Struggling with DKIM Success

sharkey

Dec 2, 2025
Hello!
I am really liking Proxmox mail gateway so far and feel it is a perfect solution for my customer. However, I cannot get past DKIM validation errors. Any suggestions you have would be very appreciated.

SETUP INFO
I have stood up a new install of Proxmox Mail Gateway 9.0.1.
I have modified the Mail Proxy > Ports so that internal smtp port is 25 and external is 26. This was done because this test setup is to be an onprem relay to the internet.
I have enabled Mail Proxy > DKIM
Enable DKIM signing = Yes
Selector = dmz2
Signing Domain Source = Envelope
Sign all outgoing mail = yes

Mail Proxy > DKIM > View DNS record shows:
dmz2._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmOukeMVAYBtV6Srf1h/SNosc4XP69LXoyF7M3E6BnVQAVYR8ma9KVAFIuASM9bxEn0XaqGOtDrnXOgepXddHWzHzp2dmvEQFZGownCE2gfZEkk3tNvxb1CZmDQ2d/5K4j1wozGCtm050t1Lgms9fN/Q2Vmo7mYktKiSn0fBEPGaYsM0vibUAJVWx2MUD7iKnmMtxOp1jkLFWU"
"WD3yVFqcRHHJZKC2sJngXi+Yjz/xmPu4pf3+zsP2zDJAEEnXpH7WuoOcqdVPL9e5Fs1MA90x4g+5ftpMWThLdjIaT5DoMq4AK4yHK2BS31LHMAmEeS8vQ3eh4ggTRuwk+RdMDwQQIDAQAB" ) ; ----- DKIM key dmz2

Externally in the public DNS, the following record exists as a TXT record
dmz2._domainkey.<mydomain>
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmOukeMVAYBtV6Srf1h/SNosc4XP69LXoyF7M3E6BnVQAVYR8ma9KVAFIuASM9bxEn0XaqGOtDrnXOgepXddHWzHzp2dmvEQFZGownCE2gfZEkk3tNvxb1CZmDQ2d/5K4j1wozGCtm050t1Lgms9fN/Q2Vmo7mYktKiSn0fBEPGaYsM0vibUAJVWx2MUD7iKnmMtxOp1jkLFWUWD3yVFqcRHHJZKC2sJngXi+Yjz/xmPu4pf3+zsP2zDJAEEnXpH7WuoOcqdVPL9e5Fs1MA90x4g+5ftpMWThLdjIaT5DoMq4AK4yHK2BS31LHMAmEeS8vQ3eh4ggTRuwk+RdMDwQQIDAQAB

TEST INFO
- Validate DKIM DNS record using mxtoolbox.com shows success
- Generate test email by telnetting to proxmox on port 25 and run ehlo, mail from, rcpt to, data
- Generating test email for validation using https://redsift.com/tools/investigate shows SPF success and DKIM failure:
"error": "bad signature",
"explanation": "crypto/rsa: verification error",
"source": 0,
"tag": "b"
- Sending test email to gmail and m365 shows dkim failure
- Fortigate firewall in front of the proxmox but no inspection or AV is occurring. Packet capture on each side of the firewall shows no modification.


Do you have any suggested next steps for me to try?
 
Just for clarification:
Your DNS Record should mostly only contain:

dmz2._domainkey

It must not contain:
dmz2._domainkey.<mydomain>

The domain is auto-filled in the context of the domain you are editing.

Can you send an email to yourself and copy the DKIM-Signature header from the received e-mail (Thunderbird: Ctrl+U for source code) and post it here? (You can sanitize personal information.)
 
Hi ivenae,

I appreciate you showing interest in this issue.

Regarding the DNS record, I posted as dmz2._domainkey.<mydomain> because that is the nslookup query required to get results once it is published to external DNS. I think we are on the same page with that.

Here is the requested DKIM-Signature from a test email. Please let me know if you want more of the header. The only sanitizing performed on the header before posting is replacing the actual email domain with <mydomain>.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
<mydomain>; h=cc:from:reply-to:subject:subject:to; s=
dmz2; bh=gmERnZSsrf87ARgEAdC62+XEC9FgnMPOm7VI6D/kDco=; b=ElXfKIZ
qF44n9HsHRFA12ARReZLW423xrlBONbASyru6/uz6NwucQoxmwxb7m7gUM1BDx5D
iq1fdLZrh3Srvjee5375SScuqTa0rvBcVScvd9Cp+dQrRCAVaPLWyizpIEAgn0my
HSQiKqlBONBt6NP7WOkGphzDJudim/kIyOR8BJu6WHtL+2N3LpCXN9QGXn3zxjsg
vf6GR+oe4XeAZx+WZ2yQO3ztR2EsA2NKh6rpxeO35b99NhbfDjyHCZ+yvxqatvgO
SjX7m8R6LUzs3+HIPVAQOF8mwM/88DoHfuxhqWlxwbqH9kNhF6o6Mc7TpM9E7/To
jy+u+KqDzq/soeQ==
 
The only thing I recognized: in your original post you had whitespace in your TXT record. Can you remove it? Although I'm pretty sure it would not cause any trouble, every source I delved into had no whitespace in the TXT record.
This is my record (without spaces, and I have no hash value; works anyway)


v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2HoMjbXUN5jxdrWXjvGNjypq9XlCgvL6lpACflNqwFBI+h/Ek16uRszmWDiEAZFqJqPa+MKMpsPP/kZj7dc2e1gNdDZj0oQ42gSBZ3ZK1SeRn7CGIYYjWjGTZ3Mj78VcuYpB0uxscR0HAQjMCggeHZX57ZLXIxT7D8Lc4m36X0oZdIbsvOvirMJUw9PXBCQYYCV2S5505Jf7Ml8RYqPEO+yifl6QupSlhtvUaC8EMjRvpaco9yQHYOYOhriOfb2XQJOENvu2B+hW2rxjR6/0Uz1KU/3+692BDzts53oWmhTMHi6ekhwakOge5OHp0oD0ymiz6NdLrS447Y4P/Il/SwIDAQAB


Please also check whether your DNS is correctly configured with:

Code:
dig TXT dmz2._domainkey.<mydomain>



; <<>> DiG 9.20.11-1ubuntu2.1-Ubuntu <<>> TXT modoboa._domainkey.<mydomain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;modoboa._domainkey.<mydomain>. IN TXT

;; ANSWER SECTION:
modoboa._domainkey.<mydomain>. 14400 IN TXT "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvvstzirsdIWyKco5yPQGfeL1aP3lVi2wqdfUeynf5Tjd/sn0YYRoBMAKWBS6OBINN00uWqxlE/GmBXrbrjfB4XQ+7imcA52saUvnWIN4KEUE7smmXYRfh4Tmnc4yhGmCmZYgRTtH1w9CKcik4VXGyKDoTkdRf6AJ0a05ylxOKW/b51uAsrIF/ZMT0QbvCd6WxSb" "8IirU9L+hb1g9+Cf34jme7LrKXDcRBgvyVh8pwQ7NlW4O6sZZA3lOAxfk1vOZaP3nnM1ytXZFpEaA6GyrxOMeukw/63/+WJCMj4rmCuoerrTAldvNG0Q04Gymo9LrRtHDRuFIUxJp8rzcUJF1MwIDAQAB"
 
The white spaces are there from the DNS server, but that is supported. For example, the production mail server has successful DKIM published on the same external DNS server. Two dig outputs below, one for dmz2 (proxmox) and one for proofpoint (production mail), for comparison's sake.
Please note that as part of testing, dmz2 response is now technically different from above as I have tried replacing/renewing the key and updating DNS accordingly. Still broken.

root@dmz:~# dig TXT dmz2._domainkey.<mydomain>

; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> TXT dmz2._domainkey.<mydomain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41047
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dmz2._domainkey.<mydomain>. IN TXT

;; ANSWER SECTION:
dmz2._domainkey.<mydomain>. 180 IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6KaqO/IUsI95opyLk/NOolP1mLSEWUikLujYsvsF43" "XyBt55wAKCWdIc5fzAIO5jxNW9Q8H7hWDXyicaDhncKZNfnzSnTKfEZpzaJItp+EAP4WTHrYHQNrrx6ezmNGpHOGFPzVdOa53IzcueXgbX05m/SfUc" "FIr6/4yTDoWBvL5/axkGLvT2KzLUB1de1vBET09iw3Y0t5dtZr8C1YvJbl/Cu4ryAf+uNjuF/RTebUhQzTjj72Ric7t6raj6z5fXuveG0yqgH/MEuH" "V4nA3+1kuTUPO6eU0b5rWJ7A6CCLfByeCTjbn6IPLXYxvTr06P7Dxmnf9GYpSJG7cPbnDqoQIDAQAB"

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Dec 09 13:04:16 PST 2025
;; MSG SIZE rcvd: 499

root@dmz:~# dig TXT proofpoint-102522._domainkey.<mydomain>

; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> TXT proofpoint-10252._domainkey.<mydomain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4752
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;proofpoint-10252._domainkey.<mydomain>. IN TXT

;; ANSWER SECTION:
proofpoint-10252._domainkey.<mydomain>. 180 IN TXT "v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvQQ9hUVa0B1vFZ8hYXm7LCfUmAtkcMEmIoZaJzJ4Ki4" "Xyo5NexinNOWy3mooEQAVIvDNKS6vSF+O/dbP9vOAa8gL4Avn4fFZvI1QEOiCcQpCYwT7TSOpnbZkonly8mOl020nid5Np" "JNgYswvhGKkxzpKBl+Ku2h2M8GI7ebUBzTbPkBUyxVZpnIvgP/q6KKKITz5F8A+bjiLOJ/AB4TRLcX5xvHhjBb/xtchXsHdn" "ZSdkIHJvXbBlmBKU3S+delVVlM3XOiYu6mcM6qwwfRvMau+hCg90a2e19wbVDcqIhNqmBWSTZuOX2Iv5vqSRZ/eTJuDBYhto2+xIUEdj5bsQIDAQAB"
 
Something I just noticed when comparing this proxmox test with production is that the DKIM header from Proxmox has some white spaces in it. s= and d= have a space before the value. Any chance those white spaces are causing an issue?

PROXMOX
v=1; a=rsa-sha256; c=relaxed/relaxed; d= <mydomain>; h=cc:from:reply-to:subject:subject:to; s= dmz2;

PRODUCTION
v=1; a=rsa-sha256; c=relaxed/relaxed; d=<mydomain>; s=selector1
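
Added example, not part of any post in this thread and not PMG code: RFC 6376 allows folding whitespace around tag values in a DKIM-Signature header, and a TXT answer split into several quoted strings is concatenated without separators, so a conforming parser reads the folded and unfolded forms identically. The sketch below parses both and runs the signature-versus-key checks that need no cryptography; the domain `example.test` and all base64 values are constructed placeholders.

```python
import re

def join_txt_strings(rdata):
    """Concatenate the quoted character-strings of one TXT record with no separator."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list; whitespace around names and values is ignored."""
    tags = {}
    for spec in value.split(";"):
        if not spec.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = spec.partition("=")
        name, val = name.strip(), val.strip()
        if not sep or not name:
            raise ValueError("malformed tag-spec: %r" % spec)
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        if name in ("b", "bh", "p"):
            val = re.sub(r"\s+", "", val)  # base64 values may be folded anywhere
        tags[name] = val
    return tags

def precheck(sig_value, txt_rdata):
    """List mismatches between signature and key record that need no cryptography."""
    sig = parse_tag_list(sig_value)
    key = parse_tag_list(join_txt_strings(txt_rdata))
    key_type, _, hash_name = sig.get("a", "").partition("-")
    problems = []
    if key.get("k", "rsa") != key_type:
        problems.append("key type mismatch")
    if "h" in key and hash_name not in [h.strip() for h in key["h"].split(":")]:
        problems.append("hash not permitted by key record")
    if not key.get("p"):
        problems.append("empty p= (key revoked)")
    if "from" not in [h.strip().lower() for h in sig.get("h", "").split(":")]:
        problems.append("From header not signed")
    return problems

# Constructed samples: placeholder domain and base64, layout modelled on the thread.
FOLDED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=\r\n example.test; "
          "h=cc:from:reply-to:subject:subject:to; s=\r\n dmz2; bh=AAAA; b=QUJD\r\n REVG")
FLAT = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; "
        "h=cc:from:reply-to:subject:subject:to; s=dmz2; bh=AAAA; b=QUJDREVG")
TXT = '"v=DKIM1; h=sha256; k=rsa; p=TUlJ" "QklqQU5C"'

if __name__ == "__main__":
    print(parse_tag_list(FOLDED) == parse_tag_list(FLAT), precheck(FOLDED, TXT))
```

An empty result from `precheck` only rules out record and tag mismatches; a "bad signature" on `b=` can still come from the signed content differing from what the verifier canonicalizes.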
 

German Forum says: A bug in PMG 9.0
There is no fix so far.
If you have a subscription: Open a ticket
If you have no subscription: I don't know. Maybe go back to PMG 8
 
Thank you very much for saving my sanity by pointing out this is a bug.
Maybe I am cynical but I am against paying for a subscription just to see if the paid version does not have the bug. I am definitely for paying for a subscription for a product I know will work and will be well supported for business use. My customer does plan on purchasing once successful proof of concept.

To the devs/community: is there an ETA for when this will be resolved?
 
I don't know.
I just installed PMG a few weeks ago and now had the time to do the setup.
I saw your message, and DKIM was just the topic I also got stuck on a little bit.
I do not use the PMG for DKIM; I use Modoboa as my mailserver. Same external IP, other virtual LXC on the same vServer.

I have no subscription either because I'm also testing and this whole thing is primarily just for my own setup.
I think nobody wants you to pay for this open source software, but paying customers come first.
Either way, I think it will be fixed soon, as it seems to be an important topic.
 