DKIM key was provided incorrect


(Hwan) #1

Hi there,

I’m a business user. http://forum.brightstorm.com

I set up our domain and SPF, DKIM. But it is only sending an email to user@brightstorm.com
I tried my personal Gmail account, but I cannot receive it. It is also not in the spam box.

I think the Discourse hosted server has a problem. Moreover, I couldn’t change the mail server. I’d just like to change the sending server to Mandrill instead of the Discourse hosted mail server. discourse/INSTALL-email.md at master · discourse/discourse · GitHub

How can I solve this problem?

Thanks,
Hwan


(Jeff Atwood) #2

Well let’s see:

https://meta.discourse.org/t/configure-your-domain-for-discourse-hosted-email/14177/2?u=codinghorror&source_topic_id=23931

SPF checks out:

SPF record lookup and validation for: brightstorm.com

SPF records are published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:datadrivenemail.com include:_hostedspf.discourse.org ~all 

DKIM checks out too:

DKIM Record for discourse._domainkey.brightstorm.com

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J
/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrK
sn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKy
nO8/lQIDAQAB;

This is a valid DKIM key record

I sent a test email from Admin, Email and indeed, DKIM is unhappy:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of noreply@brightstorm.com designates 2001:470:1:3c2::b as permitted sender) smtp.mail=noreply@brightstorm.com;
       dkim=fail header.i=@brightstorm.com
Received: from localhost.localdomain (tiefighter6.discourse.internal [10.0.0.6])
	by tieinterceptor2.discourse.org (Postfix) with ESMTP id 6010DA0005
	for <name@gmail.com>; Tue, 13 Jan 2015 22:09:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=brightstorm.com;
	s=discourse; t=1421186970;
	bh=CLr4dgO5S758AGcNmwc1tBrh7ev2oVN83E2qqpBvFws=;
	h=Date:From:Reply-To:To:Subject:From;
	b=ZN9FZT8QwEy+H5k+t/wwC9Uoy1GLdXqS6SeOszdv/32HVSeHk0yn/RN4koGsoN1t3
	 +QJsjkJp/l371sEi/8rdzfpP0sQ1qbHA1iTmmHHFL9FwxBeckltu4/p1gHo+Mknqq7
	 NRUPDMqOKgP1EQShvmrOA/d3rfJtU5yIST+2rhtA=

It looks like something is modifying the email between you and us?

Are there any intermediate email services or steps between the mail being sent and it arriving in your mail inbox?

We’ll check on our end as well, but we have other customers getting DKIM and SPF pass using the same paths and certs.


(Hwan) #3

I’m just using the Discourse hosted service. I don’t think there is any intermediate service between you and us.

Please check the hosted server configuration.

Thanks!


(Jeff Atwood) #4

Agreed – looks like our catch-all DKIM signing is somehow not working, but works for earlier domains. @supermathie can you give this a look tonight?


(Michael Brown) #5

Ah - this is the problem. The DKIM record is syntactically correct but is set up using the wrong key.

The records should look like:

discourse._domainkey.brightstorm.com IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcIwoYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apymj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywVEgzjpQIDAQAB"
mandrill._domainkey.brightstorm.com IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB"

The reason the signature check is failing is that our signature is trying to be verified against the mandrill public key - that ain’t gonna fly.

For future reference, the result we get from a DKIM check for a hosted domain should be:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcI
woYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apy
mj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywV
EgzjpQIDAQAB

Version
    v=	DKIM1
Key type
    k=	rsa
Public key
    p=  MIGfMA0GCSqG...jR13w9ywVEgzjpQIDAQAB

If you have trouble, please feel free to let us know immediately rather than changing configuration as we can help with the diagnosis. For example, I’m about to PM you the email logs from the first few messages you apparently tried sending and they show they were indeed delivered to gmail. If you’re having deliverability problems beyond that we can help ensure SPF and DKIM are correctly set up.
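
The diagnosis in post #5 (a record that parses fine but carries another selector's key) can be checked mechanically. The following is an added example, not part of the thread or of Discourse's tooling; `parse_tags` and `diagnose` are hypothetical names, and the records are the ones quoted in the posts above.

```python
import re

# Data copied from the thread. PUBLISHED is the lookup result for
# discourse._domainkey.brightstorm.com, line-wrapped as the checker printed it.
PUBLISHED = """v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J
/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrK
sn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKy
nO8/lQIDAQAB;"""
# Zone-file records posted by support, keyed by selector (note the escaped "\;").
EXPECTED = {
    "discourse": r"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcIwoYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apymj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywVEgzjpQIDAQAB",
    "mandrill": r"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB",
}
# Tags from the failing message's DKIM-Signature header (h=, bh=, b= omitted).
SIGNATURE = "v=1; a=rsa-sha256; c=relaxed/simple; d=brightstorm.com;\n\ts=discourse; t=1421186970"


def parse_tags(text):
    """Parse a DKIM tag=value list, tolerating zone-file escapes and folding."""
    tags = {}
    for part in text.replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def diagnose(signature, published, expected):
    """Return (dns_name, verdict) for the key record the signature points at."""
    sig = parse_tags(signature)
    selector = sig["s"]
    dns_name = f"{selector}._domainkey.{sig['d']}"
    record = parse_tags(published)
    # v= is optional in a key record; an empty p= means the key is revoked.
    if record.get("v", "DKIM1") != "DKIM1" or not record.get("p"):
        return dns_name, "no usable key"
    keys = {sel: parse_tags(rec)["p"] for sel, rec in expected.items()}
    if record["p"] == keys[selector]:
        return dns_name, "ok"
    # Well-formed but wrong: report whose key it is, if it is a known one.
    for sel, key in keys.items():
        if key == record["p"]:
            return dns_name, f"wrong key: matches selector '{sel}'"
    return dns_name, "wrong key: unknown"


if __name__ == "__main__":
    print(diagnose(SIGNATURE, PUBLISHED, EXPECTED))
```

Comparing on the normalized `p=` value rather than the raw TXT string avoids false mismatches from line wrapping and `\;` escaping.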


(Jeff Atwood) #6

Aha so the wrong key is being used, make sure your DKIM is correct:

v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcIwoYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apymj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywVEgzjpQIDAQAB

(edit, was wrong key, this is correct ^^^)


(Hwan) #7

I’ve updated the new DKIM key. Thanks for checking this problem @codinghorror @supermathie

DKIM is passed through, but it couldn’t reach the Gmail account.

This screenshot is from the brightstorm.com email account. SPF and DKIM are passed.

Please check it one more time.


(Michael Brown) #8

Since brightstorm.com is hosted at gmail, it is a gmail account.

If you’re having trouble sending to a specific email address, let us know which one and we’ll check our logs. Be sure you have the correct DKIM key in DNS (the incorrect one is still showing).


(Robin Ward) #9

I just tried it again too and can confirm the DKIM is still failing, even with the new key.


(Michael Brown) #11

It’s still incorrect - it’s still showing Mandrill’s public key.

@ihwan, please change the key to:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCojtk3fqF69pT6SZcI
woYzjQfdOBTFK7AOyxEGBwHLZ+xqwQQlVgfL6xFZ7FhCYAczkGTCjdChX/qf6dg4LrtXrb+apy
mj9WpLOwPir6P5Mv9FH3t3BgrQeyyCLhAHqDrUk+kU3B2z1uva3oWw3qN9MLZaX8HjR13w9ywV
EgzjpQIDAQAB

(Hwan) #12

@supermathie I’ve updated it now.


(Jeff Atwood) #13