Articles in this section

See more

DKIM does not work: DKIM verify result: DKIM verification failed: signature verification failed

Avatar
Bato Tsydenov
Updated
Follow

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Note: This article has the reference to the issue with the fix available:

  • #PPPM-5149 "Signature verification failed for DKIM-signed mail sent from one Plesk server to another due to excessively strict DKIM canonicalization."
    Fixed in:
Please consider updating your server:

Symptoms

  • The following mail settings are turned on: Allow signing outgoing mail and Verify incoming mail in Tools & Settings > Mail Server Settings on sending and receiving mail servers.
  • Use DKIM spam protection system to sign outgoing email messages is enabled in Home > Domains > example.com > Mail Settings.
  • /var/log/maillog on receiving server contains the following error:

    CONFIG_TEXT: DKIM verify result: DKIM verification failed: signature verification failed

Cause

Product bug PPPM-5149 is created. DKIM has two canonicalization modes - simple and relaxed. c=simple/simple mode is used by default. But some servers and mail clients can make changes in e-mail headers and body such as a number or white spaces, letters case in header, spaces in the end of body string. And DKIM signature gets invalid. 

More information can be found here.

Resolution

The bug was fixed in Plesk Onyx Update 6.
Install the latest Plesk updates.

Also, for Plesk Onyx 17.0 on Debian 8.6 the following workaround can be applied:

  1. Connect to the server via SSH

  2. Download the hotfix for Plesk Onyx 17.0.17:

    # cd /root
    # wget https://support.plesk.com/hc/en-us/article_attachments/115004356765/dk_sign

  3. Backup the file /opt/psa/handlers/hooks/dk_sign:

    # cp /opt/psa/handlers/hooks/dk_sign /opt/psa/handlers/hooks/dk_sign.orig

  4. Replace the original file with the downloaded one:

    # mv -f /root/dk_sign /opt/psa/handlers/hooks/

Comments

2 comments

Sort by Date Votes
  • Avatar
    Fahd

    I follow your steps, but after install the new DK sign and enabling Use DKIM spam protection system to sign outgoing email messages in mail server setting the http://dkimvalidator.com saying that my email does not contain a DKIM Signature. Why it happened like that. does the DK sign file has a problem?

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Fahd!

    Please, let me know, what Plesk version do you use and OS version?

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles