How To Configure and Validate DKIM Records on Zimbra

Home » Zimbra » How To Configure and Validate DKIM Records on Zimbra
Zimbra 27 Comments

DKIM is one of many tips for increase reputation of email server besides SPF records who has been explained on previous article. On this section, i will do generate DKIM on Zimbra and configure DKIM records on public DNS using cPanel.

First, login to Zimbra server via SSH and generate DKIM

su - zimbra
/opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.net -s selector

The result of above command is like below

generate-dkim-zimbra

For records key DKIM is line on () starting with “v=DKIM1…..until double quote (“). Block and copy the records and check on website : http://dkimcore.org/tools/. Paste on key record for checking and validate.

check-dkim-records

The above result still problem on double quote (“). Please remove all double quote (“) and check it again

check-dkim-records-after-remove-quote

The above picture is valid DKIM key record after remove double quote (“) on all records DKIM. Block (Ctrl+a) and copy (Ctrl+c) the valid DKIM records and insert in public DNS. In here, i am using cPanel for insert DKIM records

insert-dkim-records

result-insert-dkim-records

Please try to send email to Gmail and see the result

result-of-dkim-records

If you has been saw Signed by on Gmail, it’s mean you has been success to configure DKIM. If no, usually still waiting for propagation of DNS

The following is example configure DKIM records on GIF

configure-dkim-records

Good luck and hopefully useful 😀

27 thoughts on - How To Configure and Validate DKIM Records on Zimbra

    • Hi Ferjun,

      You only to repeat the guidance for other domain. Only change domain with other domain and the selector name should not same as previous domain

  • Hi , Iman,
    i already setup my DKIM and check it to validator and it is pass , the question is why if i am sending from my mail server to gmail, or yahoo , they keep detect my mail as a spam? , i also check my hosting IP VPS to RATSdyna and my ip is not on the list

    and this is the log from yahoo :

