed: Host name: 209.85.235.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:25.908" "Ending session 541"
"DEBUG" 2768 "2017-01-21 00:00:25.923" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:25.923" "Starting external delivery process. Server: alt2.gmail-smtp-in.l.google.com (74.125.69.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:25.939" "Creating session 542"
"TCPIP" 2768 "2017-01-21 00:00:25.939" "Connecting to 74.125.69.27:25..."
"DEBUG" 2864 "2017-01-21 00:00:46.982" "SMTPDeliverer - Message 94 - Connection failed: Host name: 74.125.69.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:00:46.982" "Ending session 542"
"DEBUG" 2768 "2017-01-21 00:00:46.997" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:00:46.997" "Starting external delivery process. Server: alt3.gmail-smtp-in.l.google.com (173.194.219.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:00:47.013" "Creating session 543"
"TCPIP" 2768 "2017-01-21 00:00:47.013" "Connecting to 173.194.219.27:25..."
"DEBUG" 2864 "2017-01-21 00:01:08.056" "SMTPDeliverer - Message 94 - Connection failed: Host name: 173.194.219.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:01:08.056" "Ending session 543"
"DEBUG" 2768 "2017-01-21 00:01:08.071" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:01:08.071" "Starting external delivery process. Server: alt4.gmail-smtp-in.l.google.com (209.85.144.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:01:08.087" "Creating session 544"
"TCPIP" 2768 "2017-01-21 00:01:08.087" "Connecting to 209.85.144.26:25..."
"DEBUG" 2864 "2017-01-21 00:01:29.130" "SMTPDeliverer - Message 94 - Connection failed: Host name: 209.85.144.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:01:29.130" "Ending session 544"
"DEBUG" 2768 "2017-01-21 00:01:29.145" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:01:29.145" "Summarizing delivery result"
"DEBUG" 2768 "2017-01-21 00:01:29.161" "Summarized delivery results"
"DEBUG" 2768 "2017-01-21 00:01:29.161" "SD::RescheduleDelivery_"
"DEBUG" 2768 "2017-01-21 00:01:29.180" "Retrieving retry options."
"DEBUG" 2768 "2017-01-21 00:01:29.182" "Starting rescheduling."
"APPLICATION" 2768 "2017-01-21 00:01:29.182" "SMTPDeliverer - Message 94: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG" 2768 "2017-01-21 00:01:29.182" "PersistentMessage::SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:01:29.198" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:01:29.198" "Message rescheduled for later delivery."
"APPLICATION" 2768 "2017-01-21 00:01:29.198" "SMTPDeliverer - Message 94: Message delivery thread completed."
"DEBUG" 2912 "2017-01-21 00:04:28.594" "Creating session 545"
"TCPIP" 2912 "2017-01-21 00:04:28.607" "TCP - 209.85.214.52 connected to 192.168.0.109:25."
"DEBUG" 2912 "2017-01-21 00:04:28.613" "TCP connection started for session 539"
"SMTPD" 2912 539 "2017-01-21 00:04:28.628" "209.85.214.52" "SENT: 220 DESKTOP-67DITK8 ESMTP"
"SMTPD" 2876 539 "2017-01-21 00:04:28.807" "209.85.214.52" "RECEIVED: EHLO mail-it0-f52.google.com"
"SMTPD" 2876 539 "2017-01-21 00:04:28.823" "209.85.214.52" "SENT: 250-DESKTOP-67DITK8[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD" 2864 539 "2017-01-21 00:04:29.007" "209.85.214.52" "RECEIVED: AUTH PLAIN AG1haWxAd2N0c2FuZy5vbmxpbmUARmF0ZmF0ZG9nMjAwMyE="
"SMTPD" 2864 539 "2017-01-21 00:04:29.023" "209.85.214.52" "SENT: 235 authenticated."
"SMTPD" 2912 539 "2017-01-21 00:04:29.207" "209.85.214.52" "RECEIVED: MAIL FROM:<mail@wctsang.online> SIZE=1085"
"SMTPD" 2912 539 "2017-01-21 00:04:29.223" "209.85.214.52" "SENT: 250 OK"
"SMTPD" 2860 539 "2017-01-21 00:04:29.417" "209.85.214.52" "RECEIVED: RCPT TO:<wctsang2011@gmail.com>"
"SMTPD" 2860 539 "2017-01-21 00:04:29.434" "209.85.214.52" "SENT: 250 OK"
"SMTPD" 2864 539 "2017-01-21 00:04:29.612" "209.85.214.52" "RECEIVED: DATA"
"SMTPD" 2864 539 "2017-01-21 00:04:29.627" "209.85.214.52" "SENT: 354 OK, send."
"DEBUG" 2860 "2017-01-21 00:04:29.827" "Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG" 2724 "2017-01-21 00:04:29.827" "Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG" 2724 "2017-01-21 00:04:29.849" "Saving message: {9F027F91-CE9D-4539-9BE7-544EE5BE05A0}.eml"
"DEBUG" 2724 "2017-01-21 00:04:29.865" "Requesting SMTPDeliveryManager to start message delivery"
"SMTPD" 2724 539 "2017-01-21 00:04:29.865" "209.85.214.52" "SENT: 250 Queued (0.224 seconds)"
"DEBUG" 2748 "2017-01-21 00:04:29.881" "Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG" 2768 "2017-01-21 00:04:29.881" "Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG" 2768 "2017-01-21 00:04:29.896" "Delivering message..."
