Articles in this section

See more

DKIM does not work: DKIM verify result: DKIM verification failed: signature verification failed

Avatar
Maxim Krasikov
Updated
Follow

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Note: This article has the reference to the issue with the fix available:

Please consider updating your server:

Symptoms

  • The following mail settings are turned on: Allow signing outgoing mail and Verify incoming mail in Tools & Settings > Mail Server Settings on sending and receiving mail servers.
  • Use DKIM spam protection system to sign outgoing email messages is enabled in Home > Domains > example.com > Mail Settings.
  • /var/log/maillog on receiving server contains the following error:

    CONFIG_TEXT: DKIM verify result: DKIM verification failed: signature verification failed

Cause

Product bug PPPM-5149 is created. DKIM has two canonicalization modes - simple and relaxed. c=simple/simple mode is used by default. But some servers and mail clients can make changes in e-mail headers and body such as a number or white spaces, letters case in header, spaces in the end of body string. And DKIM signature gets invalid. 

More information can be found here.

Resolution

The bug was fixed in Plesk Onyx Update 6.
Install the latest Plesk updates.

Also, for Plesk Onyx 17.0 on Debian 8.6 the following workaround can be applied:

  1. Connect to the server via SSH

  2. Download the hotfix for Plesk Onyx 17.0.17:

    # cd /root
    # wget https://support.plesk.com/hc/en-us/article_attachments/115004356765/dk_sign

  3. Backup the file /opt/psa/handlers/hooks/dk_sign:

    # cp /opt/psa/handlers/hooks/dk_sign /opt/psa/handlers/hooks/dk_sign.orig

  4. Replace the original file with the downloaded one:

    # mv -f /root/dk_sign /opt/psa/handlers/hooks/

Additional information

Plesk DKIM check fails for incoming message sent from subdomain: DKIM verify result: signature verification failed

Comments

10 comments

Sort by Date Votes
  • Avatar
    Fahd

    I follow your steps, but after install the new DK sign and enabling Use DKIM spam protection system to sign outgoing email messages in mail server setting the http://dkimvalidator.com saying that my email does not contain a DKIM Signature. Why it happened like that. does the DK sign file has a problem?

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Fahd!

    Please, let me know, what Plesk version do you use and OS version?

    0
    Permalink
  • Avatar
    Jan van Leeuwen

    Hi,

    I have Plesk 17.8.11 on Ubuntu 14.04.

    Will this help to cure "DKIM-signature verification failed"?

    Regards,

    Jan

     

    0
    Permalink
  • Avatar
    Anton Maslov

    Hello Jan,

    That particular problem does not exist in 17.8, it was fixed in 17.0, however, the error itself is general and the reason might be in something else.

    I recommend to review /var/log/maillog for more details and try to search with additional symptoms.

    0
    Permalink
  • Avatar
    Jan van Leeuwen

    Hi

    the errors shown are

    db_check[12345]: DKIM verify result: DKIM Feed: No signature

    plesk sendmail[12345]: Canonname is not correct fqdn

    plesk sendmail[12345]: It is impossible to detect the FQDN of the host. Please make sure that the hostname is correctly specified in /etc/hosts and goes right after the host's IP address. Depending on your OS, you might need to set the host in /etc/HOSTNAME or /etc/hostname.

     

    there seems to be a problem with  etc/hosts and etc/hostname

    ----

    etc/hosts

    127.0.0.1 localhost.localdomain localhost
    127.0.0.1 rs123456
    # The following lines are desirable fpr IPv6 capable hosts
    ::1 localhost.localdomain localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::1 ip6-allrouters
    37.999.999.123 server.mydomainname.domains server

    ---

    hostname

    rs123456

    ---

    I guess "rs12345" must be changed in "server.mydomainname.domains"

    Since it is a vserver I will have to ask the Provider if that does not cause problems with them.

    Also it seems that magicspam cannot handle IPv6, is that a known problem?

     

    Regards,

    Jan

    0
    Permalink
  • Avatar
    Maxim Krasikov

    Hello @Jan van Leeuwen,

    If the solution with changing hostname is not helpful, please contact Plesk support for assistance:
    https://support.plesk.com/hc/en-us/requests/new

    We don't have information about MagicSpam restrictions. I suggest contacting MagicSpam community or support available using the link below for assistance:
    https://www.magicspam.com/support.php

    0
    Permalink
  • Avatar
    Balvinder Singh

    I have Plesk 17.8.11 on Ubuntu 18.04.1 and facing the same problem. Not resolved by your steps you told me. https://www.topxlisting.com is the link you can see. 

    0
    Permalink
  • Avatar
    Nikita Nikushkin

    Hello @Balvinder Singh,

    We will be glad to take a look at the issue and figure it out!

    Please submit a request to the Support Department:

    How to submit a request to Plesk support?

    0
    Permalink
  • Avatar
    Mr bean

    Hello everyone! 

    I'm having a problem with my Astaro 8.306. The box does not sign outbound mail with a DKIM signature although I have set up everything according to this wonderful guide: DomainKeys DKIM setup guide for Astaro Security Gateway 

    The ASG seems to ignore the fact that I want to have all outgoing mails for my domain signed. I attached files containing an email header, the public/private key setup and the log for a single test  Windows Movie maker mail. 

    Does anybody see what I might be doing wrong? 

    0
    Permalink
  • Avatar
    Alexey Lapshin

    Hello, @Mr bean

    I have to inform you that in this article described an issue with DKIM verification in Plesk.
    For the DKIM-related issues in Astaro Security Gateway, it is better to contact their support.

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles