How To Configure and Validate DKIM Records on Zimbra

Posted by

DKIM is one of many tips for increase reputation of email server besides SPF records who has been explained on previous article. On this section, i will do generate DKIM on Zimbra and configure DKIM records on public DNS using cPanel.

First, login to Zimbra server via SSH and generate DKIM

su - zimbra
/opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.net -s selector

The result of above command is like below

generate-dkim-zimbra

For records key DKIM is line on () starting with “v=DKIM1…..until double quote (“). Block and copy the records and check on website : http://dkimcore.org/tools/. Paste on key record for checking and validate.

check-dkim-records

The above result still problem on double quote (“). Please remove all double quote (“) and check it again

check-dkim-records-after-remove-quote

The above picture is valid DKIM key record after remove double quote (“) on all records DKIM. Block (Ctrl+a) and copy (Ctrl+c) the valid DKIM records and insert in public DNS. In here, i am using cPanel for insert DKIM records

insert-dkim-records

result-insert-dkim-records

Please try to send email to Gmail and see the result

result-of-dkim-records

If you has been saw Signed by on Gmail, it’s mean you has been success to configure DKIM. If no, usually still waiting for propagation of DNS

The following is example configure DKIM records on GIF

configure-dkim-records

Good luck and hopefully useful 😀

71 comments

  1. hi iman,

    Thanks for this guide. But how can I Set up DKIM for multiple domains on same host?

    Thanks!

    1. Hi Ferjun,

      You only to repeat the guidance for other domain. Only change domain with other domain and the selector name should not same as previous domain

  2. Hi , Iman,
    i already setup my DKIM and check it to validator and it is pass , the question is why if i am sending from my mail server to gmail, or yahoo , they keep detect my mail as a spam? , i also check my hosting IP VPS to RATSdyna and my ip is not on the list

    and this is the log from yahoo :

    From test mail Tue Aug 11 03:42:07 2015
    X-Apparently-To: example@yahoo.co.id; Tue, 11 Aug 2015 03:42:16 +0000
    Return-Path:
    X-YahooFilteredBulk: xxx.xxx.xxx.xxx
    Received-SPF: pass (domain of example.com designates xxx.xxx.xxx.xxx as permitted sender)
    X-YMailISG: AiAc7WYWLDsTz2IomQVdC3w48ILd96e9bh_2Jl23wfi2lf7u
    I408TTKuNZ8co9zlq9kxQ1fCGyNan9JdWVhBKBABXkjtFeHXx5il1YYK6ikQ
    vSJsqLfUteGbsjz8M2Sw.vo6pQiVScASzQ8zzuYxQiGkVJMX1qQF7vzRcpz9
    21kFf_smLh164CNak.FO.D3FP9WhpZOB007PDMwcpRudTe690TQ7amo2LUx1
    dbcwkHVvnq.PjP2ZbwJu15v5rlnyQ87xzc6kwBZYGUiHclorL0Nonb1odC6i
    VDTdAdEZ_IJbDLbnKlWrcazoLj7uHI0cjp7j6YL8.cP2XTHDzpHYz4BEdcNe
    bvEGIev5HC6xi.xXdeREImSs6fyzlb65d0tmmaLgoNJnkQFwfXjkCS3hDUPc
    3HjqulLiuS3n_Fc3zFNgb1btmoEQFbKOQdR_AdyGJyQwcTkkidlfvauQ097j
    gmpvUURZkR4hhl2N8vyKm9PArAQ4dWC7mfbRZUWxoCUhdhrZrewTc1ufGmvC
    1gHnCNFhzdQt8.k_ddkW9JV9.uax64u3LkQ5PYzg0KHdgOE4SZB_iQg87tJf
    7OibPm5c3XJtSxlMol.Tp6dOq2P0bpW58mZa8LG0UDxHCYJpugEp1NIEwkpg
    t0wWhosmoQOVMkVPiUwJqMrT.6cmyLhNv_h9zf5410H6ibfz9uaZM0Rjk5tw
    TLxWWTyFcJIGH_dfTqD0PV.ho5MiJ7yBeZKLGtHAKW_aqin75q_AjmDcRFtC
    htXmubcJgPdiZ71TKFoKRS3PBhb3ZW8RxM7JTgJ5jn.NVTUtUDLOl1Fe3FlI
    iKIJi5UkBJE_4d6iFV2a9NJPE6BYVER_O12w59SVhvMx7mF34BC1Nu9kp9KJ
    a8xNTebL.GcSfwG6xuCo3pBBEHFjWjfNRlyGoEmsnY.bK4NZbhC26dDkKOAA
    ZIs3WX4NqZnmCEDYY7FHKNk3NUsDhlqTPKIrC5lyNq0TnqzU7RUMeijLh8rS
    4JKpCWUyW5Yqf_K73LmQ2kIf7a1u6Nas01u9gbf9xCKXgVQyQuHOn72cNsEY
    KyRHB.GAhJcQfmTH.CYlJi.s_z8PGettBlmmzlt0zbrYLAlrmT10CWjNRL1n
    WJWUwLBTlcS71Fullo_z6PmMe0W7P1ujdar_8Li3OkHKn8Y.Wn4vaSjMZ4Q0
    D_eAjBMiVKZD80GfO_DG87fxR4Kxegp90APpCOxubU7LuDaF2TpH7dZmOAdU
    PpjkGwjmdJJS7iGEjTdo4qB7f9JkWTNsLTWxJjE_95qI0LvnF8DsL..UZ3Tt
    iMttfGokT2xlw4LFJ9RsVmokPOIOOo2fzjuxqrD8Nn_AsN6x_5RVn3x0t0qM
    02Mnr0scIcPnvUG6vw–
    X-Originating-IP: [xxx.xxx.xxx.xxx]
    Authentication-Results: mta1208.mail.sg3.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO example.com) (xxx.xxx.xxx.xxx)
    by mta1208.mail.sg3.yahoo.com with SMTPS; Tue, 11 Aug 2015 03:42:14 +0000
    Received: from localhost (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id B5CF1A42E6
    for ; Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id 4lyY0M28IxPX for ;
    Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from localhost (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id 2D1CDA42DE
    for ; Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    DKIM-Filter: OpenDKIM Filter v2.9.2 example.com 2D1CDA42DE
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=75567458-3F82-11E5-BB87-33198994C253; t=1439264528;
    bh=v2hZ8tx91VhfLmGWNuPQd+4Hy7yi0KwHPNN2le9UwAQ=;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    b=jHK5gC63WMYctEe+oLQLZEz/3nZ6ticKaelP/q0iF2iMcd+RtSi9rYjtLBV4QGUJ4
    geJ8LxgBnYEaMX2oONZvAZ0/sWOJqIV58qzCls462YAooa9vI4PZj+9Z0aqV5aOcSd
    1IFAVC6vMRNucf1Kx4/rKCi6br5clo2qidfMIJKI=
    X-Virus-Scanned: amavisd-new at example.com
    Received: from example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id LX8xcvRVUg9j for ;
    Tue, 11 Aug 2015 03:42:08 +0000 (UTC)
    Received: from example.com (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id DDF3DA42D9
    for ; Tue, 11 Aug 2015 03:42:07 +0000 (UTC)
    Date: Tue, 11 Aug 2015 03:42:07 +0000 (UTC)
    From: test mail
    To: example@yahoo.co.id
    Message-ID:
    Subject: Test Mail From Mail Server
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=”—-=_Part_104_1482986880.1439264527638″
    X-Originating-IP: [112.78.148.76]
    X-Mailer: Zimbra 8.6.0_GA_1178 (ZimbraWebClient – FF39 (Win)/8.6.0_GA_1178)
    Thread-Topic: Test Mail From Mail Server
    Thread-Index: gX4LDdGxSGN314Gelq7lJBHrl09Qdg==
    Content-Length: 563

  3. Hi iman,

    Thank you for your reply,
    it looks like my IP is still fresh new and the reputation is still Green ,

    so it is stil waaay to go i guess , haha

    i like your website iman , it help me alot 🙂

    Thank you very much
    Regards
    Deny

  4. Hi iman,

    How to generate DKIM in a a single server setup with multi domain?

    I have successfully generated my first domain but when i tried to generate DKIM on my second domain, I’ve got an error

    Error: Failed to update LDAP: Selector selector is already in use.

    1. Hi Ferjun,

      Please using another name of selector for other domain. The selector could be custom or you can using random selector if not using -s parameter

      1. Hi Iman,

        I uses below command to generate DKIM record on my first domain.

        /opt/zimbra/libexec/zmdkimkeyutil -a -d mydomain.com -s selector

        How can I customize the above command or use a random selector to generate DKIM on other domain??
        Sorry im a newbie..
        Thanks for your help and great blog..

