DKIM - Body hash does not verify - on email sent from Discourse

I have created a DKIM record at one of my hosting sites (pair.com) using their automated system. I created a TXT record with the DKIM host and key on my DigitalOcean DNS server.

If I send an email via Thunderbird, DKIM passes. When Discourse sends out an email, using the exact same server/account information, I get:

dkim=neutral (body hash did not verify) header.i=@knysnayachtowners.org header.s=pair-202409020848 header.b=UW+zWBx8;

What am I doing wrong?

DKIM signing happens on the sending mail server, i.e. after Discourse has given it to the SMTP server it’s configured to use.

If you’re seeing a hash mismatch, that suggests either the email has been modified after being signed or the key pair doesn’t match.

If you’re definitely using identical details in Thunderbird and Discourse (have you restarted the container to make sure it’s using the details you have in app.yml?), I would be surprised if it’s getting signed with a different key or using a different selector, so I would expect to see the same result if the key pair didn’t match.

Could it be that the from address differs and your mail provider is signing differently based on that?

Essentially, something is happening after it’s left Discourse. If you can’t find an obvious cause like the from address, you might need to contact your mail provider to find out what’s happening.

1 Like

As suggested, you need to change notification email to an address in the domain you configured to send mail for.

1 Like

I ran a series of additional tests and found that the problem was that the TO address that I was testing with forwarded the mail to Gmail. If I sent the mail directly to Gmail, the hash passed.

However, this still confuses me as I look at the headers of other mail sent to this address, and the DKIM hash passes. Why would this be different?

Gmail doesn’t see that DKIM. Google is very strict about that. The main reason for that is that the sending server isn’t what an admin thinks it is.