"APPLICATION" 2768 "2017-01-21 00:04:29.896" "SMTPDeliverer - Message 95: Delivering message from mail@wctsang.online to wctsang2011@gmail.com. File: C:\Program Files (x86)\hMailServer\Data\{9F027F91-CE9D-4539-9BE7-544EE5BE05A0}.eml"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Applying rules"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Performing local delivery"
"DEBUG" 2768 "2017-01-21 00:04:29.912" "Local delivery completed"
"DEBUG" 2768 "2017-01-21 00:04:29.928" "Signing message using DKIM..."
"ERROR" 2768 "2017-01-21 00:04:29.928" "Severity: 3 (Medium), Code: HM5310, Source: DKIM::SignHash_, Description: Unable to parse the private key file."
"ERROR" 2768 "2017-01-21 00:04:29.928" "Severity: 3 (Medium), Code: HM5308, Source: DKIM::Sign, Description: Failed to create siganture."
"ERROR" 2768 "2017-01-21 00:04:29.944" "Severity: 3 (Medium), Code: HM5306, Source: DKIMSigner::Sign, Description: Message signing using DKIM failed."
"TCPIP" 2768 "2017-01-21 00:04:29.950" "DNS MX lookup: gmail.com"
"TCPIP" 2768 "2017-01-21 00:04:29.997" "DNS - MX Result: 5 IP addresses were found."
"DEBUG" 2768 "2017-01-21 00:04:30.012" "Starting external delivery process. Server: gmail-smtp-in.l.google.com (74.125.203.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:04:30.028" "Creating session 546"
"TCPIP" 2768 "2017-01-21 00:04:30.049" "Connecting to 74.125.203.26:25..."
"SMTPD" 2912 539 "2017-01-21 00:04:30.049" "209.85.214.52" "RECEIVED: QUIT"
"SMTPD" 2912 539 "2017-01-21 00:04:30.065" "209.85.214.52" "SENT: 221 goodbye"
"DEBUG" 2864 "2017-01-21 00:04:30.065" "Ending session 539"
"DEBUG" 2864 "2017-01-21 00:04:51.103" "SMTPDeliverer - Message 95 - Connection failed: Host name: 74.125.203.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:04:51.103" "Ending session 546"
"DEBUG" 2768 "2017-01-21 00:04:51.123" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:04:51.124" "Starting external delivery process. Server: alt1.gmail-smtp-in.l.google.com (209.85.235.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:04:51.140" "Creating session 547"
"TCPIP" 2768 "2017-01-21 00:04:51.156" "Connecting to 209.85.235.27:25..."
"DEBUG" 2864 "2017-01-21 00:05:12.176" "SMTPDeliverer - Message 95 - Connection failed: Host name: 209.85.235.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:12.176" "Ending session 547"
"DEBUG" 2768 "2017-01-21 00:05:12.176" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:12.176" "Starting external delivery process. Server: alt2.gmail-smtp-in.l.google.com (74.125.69.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:12.195" "Creating session 548"
"TCPIP" 2768 "2017-01-21 00:05:12.198" "Connecting to 74.125.69.27:25..."
"DEBUG" 2864 "2017-01-21 00:05:33.216" "SMTPDeliverer - Message 95 - Connection failed: Host name: 74.125.69.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:33.223" "Ending session 548"
"DEBUG" 2768 "2017-01-21 00:05:33.223" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:33.238" "Starting external delivery process. Server: alt3.gmail-smtp-in.l.google.com (173.194.219.26), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:33.254" "Creating session 549"
"TCPIP" 2768 "2017-01-21 00:05:33.254" "Connecting to 173.194.219.26:25..."
"DEBUG" 2864 "2017-01-21 00:05:54.294" "SMTPDeliverer - Message 95 - Connection failed: Host name: 173.194.219.26, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:05:54.294" "Ending session 549"
"DEBUG" 2768 "2017-01-21 00:05:54.310" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:05:54.310" "Starting external delivery process. Server: alt4.gmail-smtp-in.l.google.com (209.85.144.27), Port: 25, Security: 2, User name: "
"DEBUG" 2768 "2017-01-21 00:05:54.329" "Creating session 550"
"TCPIP" 2768 "2017-01-21 00:05:54.329" "Connecting to 209.85.144.27:25..."
"DEBUG" 2864 "2017-01-21 00:06:15.351" "SMTPDeliverer - Message 95 - Connection failed: Host name: 209.85.144.27, message: 信號等待逾時。"
"DEBUG" 2864 "2017-01-21 00:06:15.351" "Ending session 550"
"DEBUG" 2768 "2017-01-21 00:06:15.367" "External delivery process completed"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "Summarizing delivery result"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "Summarized delivery result"
"DEBUG" 2768 "2017-01-21 00:06:15.383" "SD::RescheduleDelivery_"
"DEBUG" 2768 "2017-01-21 00:06:15.398" "Retrieving retry options."
"DEBUG" 2768 "2017-01-21 00:06:15.398" "Starting rescheduling."
"APPLICATION" 2768 "2017-01-21 00:06:15.414" "SMTPDeliverer - Message 95: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG" 2768 "2017-01-21 00:06:15.414" "PersistentMessage::SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:06:15.414" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2768 "2017-01-21 00:06:15.414" "Message rescheduled for later delivery."
"APPLICATION" 2768 "2017-01-21 00:06:15.432" "SMTPDeliverer - Message 95: Message delivery thread completed."

