§2024-04-26
- How to debug DKIM key is not assigned in outgoing mail. I have opendkim running with postfix, by ChatGPT
If you're encountering an issue where the DKIM key is not being assigned to outgoing mail, there are several steps you can take to debug the problem:
- Check OpenDKIM Configuration: Ensure that OpenDKIM is correctly configured to sign outgoing mail with DKIM. Verify the configuration file (often located at /etc/opendkim.conf or /etc/opendkim/opendkim.conf) to ensure that it specifies the correct domain(s) and key(s) to use for signing.
alexlai@h2Jammy:~$ cat /etc/opendkim.conf
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain h2jammy.yushei.net
Selector mail
KeyFile /etc/opendkim/mail.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost <-- uncomment
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
- Check Postfix Configuration: Make sure that Postfix is configured to pass outgoing mail through OpenDKIM for signing. Check the Postfix configuration files (typically located in /etc/postfix) to ensure that messages are being routed through OpenDKIM via the smtpd_milters and non_smtpd_milters parameters.
- Verify DKIM Key Setup: Check that the DKIM key is correctly set up for the domain in question. Ensure that the public key is published in DNS as a TXT record under the specified DKIM selector.
- Check Logs for Errors: Review the logs for both Postfix and OpenDKIM for any error messages or warnings that might indicate why DKIM signing is failing. Postfix logs are often found in /var/log/mail.log or /var/log/maillog, while OpenDKIM logs are typically located in /var/log/mail.log or /var/log/maillog.
- Test DKIM Signing Manually: Send a test email and examine the headers to see if DKIM signing is being applied. You can use tools like dig to verify that the DKIM TXT record is being correctly retrieved from DNS.
- Check for Common Pitfalls: Ensure that there are no common mistakes, such as typos in configuration files, incorrect file permissions on DKIM keys, or misconfigured DNS records.
- Restart Services: After making any configuration changes, restart both Postfix and OpenDKIM to apply the changes.
- Consult Documentation and Forums: If you're still unable to resolve the issue, consult the documentation for OpenDKIM, Postfix, and DKIM in general. You can also search online forums and communities for help from others who may have encountered similar issues.

By systematically going through these steps, you should be able to identify and resolve the issue preventing DKIM signing from being applied to outgoing mail.
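The Postfix check above can be done mechanically by comparing the Socket line of opendkim.conf with smtpd_milters and non_smtpd_milters. The following is an added example, not part of the original notes or of the ChatGPT answer. Assumptions: the main.cf lines are hypothetical, Postfix is chrooted in /var/spool/postfix as the opendkim.conf comment describes, and the function names are made up for illustration.

```python
import re

QUEUE_DIR = "/var/spool/postfix"  # Debian's Postfix queue directory and chroot

# Constructed sample: the Socket line is the page's; main.cf is hypothetical.
OPENDKIM_CONF = """\
Socket local:/run/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
"""
MAIN_CF = """\
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
"""

def normalize(spec, postfix_side, chrooted=True):
    """Reduce a socket spec to ('unix', absolute path) or ('inet', port)."""
    kind, _, rest = spec.partition(":")
    if kind in ("unix", "local"):
        # Postfix resolves relative paths (and, when chrooted, absolute
        # ones too) against its queue directory; OpenDKIM does not.
        if postfix_side and (chrooted or not rest.startswith("/")):
            rest = QUEUE_DIR + "/" + rest.lstrip("/")
        return ("unix", rest)
    # Postfix writes inet:host:port, OpenDKIM writes inet:port@host.
    port = rest.rpartition(":")[2] if postfix_side else rest.partition("@")[0]
    return ("inet", port)

def check_milter_wiring(opendkim_conf, main_cf, chrooted=True):
    """Return one finding per Postfix milter parameter that misses OpenDKIM."""
    # Active (uncommented) Socket line of opendkim.conf.
    sock = re.search(r"^Socket\s+([^#\s]+)", opendkim_conf, re.M)
    if sock is None:
        return ["opendkim.conf: no active Socket line"]
    listen = normalize(sock.group(1), postfix_side=False)
    # Simple "name = value" lines of main.cf (continuation lines not handled).
    params = dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(.*)$", main_cf, re.M))
    base = params.get("smtpd_milters", "")
    findings = []
    for name in ("smtpd_milters", "non_smtpd_milters"):
        value = params.get(name, "").replace("$smtpd_milters", base)
        targets = [normalize(m, True, chrooted) for m in re.split(r"[,\s]+", value) if m]
        if listen not in targets:
            findings.append(f"{name}: nothing connects to {sock.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in check_milter_wiring(OPENDKIM_CONF, MAIN_CF) or ["wiring OK"]:
        print(finding)
```

With the page's Socket value and a chrooted Postfix, both parameters are reported, because /run/opendkim/opendkim.sock is outside /var/spool/postfix. An unset non_smtpd_milters is reported too, since mail submitted locally would then bypass the signing milter.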