        1. Hi Ferjun,

          You can use domain name as selector. For example, i have domain imanudin.net and imanudin.com. I can configure DKIM for every domain like below

          /opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.net -s imanudinnet
          /opt/zimbra/libexec/zmdkimkeyutil -a -d imanudin.com -s imanudincom
          

          Selector name for every domain should be different

  5. Hello,
    When running the command as follows

    /opt/zimbra/opendkim/sbin/opendkim-testkey -d DOMAINNAME -s SELECTOR -x /opt/zimbra/conf/opendkim.conf
    opendkim-testkey: ‘SELECTOR._domainkey.DOMAINNAME’ record not found

    Do the DNS need to finish propagating ? Or Do I need to define DOMAINNAME in the DNS? For instance selector._domainkey.exmaple.com. ??

    1. Hi mas Irfan,

      Untuk multi domain, lakukan hal yang sama untuk domain lainnya. Namun untuk selector tidak bisa sama (harus beda). Jika selector domain A adalah selector, maka untuk domain B bisa diset selectorB dan seterusnya

  6. Hi iman

    I create a custom selector, when I run the command, i get the following message:

    [zimbra@carter ~]$ /opt/zimbra/opendkim/sbin/opendkim-testkey -d domain.cl -s dcarter -x /opt/zimbra/conf/opendkim.conf -vvv

    opendkim-testkey: checking key ‘dcarter._domainkey.domain.cl’
    opendkim-testkey: key missing

    Thank for your help!

    Cheers from Chile.

    1. Hi Rodrigo,

      I am never test opendkim like that formerly 🙂

      I am usually configure DKIM in public DNS direct and check with dkimcore.org 🙂

  7. Hi Imam,
    Thanks for ur guide before. But why DomainKeys check: neutral in my server and DKIM check is pass ? This is report email from auth-results@verifier.port25.com :

    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    Where is the wrong setup?? 🙁