    From test mail Tue Aug 11 03:42:07 2015
    X-Apparently-To: example@yahoo.co.id; Tue, 11 Aug 2015 03:42:16 +0000
    Return-Path:
    X-YahooFilteredBulk: xxx.xxx.xxx.xxx
    Received-SPF: pass (domain of example.com designates xxx.xxx.xxx.xxx as permitted sender)
    X-YMailISG: AiAc7WYWLDsTz2IomQVdC3w48ILd96e9bh_2Jl23wfi2lf7u
    I408TTKuNZ8co9zlq9kxQ1fCGyNan9JdWVhBKBABXkjtFeHXx5il1YYK6ikQ
    vSJsqLfUteGbsjz8M2Sw.vo6pQiVScASzQ8zzuYxQiGkVJMX1qQF7vzRcpz9
    21kFf_smLh164CNak.FO.D3FP9WhpZOB007PDMwcpRudTe690TQ7amo2LUx1
    dbcwkHVvnq.PjP2ZbwJu15v5rlnyQ87xzc6kwBZYGUiHclorL0Nonb1odC6i
    VDTdAdEZ_IJbDLbnKlWrcazoLj7uHI0cjp7j6YL8.cP2XTHDzpHYz4BEdcNe
    bvEGIev5HC6xi.xXdeREImSs6fyzlb65d0tmmaLgoNJnkQFwfXjkCS3hDUPc
    3HjqulLiuS3n_Fc3zFNgb1btmoEQFbKOQdR_AdyGJyQwcTkkidlfvauQ097j
    gmpvUURZkR4hhl2N8vyKm9PArAQ4dWC7mfbRZUWxoCUhdhrZrewTc1ufGmvC
    1gHnCNFhzdQt8.k_ddkW9JV9.uax64u3LkQ5PYzg0KHdgOE4SZB_iQg87tJf
    7OibPm5c3XJtSxlMol.Tp6dOq2P0bpW58mZa8LG0UDxHCYJpugEp1NIEwkpg
    t0wWhosmoQOVMkVPiUwJqMrT.6cmyLhNv_h9zf5410H6ibfz9uaZM0Rjk5tw
    TLxWWTyFcJIGH_dfTqD0PV.ho5MiJ7yBeZKLGtHAKW_aqin75q_AjmDcRFtC
    htXmubcJgPdiZ71TKFoKRS3PBhb3ZW8RxM7JTgJ5jn.NVTUtUDLOl1Fe3FlI
    iKIJi5UkBJE_4d6iFV2a9NJPE6BYVER_O12w59SVhvMx7mF34BC1Nu9kp9KJ
    a8xNTebL.GcSfwG6xuCo3pBBEHFjWjfNRlyGoEmsnY.bK4NZbhC26dDkKOAA
    ZIs3WX4NqZnmCEDYY7FHKNk3NUsDhlqTPKIrC5lyNq0TnqzU7RUMeijLh8rS
    4JKpCWUyW5Yqf_K73LmQ2kIf7a1u6Nas01u9gbf9xCKXgVQyQuHOn72cNsEY
    KyRHB.GAhJcQfmTH.CYlJi.s_z8PGettBlmmzlt0zbrYLAlrmT10CWjNRL1n
    WJWUwLBTlcS71Fullo_z6PmMe0W7P1ujdar_8Li3OkHKn8Y.Wn4vaSjMZ4Q0
    D_eAjBMiVKZD80GfO_DG87fxR4Kxegp90APpCOxubU7LuDaF2TpH7dZmOAdU
    PpjkGwjmdJJS7iGEjTdo4qB7f9JkWTNsLTWxJjE_95qI0LvnF8DsL..UZ3Tt
    iMttfGokT2xlw4LFJ9RsVmokPOIOOo2fzjuxqrD8Nn_AsN6x_5RVn3x0t0qM
    02Mnr0scIcPnvUG6vw–
    X-Originating-IP: [xxx.xxx.xxx.xxx]
    Authentication-Results: mta1208.mail.sg3.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO example.com) (xxx.xxx.xxx.xxx)
    by mta1208.mail.sg3.yahoo.com with SMTPS; Tue, 11 Aug 2015 03:42:14 +0000
    Received: from localhost (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id B5CF1A42E6
    for ; Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id 4lyY0M28IxPX for ;
    Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from localhost (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id 2D1CDA42DE
    for ; Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    DKIM-Filter: OpenDKIM Filter v2.9.2 example.com 2D1CDA42DE
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=75567458-3F82-11E5-BB87-33198994C253; t=1439264528;
    bh=v2hZ8tx91VhfLmGWNuPQd+4Hy7yi0KwHPNN2le9UwAQ=;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    b=jHK5gC63WMYctEe+oLQLZEz/3nZ6ticKaelP/q0iF2iMcd+RtSi9rYjtLBV4QGUJ4
    geJ8LxgBnYEaMX2oONZvAZ0/sWOJqIV58qzCls462YAooa9vI4PZj+9Z0aqV5aOcSd
    1IFAVC6vMRNucf1Kx4/rKCi6br5clo2qidfMIJKI=
    X-Virus-Scanned: amavisd-new at example.com
    Received: from example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id LX8xcvRVUg9j for ;
    Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from example.com (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id DDF3DA42D9
    for ; Tue, 11 Aug 2015 03:42:07 +0000 (UTC)
    Date: Tue, 11 Aug 2015 03:42:07 +0000 (UTC)
    From: test mail
    To: example@yahoo.co.id
    Message-ID:
    Subject: Test Mail From Mail Server
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=”—-=_Part_104_1482986880.1439264527638″
    X-Originating-IP: [112.78.148.76]
    X-Mailer: Zimbra 8.6.0_GA_1178 (ZimbraWebClient – FF39 (Win)/8.6.0_GA_1178)
    Thread-Topic: Test Mail From Mail Server
    Thread-Index: gX4LDdGxSGN314Gelq7lJBHrl09Qdg==
    Content-Length: 563

  • Hi iman,

    Thank you for your reply,
    it looks like my IP is still fresh new and the reputation is still Green ,

    so it is stil waaay to go i guess , haha

    i like your website iman , it help me alot 🙂

    Thank you very much
    Regards
    Deny

  • Hi iman,

    How to generate DKIM in a a single server setup with multi domain?

    I have successfully generated my first domain but when i tried to generate DKIM on my second domain, I’ve got an error

    Error: Failed to update LDAP: Selector selector is already in use.

    • Hi Ferjun,

      Please using another name of selector for other domain. The selector could be custom or you can using random selector if not using -s parameter

      • Hi Iman,

        I uses below command to generate DKIM record on my first domain.

        /opt/zimbra/libexec/zmdkimkeyutil -a -d mydomain.com -s selector

        How can I customize the above command or use a random selector to generate DKIM on other domain??
        Sorry im a newbie..
        Thanks for your help and great blog..

