DKIM signatures stopped

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Mar 4, 2021.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I noticed today
        spf=none ( domain of [email protected] has no SPF policy when checking [email protected]
    I tested with, it said DKIM signature is there but it is invalid. Sending host uses RSPAMD.
    As far as I can see, SPF is there and is correct. does not complain about SPF. But it does say DKIM is invalid.
    I noticed the sending server, which is ISPConfig 3.2.2 multiserver setup where e-mail server is separate, does not have the files
    It may be some other domains also are missing those files, did not check properly yet. This ISPConfig setup was migrated on last Saturday to this new setup.
    In ISPConfig Panel I checked the did have DKIM enabled and the key and record there. I pressed Save, then the missing .private and .public files appeared in /var/lib/amavis/dkim on the e-mail server host.
    But mail-checker still claims the DKIM signature is invalid.
        * -0.0 SPF_PASS SPF: sender matches SPF record
        *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        *       valid
        *  0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
    How can I check further? Should I have done something after migration tool to set up the DKIM again?
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the result?

    Perhaps DNS is propagating?
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Note that SPF records do not carry from the parent domain to subdomains; you said there is an SPF record, but is that a record for '' or just for ''? You can simply add an SPF record for 'posti' to fix that (it's good practice to add one for every hostname).

    DKIM is probably a related issue - ISPConfig will set up DKIM signing for the domain '' but when your message goes out from '[email protected]' the domain doesn't match, so it doesn't get signed.
    Taleman and Th0m like this.
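
The two checks named in the reply above, as an added example that is not part of the thread or of ISPConfig: whether an SPF record exists at the exact sending hostname, and whether the DKIM `d=` domain matches the sender domain and has a published key. The zone data, messages, `example.com` and the `default` selector are constructed placeholders; only the `posti` label comes from the thread.

```python
from email import message_from_string
from email.utils import parseaddr

def spf_record(name, zone):
    """SPF TXT published at exactly this name; parent records are not inherited."""
    return next((t for t in zone.get(name.lower(), []) if t.lower().startswith("v=spf1")), None)

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs, unfolding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check(raw, envelope_from, zone):
    """Return findings for the SPF and DKIM domain checks; an empty list means none."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    env_dom = envelope_from.rpartition("@")[2].lower()
    findings = []
    if spf_record(env_dom, zone) is None:
        findings.append(f"spf: no record at {env_dom}")
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        findings.append(f"dkim: mail from {from_dom} is unsigned")
    for tags in map(dkim_tags, sigs):
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        # Assumption: exact match between d= and the sender domain is what is wanted.
        if d != from_dom:
            findings.append(f"dkim: d={d} differs from sender domain {from_dom}")
        if not any("p=" in t for t in zone.get(f"{s}._domainkey.{d}", [])):
            findings.append(f"dkim: no public key at {s}._domainkey.{d}")
    return findings

# Constructed data: TXT records keyed by exact owner name, before and after the fix.
ZONE_BEFORE = {
    "example.com": ["v=spf1 mx -all"],
    "default._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED"],
}
ZONE_AFTER = {
    **ZONE_BEFORE,
    "posti.example.com": ["v=spf1 a -all"],
    "default._domainkey.posti.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED"],
}
UNSIGNED = "From: Root <root@posti.example.com>\nSubject: test\n\nbody\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=posti.example.com; s=default;\n"
          " h=from:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=\n" + UNSIGNED)

if __name__ == "__main__":
    for label, raw, zone in (("before", UNSIGNED, ZONE_BEFORE), ("after", SIGNED, ZONE_AFTER)):
        print(label, check(raw, "root@posti.example.com", zone) or "no findings")
```

This only compares names and record presence; it does not verify the signature itself, which is what a DKIM_INVALID result from a mail checker reports on.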