Debug


To test whether emails are signed successfully with the DKIM plugin, or to find faults, perform the following steps:

Check amavisd

amavisd-new showkeys

shows the location of the private key and the public key for every domain defined in amavis

amavisd-new showkeys example.com

shows the location of the private key and the public key for the domain example.com

amavisd-new testkeys

checks the public key published in DNS against the locally stored private key, for every defined domain

amavisd-new testkeys example.com

checks the public key published in DNS against the locally stored private key for the domain example.com

If the result is not “pass”, then either the private key is not stored or the DNS record is missing.
If you use a key strength greater than 1024 bit, the nameserver used must support TXT records longer than 255 characters. If you run your own DNS managed by ISPConfig, you may need to adjust the database:
ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL DEFAULT '';

Check the DNS
The DNS server is entered in /etc/resolv.conf. If you run your own DNS, it should always be listed first, so that the own (local) DNS is the one used.

The DNS record can be queried as follows:
dig default._domainkey.example.com TXT

Possible output:
;; ANSWER SECTION:
default._domainkey.akxnet.de. 3600 IN TXT "v=DKIM1\; g=*\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiiD2rNAjxABGB/Hn628aw4Pxviiav83Wrwg4xeXVuZinDecI4K985oSibZt/cnORLLf7MyZTLzNBmtiFvM//XeVCYW/E9pcY8UHoWiUSd/sbucqLSWhu52KT3aeEOkX5LZdGSq7R1jOso3ID6hbp/hVbHgvM7J7xqN18vBF/3HQIDAQAB"

To query explicitly your own DNS:
dig @ns.example.com default._domainkey.example.com TXT
or
dig @127.0.0.1 default._domainkey.example.com TXT

NOTE: If you do not run your own DNS, it can take up to 48 hours before changes are applied. Because of the decentralized structure of DNS, they are not necessarily visible immediately.

If the query against localhost / 127.0.0.1 does not work, the DNS server is not listening on that address. To check:
netstat -nap | grep \:53

The decisive setting in Bind is listen-on in named.conf. Either all IPv4 addresses that Bind should listen on are listed there, or the entry is commented out, so that Bind answers on all IPv4 addresses. For IPv6 the setting is listen-on-v6 { any; };.

Test the DKIM key in the DNS

As long as the public key cannot be retrieved through DNS queries, the signature cannot be verified. Updating the DNS (new key or changed key) takes up to 48 h.
With this check you can also verify the public key. If you run your own DNS, ISPConfig takes care of the record. If you use an external DNS, you may have missed something when entering the record shown.
dkimcore.org
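As an added example (not part of this page, of amavisd-new or of ISPConfig), the following Python script does offline what the dig query and amavisd-new testkeys do by hand: it joins the quoted strings of a dig TXT answer (a record for a key longer than 1024 bit exceeds 255 characters and is printed as several strings), parses the DKIM tags, decodes the p= value to confirm the key length, and compares it with the public key derived from the local private key. The sample answer is constructed from the record shown above; the PEM input expected by matches_local_pubkey is what openssl rsa -in <private.key> -pubout prints.

```python
import base64
import re

# Constructed sample: this page's dig answer with the key split over two quoted strings, which is how dig prints a TXT record longer than 255 bytes (e.g. any 2048-bit key).
DIG_ANSWER = (
    'default._domainkey.example.com. 3600 IN TXT "v=DKIM1\\; g=*\\; k=rsa\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiiD2rNAjxABGB/Hn628aw4Pxviiav83Wrwg4xeXVuZinDecI4K9" '
    '"85oSibZt/cnORLLf7MyZTLzNBmtiFvM//XeVCYW/E9pcY8UHoWiUSd/sbucqLSWhu52KT3aeEOkX5LZdGSq7R1jOso3ID6hbp/hVbHgvM7J7xqN18vBF/3HQIDAQAB"'
)

def parse_dig_txt(txt_line: str) -> dict:
    """Join the quoted strings of a dig TXT answer, unescape dig's '\\;', split into DKIM tags."""
    record = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt_line)).replace("\\;", ";")
    pairs = (f.split("=", 1) for f in record.split(";") if "=" in f)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}  # whitespace inside values is allowed

def _tlv(buf: bytes, pos: int):
    """(tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER."""
    _, start, _ = _tlv(spki_der, 0)                   # outer SEQUENCE
    _, _, alg_end = _tlv(spki_der, start)             # AlgorithmIdentifier (skipped)
    _, bits_start, _ = _tlv(spki_der, alg_end)        # BIT STRING wrapping RSAPublicKey
    _, rsa_start, _ = _tlv(spki_der, bits_start + 1)  # +1 skips the unused-bits byte
    _, n_start, n_end = _tlv(spki_der, rsa_start)     # first INTEGER is the modulus n
    return int.from_bytes(spki_der[n_start:n_end], "big").bit_length()

def check_dkim_record(txt_line: str, min_bits: int = 1024) -> dict:
    """Sanity-check a published record: p= present, decodes as DER, key length acceptable."""
    tags, problems, bits = parse_dig_txt(txt_line), [], None
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except Exception as exc:  # bad base64 or truncated DER: typical copy/paste damage
            problems.append(f"p= is not a valid public key: {exc}")
    if bits is not None and bits < min_bits:
        problems.append(f"key is only {bits} bits")
    return {"tags": tags, "bits": bits, "problems": problems}

def matches_local_pubkey(p_tag: str, pubkey_pem: str) -> bool:
    """True if p= equals what 'openssl rsa -in <private.key> -pubout' prints (same DER bytes)."""
    body = "".join(line for line in pubkey_pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body) == base64.b64decode(p_tag)
```

Paste the ANSWER SECTION line of your own dig output into check_dkim_record; an empty problems list and the expected bit count mean the published record is usable.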

Check signed mails

Send a mail to:
check-auth2@verifier.port25.com
or
mailtest@unlocktheinbox.com

Web-Services:
www.appmaildev.com
www.brandonchecketts.com

Debug the plugin
www.faqforge.com