How to configure DKIM on Proxmox Mail Gateway?

InGenetic

Hi all,

I have some questions about how to implement DKIM on Proxmox Mail Gateway:
1. How do I create a DKIM record for my PMG?
I tried to create DKIM on my PMG and set up DKIM on the mail proxy like below:

DKIM.PNG
And below is the result from Gmail:

Delivered-To: inge@gmail.com
Received: by 2002:a05:6020:5097:b0:1ff:a4f1:1568 with SMTP id h23csp1425199wdf;
Mon, 29 Aug 2022 05:56:39 -0700 (PDT)
X-Google-Smtp-Source: AA6agR7UmyEwKTMCCM0cIfwNTFH7xQjYqn0yXQIUS3vWxtCYMbyyyXmo7dLczKQvZ9qIHp/pA+0P
X-Received: by 2002:a05:6a00:e16:b0:537:40a7:b095 with SMTP id bq22-20020a056a000e1600b0053740a7b095mr16575148pfb.64.1661777799525;
Mon, 29 Aug 2022 05:56:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1661777799; cv=none;
d=google.com; s=arc-20160816;
b=DyFXlv5PCLYHkrmKSNj6PEgR5uVlbDXF0keSoRgWfcB0ClvWSXynxp1lb/KyyWHSOr
ZNyrVYg7i6isKmqseNgt46Ig6fOXvLMUY/46M/BJnoSZ4oID9sdXl5WMxb/VHiL+mPDn
ElbpVWfZHs9jKMLFx/tsjB7N4/S/4u0FzuWgjs5Qihe7XmruSlSltGlQVhGaMNe9ijoO
K64uwM1M5G4JICDLtkOqa3D62HPUOrwNC7B9xdYTit/ExNFjfc+wdsmGAEXCT4p0z+xY
kEJoe68Fm1XEqqDEp+Pop1wdZcKKghxKptWDGLrn01Ap6OGzY+mPpQGo+4B2kk6dGiSL
It9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=thread-topic:thread-index:content-transfer-encoding:mime-version
:subject:message-id:cc:to:from:date:dkim-signature:dkim-filter
:dkim-signature;
bh=XNAIlrSYrYmeLzE7BzJl+Yg62FhTf3vRln8xRduRLQs=;
b=SBnqa+Sa8O90+lVH14XWDJ2ESMcfvrzOSyHEmL143evUOMUx3g1R/GWAOnEK3I8/Y+
BPc6gCI4iGe5zEqXRpa6vxX96vo2ucsW9uCSksLUPIIHJ28dIFDSDMjOX/ti8nn4gSlR
7OJCvYR9nRAhrUQOrh90KJiakyBVAJ5cw3y6Fd38mkdilsazpdyz0jyq+DqctmtfqXft
Lqs1uBbqxUjnP5DXnEFVSgFgt/6AZOEv9AilIuhh+i7TZobc7l0vAud38mpPPmOMShRG
fO0raq1cgr7yinOSJQ8I32XXQWHZ6/R8R046g68y2xXazr6adU0gaHPFgOSb8SOZ4Ny/
Zt6w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=temperror (no key for signature) header.i=@cetakan.com header.s=antispam header.b=sfKQ1u3P;
dkim=neutral (body hash did not verify) header.i=@cetakan.com header.s=9D353812-21B4-11ED-AAD8-41CBB598DD31 header.b=weEE99G7;
spf=pass (google.com: domain of admin@cetakan.com designates PMG IP PUBLIC as permitted sender) smtp.mailfrom=admin@cetakan.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cetakan.com
Return-Path: <admin@cetakan.com>
Received: from antispam.pmg2022 (antispam.pmg2022. [PMG IP PUBLIC])
by mx.google.com with ESMTPS id v191-20020a6389c8000000b00420bdb2f5a9si8668323pgd.263.2022.08.29.05.56.37
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 29 Aug 2022 05:56:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of admin@cetakan.com designates PMG IP PUBLIC as permitted sender) client-ip=PMG IP PUBLIC;
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@cetakan.com header.s=antispam header.b=sfKQ1u3P;
dkim=neutral (body hash did not verify) header.i=@cetakan.com header.s=9D353812-21B4-11ED-AAD8-41CBB598DD31 header.b=weEE99G7;

spf=pass (google.com: domain of admin@cetakan.com designates PMG IP PUBLIC as permitted sender) smtp.mailfrom=admin@cetakan.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cetakan.com
Received: from antispam.pmg2022 (localhost.localdomain [127.0.0.1]) by antispam.pmg2022 (Proxmox) with ESMTP id 63B2F1CA8F; Mon, 29 Aug 2022 19:56:36 +0700 (WIB)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= cetakan.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:from:from:message-id :mime-version:reply-to:subject:subject:to:to; s=antispam; bh=XNA IlrSYrYmeLzE7BzJl+Yg62FhTf3vRln8xRduRLQs=; b=sfKQ1u3PhMr47kNth30 sKA2vQflUD7B8/NedCAr0kF/wWQEIGere7YBS/j+U/MMgzOV1DjOLJjcstx2SuOn

Why do I get dkim=temperror (no key for signature) and dkim=neutral (body hash did not verify)?

2. Is it possible to use the DKIM record of my Proxmox Mail Gateway for some domains which relay SMTP through my PMG, if they don't have a DKIM record for their mail server?

Please advise.
 
DKIM works by publishing the public key under a subdomain as TXT record.
Select one of the fields below the "View DNS Record" button, this should enable it. Then create a new DNS record for your domain. The name should be antispam._domainkey and it needs to be a TXT record. The content is everything inside the braces.

This is so that the receiving side can fetch the public key to verify the signature that is sent in the header of the email.

In order to actually sign outgoing emails with this key, you need to add the domain in the bottom part of the screenshot, where it says "Sign Domains". For each domain that should be signed, you also need to create the TXT record.
 
did you publish the public key in DNS?
 
did you publish the public key in DNS?
Yes, I already published the DKIM key like below:

domainkey.PNG

Today my mail server received a notification from "noreply-dmarc-support@google.com", like below:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>9395209034374909202</report_id>
    <date_range>
      <begin>1661731200</begin>
      <end>1661817599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>cetakan.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>PUBLIC IP PMG</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>cetakan.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>cetakan.com</domain>
        <result>fail</result>
        <selector>antispam</selector>
      </dkim>
      <dkim>
        <domain>cetakan.com</domain>
        <result>fail</result>
        <selector>9D353812-21B4-11ED-AAD8-41CBB598DD31</selector>
      </dkim>
      <spf>
        <domain>cetakan.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>


Please advise.

Regards,
 
the newline in the middle looks off - also for now I would recommend to lower the ttl of the record
Hi Mr. Stoiko Ivanov,

Please let me know which one in the middle looks off and how it should be? Also, lower the TTL to what number?

Please advise.
 
Please let me know which on in the middle looks of
the screenshot you posted of your dkim txt record has an empty line in the middle - this looks wrong to me
If this is indeed wrong I cannot tell you - you need to ask your dns provider how they handle this

Also ttl lower in what number ?
I would maybe start with a very low number like 600 until the wrong record is fixed - once it is working you can (and should) increase it again to 14400
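An offline check for the two points raised in the replies above (the TXT record name derived from the selector, and the empty line in the middle of the published key), as an added example that is not part of the original thread. The `d=` and `s=` values follow the thread; the key bytes, the other signature tags and all function names are constructed for illustration.

```python
import base64
import re


def parse_tags(text):
    """Split a DKIM tag=value list ('a=1; b=2') into a dict of raw values."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def dkim_query_name(signature_value):
    """DNS name a receiver queries for the key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_value)
    selector = re.sub(r"\s+", "", tags["s"])
    domain = re.sub(r"\s+", "", tags["d"])
    return f"{selector}._domainkey.{domain}"


def check_key_record(txt_strings):
    """Return a list of problems found in a DKIM key record's TXT strings."""
    tags = parse_tags("".join(txt_strings))  # DNS TXT strings are joined as-is
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("no p= tag, so no public key is published")
    elif key == "":
        problems.append("empty p= (key revoked)")
    else:
        if re.search(r"\s", key):
            problems.append("whitespace inside p=: check how the DNS provider stores it")
        try:
            base64.b64decode(re.sub(r"\s+", "", key), validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or altered key)")
    return problems


# Constructed sample data: d= and s= follow the thread, the rest is made up.
SIGNATURE = "v=1; a=rsa-sha256; d= cetakan.com; s=antispam; bh=CONSTRUCTED; b=CONSTRUCTED"
FAKE_KEY = base64.b64encode(bytes(range(66))).decode()  # not a real key
GOOD = ["v=DKIM1; k=rsa; p=" + FAKE_KEY[:40], FAKE_KEY[40:]]
BLANK_LINE = ["v=DKIM1; k=rsa; p=" + FAKE_KEY[:40] + "\n\n", FAKE_KEY[40:]]

if __name__ == "__main__":
    print(dkim_query_name(SIGNATURE))
    for name, record in (("good", GOOD), ("blank line", BLANK_LINE)):
        print(name, check_key_record(record))
```

Feed `check_key_record` the strings exactly as a TXT lookup of the name from `dkim_query_name` returns them, not the value typed into the DNS panel.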
 
In order to actually sign outgoing emails with this key, you need to add the domain in the bottom part of the screenshot, where it says "Sign Domains". For each domain that should be signed, you also need to create the TXT record.
Hi Mr. Stoiko Ivanov, what does creating a TXT record for each domain in "Sign Domains" mean?
For example: my Zimbra mail server is under the domain "cetakan.com", which already has a DKIM key in its DNS domain using OpenDKIM on the Zimbra mail server.

So which TXT record do I have to create?
Does my antispam.domainkey. have to be added to the mail server's DNS domain too? Or does the DKIM key of my Zimbra mail server have to be added to PMG (copy and paste)? Or do I create a new one?
I am still confused about this.
Please let me know about this.

Regards,
 
But where does Proxmox keep the private key file for DKIM?
There should be a PrivateKey as far as I know

I use DKIM signing as well.... I signed all my 14 domains and MxToolbox shows no errors...

But I still can't find the location of the DKIM PrivateKey
 