I appreciate if you can give me some guidance. Should it be too troublesome for you to look into the problem for me, I would understand if you stop here. I would not be too disappointed if I fail to set up the mail server. Thank you for your help and Mattg's help.

Best regards,
W.C. Tsang

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2017-01-20 20:08

I suggest you remove the certificate setting and go through the process from the start being careful to follow it carefully. You either have the individual files incorrectly formatted, you have not set the parameters right (or you have the permissions incorrectly set ).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Dravion » 2017-03-19 08:51

This Guide works partwise for me:

Used DNS-Server: Bind9 64-Bit on Windows 10 x64

DKIM TXT Record is valid and properly configured, see dig diag output:

C:\>dig incubator.net.projects._domainkey.incubator.net.projects TXT

; <<>> DiG 9.10.4-P2 <<>> incubator.net.projects._domainkey.incubator.net.projects TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;incubator.net.projects._domainkey.incubator.net.projects. IN TXT

;; AUTHORITY SECTION:
incubator.net.projects. 86400 IN SOA ns01.incubator.net.projects. hostmaster.incubator.net.projects. 2003080869 28800 7200 2419200 86400

;; Query time: 1 msec
;; SERVER: 194.241.203.104#53(194.241.203.104)
;; WHEN: Sun Mar 19 06:57:41 W. Europe Standard Time 2017
;; MSG SIZE rcvd: 137

But:
In Thunderbird no DKIM Headers are shown. hMailServer logs doesnt list any Error. The private key DKIM key in use is pointing to: C:\Program Files x86)\hMailServer\Data\incubator.net.projects\dkim.incubator.net.projects.pem

This is a test private key, no production domain so this private key can be published:

File: dkim.incubator.net.projects.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAmpUvH5OGlNyd4aKZSjohqfXrpgBaJq1syCmDbSZqYiUqX4nu
LiDf6bXpQmI/3/T57nf5N83c+hLCiQvalBX9dlFP02SWTR3Z3rMhXO8ctvK89qsj
FRkg/gYBWEKTttVQdi/ASeDw9ekDtuh2j2JwOoGnpxjyHlQB0WuVErS51GqZlnyE
tFlR2vu1DGTGSYXJSYaAHlhqujCC0OYCOzBNH1jt9F0HhY3GPBguj8ar1aHJxLd8
W3wCw1bvkWDgB3Jaspwy5wTnh9cbwknJmgyRqi4ms18NHXJkXfEDU+7CFWtLAGsV
Y06kE2myC3/ubWJeGfDNzp8eJFhRMiFMFsAdYwIDAQABAoIBAEqc8YbrPU2DA03S
nuzeDDuuMNUKXHlIwjYHG6HGphjDWaWNvQJU6d8z5+gb5jriUvTQweE2o4+tGGrv
5swNpS7D5qTha07DttKwYc0quRBxL9ZcGm3nmC4kleeVExlv8wto1waR5Zy8oQdb
Q0bIO+VxiYu1FcCfydTcebLyurOVFIcRziJ4SJlJe+GZ23xKBbuJ0VnKivjxPyG8
kpFgAcThy3jH4oAI1xK25383giuS7GNklaFFYlHZnmfXIDULYn/UMIWcLtpRyWlm
n+yA+mvWHnzQSJkl6V9G741qJTG0Q2DFt1HCgsczy3mYLKEKvap21WQVn/8dIvMV
f1ZzC4ECgYEAyg99FGQfAsRgN0F39NA3T8tOiGaskm/8VHW1C1p/Atvsgp4Z8XRC
2aa4lvDGcklFodrOCV/w2FL3eukIHTY/fhla/xaGCMLoltG7eXQdSbfKbEuKSfIV
gy8z5fVXkNmAHuF1h2RXiIN2sihYFl5FxW7DOweWNu7ZMPHbhu57nCMCgYEAw9kj
HkhLHf4gPppxcU5F3yqn5nd87sixWAzvpyO+tPGZwJs1vzll3UBPXU2kziPIrDqK
dJxETOFM7d45cQFrQZIq/BrpUb92wYNLZijbY7b74vm0uDdgYz+uvkatxC9B/cwg
5BVeF6wG0kwfTeN/HNCHyP3tnyLwTbDAPk6h7cECgYB1nCJPth8euzLNtrudsXwg
Y9PoLOsRqUET4Bdq7lezUFMPi/rJwcQPb61NngPEDcYL+ZGnf0Juh4wo7G6eoi6+
tP90LqYBf4FmF9mpTd6mQ+X8ttNdSx0eaGEq3m0DkLW0Q8Lm9Y7FlM+Hz1fGXUT7
MAdO2pGik8+zX3NJzJICRQKBgQCvlMTySjfmDMXVulrIDTeBKtnaOfeskArGeNqG
SvqXeB6y2bOm24uifxxn9ssw8E3hcp5cixiEoFx6yQdQc8g3whZ9bJcO7gtG1DHN
xgVicVODmwDVQvhMInTEK9NvljqgkdhPA4UWzehTs2FBUBrOt3l0zYqyZ/1ueW7w
rUhpQQKBgQCIQRQQUBfbpIJ7a6nza8+Pygojq+BPZJXgHcH4CjhkNnmeXDLRSEao
qWojUMwgOHTe4GmCSwxsPkp2hygDSUPBWJ79oCZoIvSxaUtul6BDY/EfXIvYEVCp
unFN4ENy2tFcelPyFmenfymSQ7yMn26jMpdCmtVvmQQdmPBIojNsdQ==
-----END RSA PRIVATE KEY-----