  8. Selamat pagi Pak Iman:
    Saya sudah konfig PTR, SPF, DKIM, DMARC, tpi ketika saya kirim email ke gmail dan yahoo selalu dianggap SPAM, kira2 masih kurang di konfig mananya ya?
    ini Log dari yahoo:
    X-Apparently-To: hendar_k125@yahoo.com; Tue, 01 Nov 2016 01:53:03 +0000
    Return-Path:
    X-YahooFilteredBulk: 119.XX.XXX.XXX
    Received-SPF: pass (domain of example.org designates 119.XX.XXX.XXX as permitted sender)
    X-YMailISG: zIMJEYwWLDtAKm6Yi2I6mBjaBS36OlqEVYvFtH6h9V3t6DVh
    RMjxRBjN4WTwgQv.PI1pg8ZfVc5EuXBFVOPgbXu8kll2844aiJ1jVNK29H98
    E34ZS5DY4nlao53SaAhfUQXJMSci58UfOn_F7mWFMDQYkWmh7trXD6WyTdXt
    ZKrKeeL37kGk1VZh8_gLdppBi8v9TJ7NXRtDqglYuKrokVLMeTk0H2bh7cC.
    p8X3znQ2gaFywpeEiNIeossIW9T94CMwT2sfbmuvLGsewwLyD5OM5HCsvkvl
    J_9T8mVS6Pzc.99_U7G8dKKpw5EILmjH_dyiyjIAcOgBAUVxjCVfSVLRSk7k
    p5Dkmn_IUtaxsN46lAUs1WzQpL12R3aDBLM8VtitUbOvf9cz7EZ8ZyA8642K
    zngnD0_71PuZJafrBx0IWZIi5g3yybWbws7eo3PJD4f0aQmGWV._vzhD0KsG
    38Zv8B2sp2_iRMKyTm_wG6Ql60RdVrvI9g3Ws4RFFfKSDBejayEKOv5kfdsW
    aITDjf7R7WbgOSRq257xw1W.DXvid9FYhvAymMWbqAuNa9GHvDifYsd_o903
    Wlwj5SnjVZ7owEU4o6QrUoOU0AImHz0Pnk3_ZLQAkdVEhnMIj4LaFNo27rUY
    u6TqoWz3Qj0aYZGI1CqX2GbzYJCdoUltX7erQhSX8gdqmpYYQ1hMzO5YHq0z
    lIQrgGlKIqWV1YJk3MX8uBkxwQy7cX8UXiRN5UirH948X77IXIzdxlZRefp2
    NgOBgMsLfEugjUZTxwE1ZLi5kfpJYhYhLPUWjPubWTHMEINufqPJm6JLLJZI
    HdggYSO5auBJjch_tOQFD7vsmNfCdeJtDieCvNjWznQsEtThxH043k5hgWsA
    n16oFhDl63KafHrDd7Xrdw8sxzvPZ8gwXO3C4tynMyKN4WSRkiW8qZuRfqh9
    yXFqp4JiBFc2JKfHANskiX0.4APtyIjrimL.rT4HpN7rkQDDY7wsLZp2gXcr
    TbXhAUcXHzVZzcSJQOp5ZQTrzTgBeWXSKDxwf4B.HvU5BsfD7gTRLLaefy_W
    gRMcDsBFdP2k2bcsMjM5mk8FopE5rlqgKxz7g7y5BnE6Hp1L6HEgEwqv1lKk
    thL4eZSa3EBsxtM_LrGbsgTNElzLPPJsNj372eWE70RZSRd.kdUnm_nITr39
    Br1SUDBkLhraaG3GnA5__1I63U33SR46V7gIYGiO3.a5jSyCYwgMg10.b3tS
    c5w3jITLlMAC6lALVI6MKx0x9BN7HQE5zdhsuKIJe13.zyEKRBvbLpxF4QJA
    fRdOkaXNsX8tVlIfvqUL3YTDomdw6eeuz8r2MBl0JDCAJgmgku2aPlEm8lVm
    Duqk2ci6GY8-
    X-Originating-IP: [119.XX.XXX.XXX]
    Authentication-Results: mta1171.mail.ne1.yahoo.com from=example.org; domainkeys=neutral (no sig); from=example.org; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO mail.example.org) (119.XX.XXX.XXX)
    by mta1171.mail.ne1.yahoo.com with SMTPS; Tue, 01 Nov 2016 01:53:01 +0000
    Received: from mail.example.org (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTPS id 3B0331000C86;
    Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    Received: from localhost (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTP id 17FE61000C87;
    Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    DKIM-Filter: OpenDKIM Filter v2.9.2 mail.example.org 17FE61000C87
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=D675DDC4-9CC3-11E6-B70E-43829B4A31EA; t=1477965156;
    bh=fn2VwlTlM473OcbaLLi25zwY0YOgDU9iAchLeSyq5DM=;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    b=eUp6lqHklHboM3hKyoO2zSRXf8HnVce0DxqsUP8aIrPvM5STZNigqcWEtNmZfpGiK
    SsGAKejoZlrt8kaKYrggv+CLAxY2n+6TlnIkuzjZe1JLgKYi6QCf0frptjOeVD/b2p
    RN6lqbmey1FkLknBVsOKZRp/9b5Agl3Zsmj1Eud8=
    Received: from mail.example.org ([127.0.0.1])
    by localhost (mail.example.org [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id d8-vX631jqV2; Tue, 1 Nov 2016 08:52:36 +0700 (WIB)
    Received: from mail.example.org (mail.example.org [119.XX.XXX.XXX])
    by mail.example.org (Postfix) with ESMTP id EC93C1000C86;
    Tue, 1 Nov 2016 08:52:35 +0700 (WIB)
    Date: Tue, 1 Nov 2016 08:52:35 +0700 (WIB)
    From: ICT YUQBogor
    To: hendar_k125@yahoo.com
    Message-ID:
    Subject: uncheck mail server – 1 November 2016 – 08:53 AM
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=”—-=_Part_939_1166280299.1477965155753″
    X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient – FF49 (Linux)/8.6.0_GA_1153)
    Thread-Topic: uncheck mail server – 1 November 2016 – 08:53 AM
    Thread-Index: 36dPBmN0wmUt4EBLL4sIYVRKqpTHMg==
    Content-Length: 504

    ——=_Part_939_1166280299.1477965155753
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit

    uncheck mail server – 1 November 2016 – 08:53 AM

    ——=_Part_939_1166280299.1477965155753
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit

    uncheck mail server – 1 November 2016 – 08:53 AM
    ——=_Part_939_1166280299.1477965155753–

  9. hi iman i have problem with gmail. my domain cannot send to gmail..

    this error msg

    host gmail-smtp-in.l.google.com[74.125.68.27] said:
    550-5.7.1 [60.54.116.91 12] Our system has detected that this message
    is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
    Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
    https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for
    more information. f17si7873152plj.199 – gsmtp (in reply to end of DATA

  10. Hi specialists
    I have problem with checking DKIM Core Key Record

    “This doesn’t seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/new_public_key.al) line 91.”

    http://prntscr.com/e3t6hs

    I did:
    1) /opt/zimbra/libexec/zmdkimkeyutil -a -d newexample.com -s newexample
    2) Checked on http://dkimcore.org/

    Please help me who can!

