"Key retrieval failed" messages

From: Rob Beckers <Rob_at_solacity.com>
Date: Thu, 28 Apr 2016 12:29:41 -0400

I just installed OpenDKIM on an Ubuntu box that is running Zentyal. The
latter is a framework that presents a Windows domain controller
(open source, running Linux), though for this discussion it simply runs
Postfix, Amavis, OpenChange under the hood.

Signing outgoing messages with DKIM is working fine. No issue there.
Verifying incoming DKIM signatures is a problem, though; my mail.err log
is full of the following:

Apr 28 09:45:09 zentyal opendkim[11884]: 7405B240664: key retrieval
failed (s=k1, d=mail213.suw12.mcsv.net):
'k1._domainkey.mail213.suw12.mcsv.net' unexpected reply class/type (-1/-1)
Apr 28 09:45:16 zentyal opendkim[11884]: 798FA242E06: key retrieval
failed (s=p1211, d=cvent-planner.com):
'p1211._domainkey.cvent-planner.com' unexpected reply class/type (-1/-1)
Apr 28 09:46:03 zentyal opendkim[11884]: A2DFD240664: key retrieval
failed (s=20120113, d=gmail.com): '20120113._domainkey.gmail.com'
unexpected reply class/type (-1/-1)
Apr 28 09:54:51 zentyal opendkim[11884]: 5217D240664: key retrieval
failed (s=selector1-cunet-carleton-ca,
d=cmailcarletonca.onmicrosoft.com):
'selector1-cunet-carleton-ca._domainkey.cmailcarletonca.onmicrosoft.com'
unexpected reply class/type (-1/-1)
Apr 28 10:09:03 zentyal opendkim[11884]: 18B47240664: key retrieval
failed (s=ym1024, d=email.landsend.com):
'ym1024._domainkey.email.landsend.com' unexpected reply class/type (-1/-1)
Apr 28 10:24:42 zentyal opendkim[11884]: B2BAA242E04: key retrieval
failed (s=e2ma, d=e2ma.net): 'e2ma._domainkey.e2ma.net' unexpected reply
class/type (-1/-1)

When I test from the command line, to look up (for example):

dig -t txt k1._domainkey.mail213.suw12.mcsv.net

the output shows that this domain has a valid DKIM TXT entry in its DNS
records. Same for all the others in the list. The (-1/-1) seems to
indicate that no DNS reply came back (since it's the default the
class/type is set to), however, I can make those DNS queries just fine
with dig from the command line on the same machine as where OpenDKIM is
running.

OpenDKIM is set up to pass any problematic messages, so the mail is
still arriving fine. It would be nice though to have DKIM verification
for inbound messages. I've searched extensively but can't find a good
answer as to what could cause this, or how to go about troubleshooting this.

Any help would be greatly appreciated!

-Rob-
Received on Thu Apr 28 2016 - 16:30:06 PST
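
A triage helper for the log entries quoted in the message above, as an added example that is not part of the original post or of OpenDKIM. It extracts the selector, domain and query name from each "key retrieval failed" entry, checks that the query name is the expected `<selector>._domainkey.<domain>`, tallies the failure reasons, and lists the matching `dig` commands. The names `FAILURE`, `parse_failures` and `summarize` are hypothetical, and the sample input is built from two entries in the post plus one constructed line.

```python
import re
from collections import Counter

# OpenDKIM "key retrieval failed" syslog entry, in the shape quoted in the post.
FAILURE = re.compile(
    r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): key retrieval failed "
    r"\(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\): "
    r"'(?P<qname>[^']+)' (?P<reason>.+)$"
)

SAMPLE_LOG = "\n".join([
    # Entries from the post, with the e-mail line wrapping undone.
    "Apr 28 09:45:09 zentyal opendkim[11884]: 7405B240664: key retrieval failed "
    "(s=k1, d=mail213.suw12.mcsv.net): 'k1._domainkey.mail213.suw12.mcsv.net' "
    "unexpected reply class/type (-1/-1)",
    "Apr 28 09:46:03 zentyal opendkim[11884]: A2DFD240664: key retrieval failed "
    "(s=20120113, d=gmail.com): '20120113._domainkey.gmail.com' "
    "unexpected reply class/type (-1/-1)",
    # Constructed line (not from the post): a non-failure entry to be skipped.
    "Apr 28 09:50:00 zentyal opendkim[11884]: 1A2B3C4D5E6: "
    "DKIM-Signature field added (s=mail, d=example.com)",
])

def parse_failures(text):
    """Return one dict per 'key retrieval failed' entry in text."""
    failures = []
    for line in text.splitlines():
        m = FAILURE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        # RFC 6376: the key record is published at <selector>._domainkey.<domain>.
        rec["qname_ok"] = rec["qname"] == f"{rec['selector']}._domainkey.{rec['domain']}"
        failures.append(rec)
    return failures

def summarize(failures):
    """Tally failure reasons and list the dig commands to re-check by hand."""
    return {
        "reasons": Counter(f["reason"] for f in failures),
        "dig": sorted({f"dig -t txt {f['qname']}" for f in failures}),
    }

if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    for reason, count in report["reasons"].items():
        print(f"{count:4d}  {reason}")
    print("\n".join(report["dig"]))
```

When one reason accounts for every entry across unrelated sending domains, the common factor is the verifying host rather than any single sender's DNS record.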