Strange..
If i check it against my postfix smtp server it looks a bit diffrent in tb
Return-Path: <dravion@ht-foss.net>
X-Original-To: dravion@ht-foss.net
Delivered-To: dravion@ht-foss.net
Received: from [194.241.x.x] (ipservice-x-x-x-x.x.x.pools.vodafone-ip.de [92.x.x.x])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by mail.ht-foss.net (Postfix) with ESMTPSA id E12095FBC1
for <dravion@ht-foss.net>; Sun, 19 Mar 2017 07:48:27 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ht-foss.net E12095FBC1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ht-foss.net;
s=default; t=1489906107;
bh=d7CQacLKD150owFlBotSe5qZaRCEb86xnQ+sdzOnRBI=;
h=Reply-To:To:From:Subject:Date:From;
b=exNQCbkU1dTQgI4amaeX/6kbTHWv6bJi+lX/1bMQWltOkDd3II5pDV4M/1ILis+Ux
F46KMV/bDUGa//PU919/G6B473zTcaczZw6FqPhKQi1roYf/o/Dwi9cqxZpKruYScP
F5am4E/+Zp0CMN1H4rUVDOnTbjJq1vmxnfyr1kog=
Reply-To: dravion@ht-foss.net
To: "dravion@ht-foss.net" <dravion@ht-foss.net>
From: "dravion@ht-foss.net" <dravion@ht-foss.net>
Subject: DKIM-Production Server (Postfix) TestSubject
Organization: dravion@ht-foss.net
Message-ID: <ffeefc41-9000-c376-ae28-ceaa6716f609@ht-foss.net>
Date: Sun, 19 Mar 2017 07:48:23 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-EsetId: 37303A29335C9C6A627366

DKIM-Production Server (Postfix) TestBody

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2017-03-19 12:08

Dravion wrote: ; <<>> DiG 9.10.4-P2 <<>> incubator.net.projects._domainkey.incubator.net.projects TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;incubator.net.projects._domainkey.incubator.net.projects. IN TXT

;; AUTHORITY SECTION:
incubator.net.projects. 86400 IN SOA ns01.incubator.net.projects. hostmaster.incubator.net.projects. 2003080869 28800 7200 2419200 86400

;; Query time: 1 msec
;; SERVER: 194.241.203.104#53(194.241.203.104)
;; WHEN: Sun Mar 19 06:57:41 W. Europe Standard Time 2017
;; MSG SIZE rcvd: 137
So where is the output showing the DKIM record? (It says " ANSWER: 0".) It should show the record :

eg
"v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUujv4GC5tQ65WcHAdeOY2PdSL7mrRUdvV7r0xWmbltLvVXeSU7WQvIwDhJO8YkJkY1HhVkAeAX6XMhf3UQVvO1Sbq46fyvKgjXXyb+qQ+b622k3ijwhJ7Lj478xk8cXShky3Gs7dopul+IG7ap+OAzdot/rFVIjkzby1osPLLvQIDAQAB"

Did you note the warning in Step 2?
Important Note: if you are using/administering a BIND dns server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;'
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Dravion » 2017-03-19 12:15

Of cause.