    1. Hi Viktor,

      I think your record is not complete when check on dkimcore.org. Please carefully when checking on dkimcore.org and make sure you have been copy all records

  11. Hi Imanudin,

    I have 2 questions.
    1- Do i need to add domain into zimbra server to generate DKIM keys? I ran /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com and it said domain doesn’t exist. I need this to be done as some server will send out mail with external domain in FROM field.

    2- If i have 2 servers, receiving mails from internal clients, How can i configure same key on both servers?

    Thank you

    1. Hi Imran Yousuf,

      1. Yes, you need add every domain on Zimbra if want generate DKIM
      2. You can copy Key from another machine. PleaSe use zmprov gd domainname to check Key on Domain

  12. I Have configure spf dkim and dmarc and i have checked the result is passed, but while sending mail to gmail and yahoo its mark as spam, how to resolve this, i have original message below :

    Delivered-To: alhafidz.ramadhan2015@gmail.com
    Received: by 10.176.23.1 with SMTP id j1csp21995uaf;
    Fri, 24 Mar 2017 04:14:30 -0700 (PDT)
    X-Received: by 10.84.217.222 with SMTP id d30mr10429139plj.33.1490354070315;
    Fri, 24 Mar 2017 04:14:30 -0700 (PDT)
    Return-Path:
    Received: from mail.lumajangkab.go.id (mail.lumajangkab.go.id. [182.253.66.204])
    by mx.google.com with ESMTPS id m17si2408502pli.193.2017.03.24.04.14.29
    for
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Fri, 24 Mar 2017 04:14:29 -0700 (PDT)
    Received-SPF: pass (google.com: domain of fendi_kurniawan@lumajangkab.go.id designates 182.253.66.204 as permitted sender) client-ip=182.253.66.204;
    Authentication-Results: mx.google.com;
    dkim=pass header.i=@lumajangkab.go.id;
    spf=pass (google.com: domain of fendi_kurniawan@lumajangkab.go.id designates 182.253.66.204 as permitted sender) smtp.mailfrom=fendi_kurniawan@lumajangkab.go.id
    Received: from localhost (localhost [127.0.0.1]) by mail.lumajangkab.go.id (Postfix) with ESMTP id 0971512E1A2A for ; Fri, 24 Mar 2017 18:14:28 +0700 (WIB)
    Received: from mail.lumajangkab.go.id ([127.0.0.1]) by localhost (mail.lumajangkab.go.id [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id oqve2V0Jg4-W for ; Fri, 24 Mar 2017 18:14:26 +0700 (WIB)
    Received: from localhost (localhost [127.0.0.1]) by mail.lumajangkab.go.id (Postfix) with ESMTP id 6BE2712E1A57 for ; Fri, 24 Mar 2017 18:14:26 +0700 (WIB)
    DKIM-Filter: OpenDKIM Filter v2.9.0 mail.lumajangkab.go.id 6BE2712E1A57
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lumajangkab.go.id; s=88C0D3D6-75FB-11E4-A8DF-35BB24C30973; t=1490354066; bh=PgiHVolGPmw/nHTyx4M03pvaWqArocVItkLijp2KXDg=; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:
    Content-Transfer-Encoding; b=BQY3pAP+vLEZ24rbIgBVM4njulMorDQ/uyx558K4ijaJL0KGqMb3rFEAxjp5sCWfn
    KoRv8J8kxG0qss5wi7GUGZiqUJA8HNh6ShuwE5TwLtfB/pKY3aDmJr10dRSiuYNUOo
    rMxdSOYAcQ6gIoxlHfrhM/0mPyVwYdXxpLN1ii8Q=
    X-Virus-Scanned: amavisd-new at mail.lumajangkab.go.id
    Received: from mail.lumajangkab.go.id ([127.0.0.1]) by localhost (mail.lumajangkab.go.id [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id bbywAxGXuPBg for ; Fri, 24 Mar 2017 18:14:26 +0700 (WIB)
    Received: from mail.lumajangkab.go.id (mail.lumajangkab.go.id [182.253.66.204]) by mail.lumajangkab.go.id (Postfix) with ESMTP id 43C2612E1A2A for ; Fri, 24 Mar 2017 18:14:26 +0700 (WIB)
    Date: Fri, 24 Mar 2017 18:14:26 +0700 (WIB)
    From: Fendi Kurniawan
    To: alhafidz.ramadhan2015@gmail.com
    Message-ID:
    Subject: tes lagi ya
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [117.102.66.48]
    X-Mailer: Zimbra 8.0.7_GA_6021 (ZimbraWebClient – FF52 (Win)/8.0.7_GA_6021)
    Thread-Topic: tes lagi ya
    Thread-Index: AzUDxLzhiKBYv1A1LkGMtxc7SaGwfg==

    ——————————————————-
    Warm Regards,

    1. Hi Fendi Kurniawan,

      You need waiting until your domain eligible. The new domain or formerly perform spamming into internet usually need more time to get passed and trust by another domain

  13. hi,

    I have 2 mtas and already generate DKIM keys on mta1, using this command:

    /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

    Do I need to generate the key on 2nd mta (same domain)? or
    Can I use the same generated DKIM for the 2nd mta? If yes how do I configure on the 2nd mta?

    Tq.

      1. Hi Iman,
        Thanks for replying.
        Mail outgoing from mta2 tested using dkimvalidator.com show
        no DKIM signature while mail outgoing from mta1 does have DKIM signature.

        I noticed that opendkim service is not running on mta2 and it doesn’t have opendkim.conf file.
        Should I copy opendkim.conf from mta1? How do I make opendkim service running on mta2?

        Thanks.

        1. Hi Nur,
          Please make sure opendkim service is running. You can try to enable by performing below command

          su - zimbra
          zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
          zmcontrol restart
          
          1. Hi Iman,
            Really appreciate ur help. Now the 2nd MTA has DKIM signature when tested using dkimvalidator.com
            Thanks.

  14. Hi Iman,
    I need add DKIM records as your article I went http://dkimcore.org/c/keycheck i am getting error
    There is a parsing error at character 410 (‘ ‘)
    And
    This doesn’t seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/new_public_key.al) line 91.

  15. Hello Iman,
    using your doc, we were able to generate 2048 bits DKIM keys and it worked fine, but Domain providers like Namecheap only allows 1024 bit keys, I need your help in
    1. how to convert existing 2048bit Keys to 1024 bit.
    2. how to create multiple keys for same domain uisng zmdkimkeyutil having different bits.

    Waiting a response, thanks in advance…

    1. Hi Tijo,
      You can use 2 methods :
      1. you can use -b options when generate. -b 1024 to generate become 1024 bit
      2. you can change value 2048 into 1024 on zmdkimkeyutil file

      I think you cannot have multiple keys for the same domain

  16. Hi Imam, My dkim tes is error This is not a good DKIM key record. You should fix the errors shown in red when I checked with published DKIM Core Key in dkimcore.org. I already added in cpanel. Can you suggest to me what step must be check

    1. Hi Ari,
      You should paste the key into DKIM Core Key Record and make sure all have been correct. You can see example configuration in the GIF format on the bottom article

      1. This is a valid DKIM key record, when paste the key into DKIm core key.The problem is when the valid key paste into cpanel and check published dkim core key still “DNS query failed for ‘0C23ACF2-4444……..(my selector)”thanks

  17. hello iman,
    we setup the dkim a while ago and it was working fine , but suddendly we’re having logs like this
    May 9 11:18:56 mail amavis[14202]: (14202-11) dkim: FAILED Author+Sender+MailFrom signature by d=domain, From: , a=rsa-sha256, c=relaxed/relaxed, s=BA2F693A-536C-11E8-A05B-E082684463FB, i=@domain, ORIG [127.0.0.1]:37910, invalid (public key: not available)
    when a user sends a mail internaly or extenaly we have this logs.
    we’ve updated the dkim and the logs persist. and when we remove the dkim the logs disapear.

    what we’re missing.

    thanks.

  18. Dear, I am writing to you because it already brings me a head that should be simple, but I have not yet been able to implement it, it is dkim, I know I am crashing into something simple, could you help me see where I might have the error, tell me I sent you here to do the tests, in dkim core we are ok, but when the test in my zimbra throws a record not found, I’m almost sure that the error I have in my server dns centos 6 with bind, give me A hand to know what may be happening. thank you very much. greetings from Chile.

