Open DKIM Keys Do Not Match Error

Setting up my Postfix email server has been quite the experience. From the start it was an uphill battle trying to figure out error after error. One error that took me a while to figure out related to the Open DKIM service I use to digitally sign and verify emails originating from my server.

Using online email tools to test my spam score I kept running into problems with DKIM. One error I kept getting was “DKIM bad rsa signature.” This was despite having generated public/private DKIM keys and publishing the public key to my DNS records.

I said okay, I’ll log in to the server and test the keys.

I used the opendkim-testkey command to test Open DKIM:

opendkim-testkey -d adamstrickfaden.com -s mail -vvv -k /etc/opendkim/keys/adamstrickfaden.com/mail.private -x /etc/opendkim.conf

This produced the following error:

At least I had tracked down the problem. This command queries my DNS records to pull the published public key and tests it against the private key on disk. For some reason the public and private keys were not playing nice with each other. I figured it must have been a typo in my DNS records but decided to generate a new private/public key pair to start fresh. This is an easy solution when you’ve exhausted all other possibilities.

Generating a new key pair:

#opendkim-genkey -s mail -d example.com -b 1024

In my case I’m generating a 1024-bit key because of a 255-character limit from my domain provider. Be sure to change ownership of both the public and private key to the opendkim user. Permissions should be set to 0600.

After generating the new key pair I took the public key from mail.txt and copied it into the DKIM TXT record in my DNS settings. Here’s what the record looks like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhhNjy8VLhvvKgbJrio4Mk5GAHbPXItDatSDZAOcMjSNxellhKFL3qZau7Ai+lKbgSR1NTRitPqyMqJug/1UA32Qxc0bqdFZjQYCkM7/OscjIQEsIOgElTEhRqiSSP+BLaMMOeWlXIJ/t2XC2GReJD9PQCF1Vxo1yK/oCrmbUp7wIDAQAB; s=email

I reloaded both the Postfix and Open DKIM services and boom, DKIM started working and signatures were good to go.
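The comparison that opendkim-testkey makes against DNS can also be reproduced locally, which is handy when you want to rule out a DNS typo before regenerating keys. The script below is an added example and is not part of the original post or of OpenDKIM: it derives the public half of the private key with openssl (the base64 SubjectPublicKeyInfo is exactly what opendkim-genkey writes into the p= tag of mail.txt), parses the TXT record's tags, and compares the two values. It also handles the case hinted at by the 255-character limit above: a 2048-bit key does not fit in one TXT string, so providers publish it as several quoted strings that receivers concatenate, and the joiner does the same. The function names, the temporary paths and the sample record built in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenDKIM.
# Requires openssl, sed, tr, grep, head, cut.

# Join the quoted strings of a TXT record as dig prints them into one value.
# A 2048-bit key is split over several strings by the provider, e.g.
#   "v=DKIM1; k=rsa; p=MIIBIjAN..." "...IDAQAB"
# Verifiers concatenate the strings, so we do too.
dkim_txt_join() {
    printf '%s' "$1" | sed 's/" *"//g; s/^"//; s/"$//'
}

# Extract the value of one tag (v, k, p, s, ...) from a joined TXT record.
dkim_tag() {
    printf '%s' "$2" | tr -d ' \t' | tr ';' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Print the base64 SubjectPublicKeyInfo derived from a private key file
# (PKCS#1 "RSA PRIVATE KEY" as written by opendkim-genkey, or PKCS#8).
dkim_pub_from_private() {
    openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

# Returns 0 when the private key matches the published p= value,
# 1 when it does not, and 2 when the record is malformed or unreadable.
dkim_keys_match() {
    record=$(dkim_txt_join "$2")
    [ "$(dkim_tag v "$record")" = "DKIM1" ] || return 2
    published=$(dkim_tag p "$record")
    [ -n "$published" ] || return 2
    derived=$(dkim_pub_from_private "$1")
    [ -n "$derived" ] || return 2
    [ "$published" = "$derived" ]
}

# Live usage against DNS (needs network, so not executed here); the record
# for selector "mail" lives at mail._domainkey.<domain>:
#   dkim_keys_match /etc/opendkim/keys/example.com/mail.private \
#       "$(dig +short TXT mail._domainkey.example.com)"
```

A mismatch here with a freshly published record usually means a copy-and-paste error in the p= value or a record that was truncated at 255 characters instead of being split; a return code of 2 points at a record with a missing v=DKIM1 tag or a private key the opendkim user cannot read.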