If you use a wrong quotation in bind it simply doesnt load the entire zone file.
The DKIM PublicKey TXT entry can be accessed via DIG and HOST query (see above)

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2017-03-19 12:27

Dravion wrote: The DKIM PublicKey TXT entry can be accessed via DIG and HOST query (see above)
When I use google's DIG to view my record in shows as:

id 29855
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
dkim._domainkey.mydomain.co.uk. IN TXT
;ANSWER
dkim._domainkey.mydomain.com. 299 IN TXT "v=DKIM1; t=s; k=rsa; p=PQGMA0GCSqGSIb3DQEBAQUAA4FGHYCBiQKBgQDUujv4GC5tQ65WcHAdeOY2PdSL7mrRUdvV7r0xWmbltLvVXeSU7WQvIwDhJO8YkJkY1HhVkAeAX6XMhf3UQVvO1DFq46fyvKgjXXyb+qQ+b622k3ijwhJ7Lj478xk8cXShky3Gs7dopul+IG7ap+OAzdot/rFVIjkzby1osPLLvQIDAQAB"
;AUTHORITY
;ADDITIONAL
That looks a different output to yours (I cant see your Dkim record output as the answer).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

stan2020
New user
New user
Posts: 3
Joined: 2017-06-11 19:20

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by stan2020 » 2017-06-18 21:52

The tutorial works great, but you have to be careful with copy-and-pasting the public key into the TXT record.

When I pasted my public key from port25.com into a new TXT field, some extra spaces were added in the key. The extra spaces were added where there was a new line in the public key, however there should be no spaces and all of the public key should be on 1 line. I am using Namecheap.

You can test if your DKIM record is set - here: https://mxtoolbox.com/dkim.aspx and here https://www.mail-tester.com

ucevista
New user
New user
Posts: 10
Joined: 2018-02-03 12:23

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by ucevista » 2018-02-08 11:18

Hi friends.

I followed tis tutorial for two domains, one for testing and one for production, and all was fine except qhen I tried to validate el DKIM at dkimvalidator.com, always the probles was "no public key" but it was ok when I search for it with dnswatch.info. What was happening? Me! I have not interpreted so well this line of this guide:

key: dkim._domainkey.YOURDOMAIN.COM

Value: v=DKIM1; t=s; k=rsa; p=The_Long_String_Of_Text_From_Your_Clipboard_Above
(ensure the single spaces between parameters are included)

I made the dns record with ky1 as key (instead dkim as suggested) and I wrote:

key: dkim._ke1.YOURDOMAIN.COM

and that's incorrect. The word "domainkey" has to be as is in the DNS record. The only thing you have to change and it must match with the selector you have used at port25.com and at the text field "selector" of DKIM configuration of HMS is the first one of the line, the one I marked in bold before (in this case, dkim).

I post this for information and help for someone that may have the same problem as me.

Thanks a lot for this tutorial, is great!!!

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2018-02-08 11:38

My instructions reflect what is required - no 'alternative' rework of instructions or explanation is required. (You have effectively said the same thing after initially doing something wrong and then correcting yourself.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Luket
New user
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Luket » 2018-04-20 22:46

Thanks a lot. Cristal clear !

andrew.concord
New user
New user
Posts: 2
Joined: 2019-07-31 06:13

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by andrew.concord » 2019-07-31 06:26

Hi,

I use hMailServer to send mail.
The email is prepared by another windows application, this app then sends it to the local ip address where i have hMailserver installed and hMailserver actually sends it out (not relaying to another smtp server, it sends it).

This works perfectly.

I added a DKIM signature as per the instructions (e.g. for myactualdomain.com) then sent a test to mail.tester.com, it worked perfectly, my mail score increased :-).

However, I later realised that any mail to someone@myactualdomain.com was no longer being sent, hMailserver was rejecting it with a 550 Unknown user, I tried adding an account under the domain tab for someone@myactualdomain.com, but that appears to have stopped the mail going out, it looks to be storing locally in hMailserver now.

I don't want hMailserver receiving mail for ...@myactualdomain.com I want all mail sent out to the recipient, can I have all sent mail DKIM signed?
If so, how?

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2019-07-31 08:42

Add an SMTP route for 'myactualdomain.com' pointing to the externally server that actually hosts that domain
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

andrew.concord
New user
New user
Posts: 2
Joined: 2019-07-31 06:13

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by andrew.concord » 2019-08-01 01:10

Perfect, thanks!

glue
New user
New user
Posts: 25
Joined: 2019-05-01 10:17

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by glue » 2019-08-14 05:24

Thanks, really easy to setup and get running

just a questing bout the txt record why have t=s
is that just a for testing and should be removed of should i leave it with it

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2019-08-14 05:53

I think that the t=s is required when you are NOT testing, and that it stipulates that a sub-domain won't have the same DKIM key

http://dkim.org/specs/rfc4871-dkimbase.html
3.6.1 & 7.8

I think that says that t=y would indicate testing

Mine passes all validation tests etc with t=s
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

glue
New user
New user
Posts: 25
Joined: 2019-05-01 10:17

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by glue » 2019-08-14 06:23

oh yah, your correct thank you

mlgt
New user
New user
Posts: 1
Joined: 2020-07-11 07:40

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mlgt » 2020-07-11 07:44

This still works great guys

I've just add DKIM to my hmailserver and gmail accepted my signature OK
Had some issues and doubts but finally got the "SIGNED BY: mydoomain.com" IN ALL my emails

Thanks a lot

jtreml272
New user
New user
Posts: 1
Joined: 2020-08-08 17:47

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jtreml272 » 2020-08-08 17:49

Hi guys,

i have followed this tutorial but, I am still not able to make it work. I am getting this error. Any advise please?

Thanks you in advance

josef

Code: Select all

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          treml.org
s= Selector:        dkim
q= Protocol:        dns/txt
bh=                 JOUgfYHbw3QW/Gs7RHp/R5KX7j8765pioFHLSiqzdR0=
h= Signed Headers:  From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type
b= Data:            ZwsWvnpXY7UVN9jMDGuVyQzqo0rjTNjLscoph92b7rCNbK4+G+OjslMscLoN5vATPjrMfUu7VEZmqCkVwnO5CzpKnqp80jXd+2PsOUZ7017yiZW1A01HNfsBj8tO+tPNU5S3IE5wQL4T+l5tY+pfbSkdMwFTm8OUS5kQ93rWizg=
Public Key DNS Lookup

Building DNS Query for dkim._domainkey.treml.org
Retrieved this publickey from DNS: v=DKIM1; t=s; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7UVFdYXFNYnOadOfgLJHC8ozfC46Fa6guyPucgDlEqGfqWY83LbdXZYlJjpy5XVqd02qaZJo/EwsaAooSxl6MbgogAqAVfszPYd62B0ksPuJWwlg1IdqG2z5Bo+EHZbBxmSVWizdpP3EomUgktV2dArwhMhoFXV0gzbkDzhg4QIDAQAB
Validating Signature

result = invalid
Details: public key: OpenSSL error: bad base64 decode

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2020-08-08 19:32

What's that output from? Can it be trusted?

Assuming it can and is representative of the problem:
bad base64 decode
You have mistyped one of the keys - it can't be decoded.

Try again following carefully. (No one can help you with what you type - the instructions work).

But really, what other evidence do you have that your have a problem? Start a thread to discuss.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Aughen
New user
New user
Posts: 1
Joined: 2020-12-17 20:35

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Aughen » 2020-12-17 20:40

Having an issue adding the key to GoDaddy. If I enter the Host as dkim._domainkey.aughen.com I cannot validate it at //www.dnswatch.info. If i switch the host to @ i can instantly validate the key. I am not sure if there is another DNS entry that hast to be made?

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2020-12-17 20:44

Aughen wrote:
2020-12-17 20:40
Having an issue adding the key to GoDaddy. If I enter the Host as dkim._domainkey.aughen.com I cannot validate it at //www.dnswatch.info. If i switch the host to @ i can instantly validate the key. I am not sure if there is another DNS entry that hast to be made?
Someone else recently had a similar experience and said the same thing about GoDaddy - it seems they do things differently.

A GoDaddy host:

Instead of dkim._domainkey.YOURDOMAIN.COM.

Seemingly should just be

dkim._domainkey

As long as you have your solution and are now passing validation you are ready to go.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

fhuelsbeck
New user
New user
Posts: 10
Joined: 2019-08-29 22:13

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by fhuelsbeck » 2021-02-11 17:52

Hello all. I'm running hMailServer version 5.6.7-B2425. I have configured DKIM with keys signed by a public CA and the logs show email is being signed. I've parsed the entire log and there are no errors regarding the signing keys or any other errors already discussed in this thread.

"DEBUG" 2460 "2021-02-11 09:27:29.330" "Signing message using DKIM..."

However the email header shows the message is not signed.

dkim=none (message not signed)

Any assistance is greatly appreciated.

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2021-02-12 02:07

Is that at the recipeint's mail server ?

If you have a gmail account send a message to that, they show good info on DKIM signing
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

fhuelsbeck
New user
New user
Posts: 10
Joined: 2019-08-29 22:13

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by fhuelsbeck » 2021-02-12 23:07

I tested using sparkpost dkim validator and indeed the header is missing. I read a post indicating keysize 2048 failed for a different user and 1024 resolved the issue. My key is 4098, pretty standard now, and wonder if that could be the issue.

fhuelsbeck
New user
New user
Posts: 10
Joined: 2019-08-29 22:13

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by fhuelsbeck » 2021-02-13 00:45

I generated a self signed cert keysize 1024 and that also fails validation by sparkpost. All suggestions greatly appreciated.

mikedibella
Senior user
Senior user
Posts: 844
Joined: 2016-12-08 02:21

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mikedibella » 2021-02-13 01:54

fhuelsbeck wrote:
2021-02-11 17:52
I have configured DKIM with keys signed by a public CA
fhuelsbeck wrote:
2021-02-13 00:45
I generated a self signed cert keysize 1024 and that also fails validation by sparkpost. All suggestions greatly appreciated.
I'm confused by the process you are describing to generate your DKIM key-pair. I just used openssl:

Code: Select all

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
No X.509 operations are involved.

Can you describe your process in more detail?

M*I*B

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by M*I*B » 2021-05-03 13:38

I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?

