# VestaCP DKIM setup using external DNS



## thekreek (May 8, 2014)

Currently I'm trying to setup a VPS with VestaCP

*My current setup is:*

Domain name: mxweb.info

Main dns: dns.he.net

*VPS 1 (alpha.mxweb.info): *

CentOS 6.5 - 32bit

*VPS 2 (zhor.mxweb.info):*

CentOS 6.5 - 32bit

*My problem:*

The main VPS (alpha.mxweb.info) is not passing the DKIM test's and all the email I sent to hotmail ends up in the junk folder.

The bind zone file (from VestaCP) has the following settings:


$TTL 14400
@ IN SOA ns1.localhost.ltd. root.alpha.mxweb.info. (
2014050703
7200
3600
1209600
180 )

@	14400	IN	NS ns1.localhost.ltd.
@	14400	IN	NS ns2.localhost.ltd.
@	14400	IN	A 107.170.239.57
mail	14400	IN	A 107.170.239.57
www	14400	IN	A 107.170.239.57
pop	14400	IN	A 107.170.239.57
ftp	14400	IN	A 107.170.239.57
@	14400	IN	MX	10	mail.alpha.mxweb.info.
@	14400	IN	TXT "v=spf1 a mx ip4:107.170.239.57 ?all"
_domainkey	14400	IN	TXT "t=y; o=~;"
mail._domainkey	14400	IN	TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

And my setup in he.net is the following:


NAME TYPE	TTL PRIORITY	DATA
mxweb.info SOA 86400	- ns1.he.net. hostmaster.he.net. 2014050731 10800 1800 604800 86400
mxweb.info NS 300 - ns1.he.net
mxweb.info NS 300 - ns2.he.net
mxweb.info NS 300 - ns3.he.net
mxweb.info NS 300 - ns5.he.net
mxweb.info NS 300 - ns4.he.net
alpha.mxweb.info A 300 - 107.170.239.57
mail.alpha.mxweb.info	A 300 - 107.170.239.57
mxweb.info A 300 - 23.252.115.166
alpha.mxweb.info MX 300 10 alpha.mxweb.info
alpha.mxweb.info SPF 300 - v=spf1 a mx ip4:107.170.239.57 ?all
www.alpha.mxweb.info	CNAME	300 - alpha.mxweb.info
alpha.mxweb.info TXT 300 - _domainkey IN TXT t=y;o=~;
mail._domainkey.alpha.mxweb.info	TXT	300	- "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"


Also my test from verifier.port25.com gives me this result on the DKIM test


DKIM check details:
----------------------------------------------------------
Result: permerror (key "mail._domainkey.alpha.mxweb.info" doesn't exist)
ID(s) verified: 
Canonicalized Headers:
message-id:<[email protected]>'0D''0A'
from:[email protected]'0D''0A'
date:Wed,'20'07'20'May'20'2014'20'21:39:26'20'-0700'0D''0A'
mime-version:1.0'0D''0A'
subject:'0D''0A'
to:[email protected]'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:Fromate:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

Canonicalized Body:

DNS record(s):
mail._domainkey.alpha.mxweb.info. TXT (NXDOMAIN)

I already rebuild the DKIM keys to a key lenght of 1024 using the command " v-add-mail-domain-dkim %user% %domain% %key-length% " and restarting bind, without a good result.

*My objective is:*

Build a DNS cluster using both VPS and host a couple of domains I have.

Point the hosted domains to each VPS and be able to send emails without problems

Any suggestions for fixing this email issue?

P.S. sorry for the long post, I tried to post as much info as possible


----------



## sv01 (May 8, 2014)

have you try sending to gmail? I prefer testing using gmail, I often get false report from verifier.port25.com.

After changing file config did you remember to restart mail services?

edit : 

DKIM key should like this 


v=DKIM1\; k=rsa\; t=y\;p=MIGfMA0qGSIb3DQEBAQUAA4GNADCBiQKBgQCofhyElagDdZB045HXRMriBN+ZDXMma6+fccJo/50GinxwOxS5JtiHQOX73b4v8KWWhBalUrzn88Bb1CGSij97yTMHGDS7zTm/kLh5t3SlSKpskyEdlBif5qlncN7aFJLwGYnnDuPiI4kSrU1CQAB
you miss *v=DKIM1\; *


----------



## thekreek (May 8, 2014)

Hi @sv01 I added the " v=DKIM1\; " and still I get failed on the DKIM tested, already restarted exim and bind.

The answer I get is this


DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (signature doesn't verify)
ID(s) verified: 
Canonicalized Headers:
message-id:<[email protected]>'0D''0A'
from:[email protected]'0D''0A'
date:Thu,'20'08'20'May'20'2014'20'21:24:56'20'-0700'0D''0A'
mime-version:1.0'0D''0A'
subject:'0D''0A'
to:[email protected]'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:Fromate:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

Canonicalized Body:

DNS record(s):
mail._domainkey.alpha.mxweb.info. 179 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

Public key used for verification: mail._domainkey.alpha.mxweb.info (1024 bits)

Any more suggestions?


----------



## jarland (May 9, 2014)

This will spit out the DKIM key DNS entry:

/usr/local/vesta/bin/v-list-mail-domain-dkim-dns

Problem is, the way it outputs it won't work in your DNS. Now I'm no DKIM expert, I'm really just now getting into it, but I edited this file on mxroute to output the exact DNS entry that a client could add to their DNS that would pass the test. Here's the code for the file:

http://sprunge.us/jbLb

After that, I coded a quick little script for the Catalyst master server so Ryan & Don could pull a DKIM key for anyone for MXroute if a ticket was opened while I wasn't around:


#!/bin/bash
# Usage: dkim domainname
user=$(ssh [email protected] "/usr/local/vesta/bin/v-search-domain-owner $1")
ssh [email protected] "/usr/local/vesta/bin/v-list-mail-domain-dkim-dns $user $1"

The result was:


[email protected]:~$ dkim jarland.me
mail._domainkey 3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0xV1NRp5dEcBG0f8WQBTtRHSIjwJx7Qzvh7uwD6XYGkHhQUYfzhj+0s/heNCgUaWKgaRheN8+wDrNm6VpGo/3ZUylWpEReE3GmS1ir/rbBjfNLxTBYUl9qVTo9F2iJ1n1qU2DeJaAAWGzwaqfBdVZVr1D9h6jdJVGLx3wAf+mjQIDAQAB"

Take it as you will, that's just my setup and how I overcame the problem. It's a bit more than you need but I always like to share.


----------



## nikoskip (Jul 11, 2017)

I know this is a really old post, but I had a similar problem. I installed VestaCP without the DNS server and even if I set the "DKIM Support" option, the public key wasn't being generated, so I generated it my self with:


```
# /home/admin/conf/mail/your_domain.com
openssl rsa -in dkim.pem -out dkim.public.pem -pubout -outform PEM
```

Next I used the exact content of the public key and set it up on my own DNS server.

Hope this can help someone!


----------



## ayoube ritouni (Dec 25, 2017)

Thanks a lot ' nikoskip ' it worked for me


----------