        • Hi Ferjun,

          You can use domain name as selector. For example, i have domain imanudin.net and imanudin.com. I can configure DKIM for every domain like below

          /opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.net -s imanudinnet
          /opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.com -s imanudincom
          

          Selector name for every domain should be different

  • Hello,
    When running the command as follows

    /opt/zimbra/opendkim/sbin/opendkim-testkey -d DOMAINNAME -s SELECTOR -x /opt/zimbra/conf/opendkim.conf
    opendkim-testkey: ‘SELECTOR._domainkey.DOMAINNAME’ record not found

    Do the DNS need to finish propagating ? Or Do I need to define DOMAINNAME in the DNS? For instance selector._domainkey.exmaple.com. ??

    • Hi mas Irfan,

      Untuk multi domain, lakukan hal yang sama untuk domain lainnya. Namun untuk selector tidak bisa sama (harus beda). Jika selector domain A adalah selector, maka untuk domain B bisa diset selectorB dan seterusnya

  • Hi iman

    I create a custom selector, when I run the command, i get the following message:

    [zimbra@carter ~]$ /opt/zimbra/opendkim/sbin/opendkim-testkey -d domain.cl -s dcarter -x /opt/zimbra/conf/opendkim.conf -vvv

    opendkim-testkey: checking key ‘dcarter._domainkey.domain.cl’
    opendkim-testkey: key missing

    Thank for your help!

    Cheers from Chile.

    • Hi Rodrigo,

      I am never test opendkim like that formerly 🙂

      I am usually configure DKIM in public DNS direct and check with dkimcore.org 🙂

  • Hi Imam,
    Thanks for ur guide before. But why DomainKeys check: neutral in my server and DKIM check is pass ? This is report email from auth-results@verifier.port25.com :

    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    Where is the wrong setup?? 🙁

  • Selamat pagi Pak Iman:
    Saya sudah konfig PTR, SPF, DKIM, DMARC, tpi ketika saya kirim email ke gmail dan yahoo selalu dianggap SPAM, kira2 masih kurang di konfig mananya ya?
    ini Log dari yahoo:
    X-Apparently-To: hendar_k125@yahoo.com; Tue, 01 Nov 2016 01:53:03 +0000
    Return-Path:
    X-YahooFilteredBulk: 119.XX.XXX.XXX
    Received-SPF: pass (domain of example.org designates 119.XX.XXX.XXX as permitted sender)
    X-YMailISG: zIMJEYwWLDtAKm6Yi2I6mBjaBS36OlqEVYvFtH6h9V3t6DVh
    RMjxRBjN4WTwgQv.PI1pg8ZfVc5EuXBFVOPgbXu8kll2844aiJ1jVNK29H98
    E34ZS5DY4nlao53SaAhfUQXJMSci58UfOn_F7mWFMDQYkWmh7trXD6WyTdXt
    ZKrKeeL37kGk1VZh8_gLdppBi8v9TJ7NXRtDqglYuKrokVLMeTk0H2bh7cC.
    p8X3znQ2gaFywpeEiNIeossIW9T94CMwT2sfbmuvLGsewwLyD5OM5HCsvkvl
    J_9T8mVS6Pzc.99_U7G8dKKpw5EILmjH_dyiyjIAcOgBAUVxjCVfSVLRSk7k
    p5Dkmn_IUtaxsN46lAUs1WzQpL12R3aDBLM8VtitUbOvf9cz7EZ8ZyA8642K
    zngnD0_71PuZJafrBx0IWZIi5g3yybWbws7eo3PJD4f0aQmGWV._vzhD0KsG
    38Zv8B2sp2_iRMKyTm_wG6Ql60RdVrvI9g3Ws4RFFfKSDBejayEKOv5kfdsW
    aITDjf7R7WbgOSRq257xw1W.DXvid9FYhvAymMWbqAuNa9GHvDifYsd_o903
    Wlwj5SnjVZ7owEU4o6QrUoOU0AImHz0Pnk3_ZLQAkdVEhnMIj4LaFNo27rUY
    u6TqoWz3Qj0aYZGI1CqX2GbzYJCdoUltX7erQhSX8gdqmpYYQ1hMzO5YHq0z
    lIQrgGlKIqWV1YJk3MX8uBkxwQy7cX8UXiRN5UirH948X77IXIzdxlZRefp2
    NgOBgMsLfEugjUZTxwE1ZLi5kfpJYhYhLPUWjPubWTHMEINufqPJm6JLLJZI
    HdggYSO5auBJjch_tOQFD7vsmNfCdeJtDieCvNjWznQsEtThxH043k5hgWsA
    n16oFhDl63KafHrDd7Xrdw8sxzvPZ8gwXO3C4tynMyKN4WSRkiW8qZuRfqh9
    yXFqp4JiBFc2JKfHANskiX0.4APtyIjrimL.rT4HpN7rkQDDY7wsLZp2gXcr
    TbXhAUcXHzVZzcSJQOp5ZQTrzTgBeWXSKDxwf4B.HvU5BsfD7gTRLLaefy_W
    gRMcDsBFdP2k2bcsMjM5mk8FopE5rlqgKxz7g7y5BnE6Hp1L6HEgEwqv1lKk
    thL4eZSa3EBsxtM_LrGbsgTNElzLPPJsNj372eWE70RZSRd.kdUnm_nITr39
    Br1SUDBkLhraaG3GnA5__1I63U33SR46V7gIYGiO3.a5jSyCYwgMg10.b3tS
    c5w3jITLlMAC6lALVI6MKx0x9BN7HQE5zdhsuKIJe13.zyEKRBvbLpxF4QJA
    fRdOkaXNsX8tVlIfvqUL3YTDomdw6eeuz8r2MBl0JDCAJgmgku2aPlEm8lVm
    Duqk2ci6GY8-
    X-Originating-IP: [119.XX.XXX.XXX]
    Authentication-Results: mta1171.mail.ne1.yahoo.com from=example.org; domainkeys=neutral (no sig); from=example.org; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO mail.example.org) (119.XX.XXX.XXX)
    by mta1171.mail.ne1.yahoo.com with SMTPS; Tue, 01 Nov 2016 01:53:01 +0000
    Received: from mail.example.org (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTPS id 3B0331000C86;
    Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    Received: from localhost (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTP id 17FE61000C87;
    Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    DKIM-Filter: OpenDKIM Filter v2.9.2 mail.example.org 17FE61000C87
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=D675DDC4-9CC3-11E6-B70E-43829B4A31EA; t=1477965156;
    bh=fn2VwlTlM473OcbaLLi25zwY0YOgDU9iAchLeSyq5DM=;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    b=eUp6lqHklHboM3hKyoO2zSRXf8HnVce0DxqsUP8aIrPvM5STZNigqcWEtNmZfpGiK
    SsGAKejoZlrt8kaKYrggv+CLAxY2n+6TlnIkuzjZe1JLgKYi6QCf0frptjOeVD/b2p
    RN6lqbmey1FkLknBVsOKZRp/9b5Agl3Zsmj1Eud8=
    Received: from mail.example.org ([127.0.0.1])
    by localhost (mail.example.org [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id d8-vX631jqV2; Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    Received: from mail.example.org (mail.example.org [119.XX.XXX.XXX])
    by mail.example.org (Postfix) with ESMTP id EC93C1000C86;
    Tue, 1 Nov 2016 08:52:35 +0700 (WIB)
    Date: Tue, 1 Nov 2016 08:52:35 +0700 (WIB)
    From: ICT YUQBogor
    To: hendar_k125@yahoo.com
    Message-ID:
    Subject: uncheck mail server – 1 November 2016 – 08:53 AM
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=”—-=_Part_939_1166280299.1477965155753″
    X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient – FF49 (Linux)/8.6.0_GA_1153)
    Thread-Topic: uncheck mail server – 1 November 2016 – 08:53 AM
    Thread-Index: 36dPBmN0wmUt4EBLL4sIYVRKqpTHMg==
    Content-Length: 504

    ——=_Part_939_1166280299.1477965155753
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit

    uncheck mail server – 1 November 2016 – 08:53 AM

    ——=_Part_939_1166280299.1477965155753
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit

    uncheck mail server – 1 November 2016 – 08:53 AM
    ——=_Part_939_1166280299.1477965155753–

  • hi iman i have problem with gmail. my domain cannot send to gmail..

    this error msg

    host gmail-smtp-in.l.google.com[74.125.68.27] said:
    550-5.7.1 [60.54.116.91 12] Our system has detected that this message
    is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
    Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
    https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for
    more information. f17si7873152plj.199 – gsmtp (in reply to end of DATA

LEAVE A COMMENT