User avatar
SorenR
Senior user
Senior user
Posts: 6402
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by SorenR » 2021-05-03 14:07

M*I*B wrote:
2021-05-03 13:38
I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?
Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

M*I*B

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by M*I*B » 2021-05-03 14:16

SorenR wrote:
2021-05-03 14:07
The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
Thanx a lot. I had already figured that out and answered my question completely.

User avatar
SorenR
Senior user
Senior user
Posts: 6402
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by SorenR » 2021-05-03 14:22

M*I*B wrote:
2021-05-03 14:16
SorenR wrote:
2021-05-03 14:07
The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
Thanx a lot. I had already figured that out and answered my question completely.
Sometimes you need to trust the little voice inside yourself :mrgreen:
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

M*I*B

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by M*I*B » 2021-05-03 14:24

SorenR wrote:
2021-05-03 14:22
Sometimes you need to trust the little voice inside yourself :mrgreen:
:roll: :lol: :lol: :lol: :lol:

User avatar
Maikl
Normal user
Normal user
Posts: 39
Joined: 2008-10-04 16:58
Location: Innsbruck, Austria
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by Maikl » 2022-04-06 19:30

Thanks a lot for this how-to. Worked like a charm for me!

Michael

alfred0809
New user
New user
Posts: 1
Joined: 2022-05-23 06:12

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by alfred0809 » 2022-05-23 06:13

This Worked like a charm for me aswell ! Thanksss!!

User avatar
RvdH
Senior user
Senior user
Posts: 3550
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by RvdH » 2022-05-25 13:25

SorenR wrote:
2021-05-03 14:07
M*I*B wrote:
2021-05-03 13:38
I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?
Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
SorenR
Senior user
Senior user
Posts: 6402
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by SorenR » 2022-05-25 17:29

RvdH wrote:
2022-05-25 13:25
SorenR wrote:
2021-05-03 14:07
M*I*B wrote:
2021-05-03 13:38
I'f got an other question:

What's about if you drive a domain and use different names of it? I.e. you create a domain like mydomain.com and enter at the TAB "names" i.e. myotherone.com, my-other-one.com, ... ???

DKIM in the (I call it...) Masterdomain works well but it can't working if you send out an message with one of the other domain-aliases due the domain keyed in the DKIM don't match ...

Is there any hint to solve that?
Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work
https://github.com/hmailserver/hmailserver/pull/383

#386 was added about a month after I responded to M*I*B...
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
RvdH
Senior user
Senior user
Posts: 3550
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by RvdH » 2022-05-25 17:39

SorenR wrote:
2022-05-25 17:29
RvdH wrote:
2022-05-25 13:25
SorenR wrote:
2021-05-03 14:07


Domains listed in the "Names" tab are aliases and are RECEIVE ONLY. You only get your DKIM record validated when SENDING and yes, if you list "From" as a different domain you will most likely break DKIM.

The only way to solve this is to create a new domain with a new set of DKIM keys and log on to that when sending.
Not sure what version he is using, but your answer contradicts your changelog, https://www.hmailserver.com/forum/viewt ... 39#p239639
eg: Added: #383 DKIM signature for domain aliases

With that setting enabled, it is possible to sign domain aliases.
The domain DNS records for the alias have to use the same DKIM DNS record as the main domain for this to work
https://github.com/hmailserver/hmailserver/pull/383

#386 was added about a month after I responded to M*I*B...
Oops :oops:
My fault, i only saw this topic got bumped and didn't pay attention to the dates
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

tmbi
New user
New user
Posts: 10
Joined: 2015-01-26 19:38

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by tmbi » 2023-06-13 18:08

Hi. This may of course be just me but I have read this thread many times and still don't understand how to implement this.
Some background information: many of my clients using my mail server have had issues sending to gmail accounts recently, and the bouncebacks suggest it is a DKIM problem. Also , I am still recovering from a very serious stroke early last year, but since then have otherwise been managing pretty well with the business . however, I simply can't seem to get my head round the various steps correctly. I tried the link that suggests I didn't have to download the OpenSSL software but that doesn't say if I have to download and actually run it on the hmail server or if it can be done elsewhere on other hardware. I tried the d.fault link and followed those instructions to successfully create the two required keys but it seems to suggest I need to create a pem file which I'm unsure how to do correctly
I fully accept and realise there will be readers who think "how thick is this bloke?" but I would love to resolve this issue before I retire later this year Thank you for reading this far and understanding that I would dearly like to successfully resolve this but fully appreciate I do now have occasional difficulties with the implementation of certain processes however this is quite important to me :?

Any help or guidance would be very much appreciated, however small.

Many thanks for taking time to read this. :)

Tosh
If you want people to learn, use small words and big letters.

User avatar
mattg
Moderator
Moderator
Posts: 22489
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by mattg » 2023-06-14 01:43

Essentially DKIM works like this

You create a txt record at your DNS that contains details of your DKIM
This will show whether you are trialing or using for real, and it will also include the public certificate

On your hMailserver machine you create a .pem file that contains the signing (private) certificate
In Hmailserver admin GUI you link that file to your domain

The private and public keys need to be a matched pair.
The instructions here are very detailed, follow them closely.