    1. Hi Arturo Jara,

      Could you share what have been you do to getting DKIM works? so that i can help you where you should improve

  19. hai mas iman

    mau tanya bisa g signature digunakan double dari zimbra dan google apps,
    kebetulan saya mengimplementasikan zimbra dan google apps dgn domain yg sama.

    1. Hello Atmane,
      Yes, you can. You can copy all data from domain attribute (DKIMKey, DKIMPublicKey, DKIMSelector). You can view with zmprov gd command

      zmprov gd yourdomain.abc DKIMKey
      zmprov gd yourdomain.abc DKIMPublicKey
      zmprov gd yourdomain.abc DKIMSelector
      
  20. Dear Iman, I’ve followed all your steps and DKIM for incoming mails is working through OpenDKIM.

    But the problem is I get always this type of error:

    dkim: FAILED Author+Sender+MailFrom signature by d=gmail.com, From: , a=rsa-sha256, c=relaxed/relaxed, s=20161025, i=@gmail.com, invalid (public key: DNS error: no nameservers)

    I confirm I have DNS resolution from my Zimbra server.

    What could be the problem?

    Thanks a lot !!!

  21. Hi Iman,
    Thanks for this valuable blog.
    I have created the DKIM key in cpanel and validate it. But when sent an email to gmail, its now showing the “signed by” in gmail and emails are going to spam folder. Can you please help ?
    Thanks,
    Ritz

      1. Hi Iman,
        I had waited for 4 days but still the DKIM key was failed. Later I checked and found that I have configured the dnsmasq . I have added the DKIM key in dnsmasq and waited for 3-4 hours. It works.
        Thanks,
        Ritesh

  22. Salam Iman,
    I created DKIm according to your tutorial but i didnt not use ” -s selector” at the end of the command. what can i use as the selector?
    all domains are failing DKIm test.
    I have several domains on the sever. is it possible to delete the existing dkim and re set it on the server?

    thanks

    1. Hi Javid,
      If you do not use -s, the selector name will be random. You can check your selector name by -q -d yourdomain. You can also delete existing DKIM with -r -d yourdomain commands

  23. Hi Iman!
    My name is Rogério Muhate
    Your guides are so nice to follow, I have installed and configured Zimbra using them and it is running up to now since 2018.
    I am getting some issues with my DKIM, when I test it against “mail-tester.com” it gives me the message: “The message has a DKIM or DK signature, but it is not necessarily valid”, how can I improve that result?
    Otehr issue, today all my team received strange emails, it seems the sender has all our accounts and added some attachements, is there any way to make ClamaV to real-time scanning attachments in incoming mails?
    Best wishes

    1. Hi Rogerio Muhate,
      You can follow this article to configure openDKIM on your Zimbra server. Regarding attachments, please try to update the ClamAV database. Maybe the virus is new

  24. This is my generated key, cannot get a correct output from DKIM record checker. Please help

    ( “v=DKIM1; k=rsa; ”
    “p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxeGoQw6TYNSqOb+Pj2aJWnX7KAbUMs46rCcvvITgk5oE3MoA7q2DtWOhIZbM1OnvER5BsB4W/QbDAlmpdkCJl5hlEMbRdmWvls+2/M7gXdAqdEtXl31WUrBFbphxMyQMOqRpsnrR19TAx4c0XC+NO9map+F0D3pzl5YT4yCjz9RbNAvcgQ94nIkfYoR5MuLcKAfAYuVhSjDZe”
    “/ocXrE6cW9JCineij+FqIg7az3QRmJ050dklkSvmNW2D2GMxoW1mel2AGvZee9NsFnbWpjxjebU/oGfmUrwuAmtHKToxJWk8/0aY74KckJIR9KuEcuUNLboaIRcTye4j8yi4q99QIDAQAB” )

  25. Hello Iman, do you know if there is a way to increase the score of old versions of zimbra, so that those with an invalid dkim enter SPAM?
    X-Spam-Status: No, score=3.288 tagged_above=-10 required=4
    tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001,
    MISSING_HEADERS=1.021, RP_MATCHES_RCVD=-1.344, T_DKIM_INVALID=0.01]
    autolearn=no
    dkim=fail (2048-bit key) reason=”fail (body has been altered)”

Leave a Reply to gugum Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.