Re: [exim] DKIM key configuration for multiple domains

Author: Todd Lyons
Date:  
To: Smarthost 432
CC: exim-users
Subject: Re: [exim] DKIM key configuration for multiple domains
On Mon, Jul 7, 2014 at 5:56 AM, Smarthost 432 <smarthost432@???> wrote:
> Hi,
>
> I set up DKIM for one domain and the DKIM result is pass. When I use the same
> DKIM public key for another domain of mine, the DKIM signature is attached but
> the message header shows DKIM=fail.
>
> *Mydomain2.com - DKIM results*
>
> Authentication-Results: mx.google.com;
>        spf=hardfail (google.com: domain of test@??? does not
> designate SERVER-IP as permitted sender) smtp.mail=test@???;
>        dkim=fail header.i=@mydomain2.com
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=infiserver.com; s=fusion5;
>         h=Date:From:Message-Id; bh=f7kChJIPrUaTEZXIizmQd6A20Xu2MUdYf3GaZ5bir08=;
>
> How do I resolve this? Can anyone let me know what steps I need to
> take to resolve this issue?


Step 1: Make sure that the DNS record with the public key that you are
signing with actually exists:

[todd@tlyons ~]$ dig -t txt fusion5._domainkey.infiserver.com

; <<>> DiG 9.8.1-P1 <<>> -t txt fusion5._domainkey.infiserver.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34423
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fusion5._domainkey.infiserver.com. IN    TXT


;; AUTHORITY SECTION:
infiserver.com.        10800    IN    SOA    ns1.infiserver.com. yogendra.m.ligerhost.com. 2014070705 86400 7200 3600000 86400


;; Query time: 275 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Tue Jul 8 05:00:00 2014
;; MSG SIZE rcvd: 112

Since it does not exist, add that record, reload the zone, and then
repeat the test. You are still subject to negative cache timeout in
whatever DNS resolvers are being used by whatever mail service you are
testing with (appears to be Gmail in this case). The negative cache
time is defined in your SOA record, which as shown above, is 86400
seconds, which is 24 hours. That means it may take up to 24 hours for
Google's caching resolvers to "forget" the previous answers it got
from your DNS server and ask for the zone again. You can do a
relatively accurate check by doing a direct dig against Google's
public DNS resolvers at 8.8.8.8 and 8.8.4.4.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
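An added example, not code from the original poster, from Todd's reply or from Exim: it derives the DNS name a verifier will query from the quoted DKIM-Signature header (selector + "._domainkey." + signing domain), inspects a DNS answer for that name, sanity-checks a published key record against RFC 6376, and computes how long a resolver will hold on to an NXDOMAIN. Per RFC 2308 section 5 that negative TTL is the smaller of the SOA record's own TTL and its MINIMUM field; in the dig output above those are 10800 and 86400, so the miss is cached for three hours. The DNS answers and the p= key material are constructed placeholders so the script runs offline, and the From:-domain alignment check goes beyond the thread (it is what DMARC will require once the record exists).

```python
"""Added example for this thread (not from the original poster or Exim):
derive the DKIM key record name from a DKIM-Signature header, inspect a
DNS answer for it, and compute the RFC 2308 negative-cache TTL.  DNS
answers are constructed in-line so the script runs offline."""
import re

# Constructed input: the DKIM-Signature quoted in the thread, with the
# folding whitespace a mail client inserts (a verifier must ignore it).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infiserver.com; s=fusion5;\r\n"
    "\th=Date:From:Message-Id; bh=f7kChJIPrUaTEZXIizmQd6A20Xu2MUdYf3GaZ5bir08=;"
)

# Constructed DNS answers: 'status' is the RCODE, 'txt' the TXT strings in the
# answer section, 'soa' the (TTL, MINIMUM) of the SOA in the authority section.
# NXDOMAIN_ANSWER mirrors the dig output in the reply (SOA TTL 10800,
# MINIMUM 86400).  The p= value below is a placeholder, not a real key.
NXDOMAIN_ANSWER = {"status": "NXDOMAIN", "txt": [], "soa": (10800, 86400)}
GOOD_ANSWER = {
    "status": "NOERROR",
    "txt": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholderkey0123456789AB"],
    "soa": None,
}


def dkim_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' list used by both the DKIM-Signature
    header (RFC 6376 s.3.2) and the published key record."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is insignificant
    return tags


def key_record_name(signature: str) -> str:
    """The name a verifier queries: <selector>._domainkey.<signing domain>."""
    t = dkim_tags(signature)
    return f"{t['s']}._domainkey.{t['d']}"


def negative_cache_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 s.5: an NXDOMAIN is cached for min(SOA TTL, SOA MINIMUM field)."""
    return min(soa_ttl, soa_minimum)


def key_record_problems(txt: str) -> list:
    """Sanity-check a published DKIM key record (RFC 6376 s.3.6.1)."""
    t = dkim_tags(txt)
    problems = []
    if "v" in t and t["v"] != "DKIM1":
        problems.append(f"v={t['v']} is not DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={t['k']}")
    if "p" not in t:
        problems.append("no p= tag")
    elif t["p"] == "":
        problems.append("p= is empty, which means the key is revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+=*", t["p"]):
        problems.append("p= is not base64")
    return problems


def diagnose(signature: str, answer: dict, from_domain: str) -> list:
    """Explain why a signature will fail to verify, given the DNS answer for
    its key record.  The alignment check goes beyond the thread: DMARC needs
    d= to equal the From: domain or be a parent of it."""
    t = dkim_tags(signature)
    name = key_record_name(signature)
    problems = []
    if answer["status"] != "NOERROR" or not answer["txt"]:
        msg = f"no TXT record at {name} (rcode {answer['status']})"
        if answer.get("soa"):
            msg += f"; resolvers may cache this miss for {negative_cache_ttl(*answer['soa'])} s"
        problems.append(msg)
    else:
        for rec in answer["txt"]:
            problems.extend(f"{name}: {p}" for p in key_record_problems(rec))
    if from_domain != t["d"] and not from_domain.endswith("." + t["d"]):
        problems.append(f"d={t['d']} does not align with From: domain {from_domain}")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_SIGNATURE, NXDOMAIN_ANSWER, "mydomain2.com"):
        print(problem)
```

For a live check, feed `diagnose` the result of `dig +short txt fusion5._domainkey.infiserver.com @8.8.8.8` (the TXT strings, or an empty list with the SOA from a full `dig` when the name does not exist); querying Google's resolvers directly, as the reply suggests, shows whether they are still serving the cached miss.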