If you can't follow them yourself, then perhaps get someone near to you who can help.

These instructions can't really be changed to use smaller words, because of the technical content.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
brother.gabriel
Normal user
Normal user
Posts: 162
Joined: 2012-03-29 17:25
Location: Kansas City
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by brother.gabriel » 2024-01-24 01:03

I've set up my dkim signature using these directions, and when I send to my google address, the authentication results say,

Code: Select all

mx.google.com; dkim=temperror (no key for signature) header.i=@mydomain.com header.s=dkim header.b=kREdCnyc; spf=pass (google.com: domain of me@mydomain.com designates 1.2.3.4 as permitted sender) smtp.mailfrom=me@mydomain.com
and after that follows my dkim-signature.

Does this mean I got the NAME wrong on the DNS entry? I couldn't understand what to put there, so I put:

dkim._domainkey.mydomain.com

What ought I to put there?
my domain is: mydomain.com
and my mail server is at mail.mydomain.com

Do I put this?
mail._domainkey.mydomain.com

User avatar
jimimaseye
Moderator
Moderator
Posts: 10132
Joined: 2011-09-08 17:48

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by jimimaseye » 2024-01-24 01:16

brother.gabriel wrote:
2024-01-24 01:03
I've set up my dkim signature using these directions, and when I send to my google address, the authentication results say,

Code: Select all

mx.google.com; dkim=temperror (no key for signature) header.i=@mydomain.com header.s=dkim header.b=kREdCnyc; spf=pass (google.com: domain of me@mydomain.com designates 1.2.3.4 as permitted sender) smtp.mailfrom=me@mydomain.com
and after that follows my dkim-signature.

Does this mean I got the NAME wrong on the DNS entry? I couldn't understand what to put there, so I put:

dkim._domainkey.mydomain.com

What ought I to put there?
my domain is: mydomain.com
and my mail server is at mail.mydomain.com

Do I put this?
mail._domainkey.mydomain.com
I'm not sure I can make the instructions any clearer. To answer your question you enter the first option of dkim._domainkey.mydomain.com (based on mydomain.com being what your FROM email address is. )

If you have followed the instructions correctly then it should work. If it doesn't, go back and redo carefully.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
brother.gabriel
Normal user
Normal user
Posts: 162
Joined: 2012-03-29 17:25
Location: Kansas City
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by brother.gabriel » 2024-01-24 01:24

I swear I followed the directions.
I entered this as the NAME:

dkim._domainkey.mydomain.com

and I get the dkim=temperror (no key for signature) response in the message header authentication results.
It was the only thing I could think of I might have not understood.

User avatar
brother.gabriel
Normal user
Normal user
Posts: 162
Joined: 2012-03-29 17:25
Location: Kansas City
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by brother.gabriel » 2024-01-24 03:11

Oh, it started working! I guess I didn't wait long enough for DNS to propogate.
Funny, when I added the spf it only took about 5 minutes.
But this one took several hours.

Sorry for the bother.
It was, indeed, dkim._domainkey.mydomain.com

Now my emails enter Google's inbox instead of going to spam. :D

User avatar
RvdH
Senior user
Senior user
Posts: 3550
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by RvdH » 2024-01-24 11:23

brother.gabriel wrote:
2024-01-24 03:11
Oh, it started working! I guess I didn't wait long enough for DNS to propogate.
Funny, when I added the spf it only took about 5 minutes.
But this one took several hours.

Sorry for the bother.
It was, indeed, dkim._domainkey.mydomain.com

Now my emails enter Google's inbox instead of going to spam. :D
Maybe uses different TTL? 3600 = 1 hour (i think 3600 is pretty much the default value generaly used)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
brother.gabriel
Normal user
Normal user
Posts: 162
Joined: 2012-03-29 17:25
Location: Kansas City
Contact:

Re: HOW TO: Easy Set Up DKIM signatures on Hmailserver

Post by brother.gabriel » 2024-01-24 19:16

I figured out that the error was that the dkim key couldn't be located.
And I was confused with the DNS lookup for the TXT at https://www.dnswatch.info/dns/dnslookup
If I put the TXT record's NAME like this: dkim._domainkey.mydomain then the DSN lookup works and can find it.
But then the dkim would never be verified.

No, in fact, I had the same problem as the guy in the directions:
key: dkim._domainkey.YOURDOMAIN.COM (as it is shown in the TXT record)
Note: GoDaddy users may need a shorter version - see here for a users experience.
and that experience was:
A GoDaddy host:
Instead of dkim._domainkey.YOURDOMAIN.COM.
Seemingly should just be
dkim._domainkey
I got it working only after I tried exactly that. (and was too impatient for propagation; hence my last posting :oops: )
But you can't look that up in that DNS lookup at https://www.dnswatch.info/dns/dnslookup because no domain is supplied for the query.

My DNS provider is Windstream Hosting, if that helps anyone. I guess GoDaddy isn't the only one to work that way.
But the dkim passes for both Microsoft and Google this way.

Post Reply