6

I'm getting a DKIM: FAIL with domain null error in GMail. When I go to See Original in GMail, I get dkim=fail header.i=@example.com;.

In my DNS I have the following TXT Records:

DMARC TXT Entry: _dmarc

v=DMARC1;p=reject;sp=reject;rf=afrf;pct=100;ruf=mailto:authfail@example.com;rua=mailto:mailreport@example.com;ri=86400

SPF TXT Entry: example.com

v=spf1 +a +mx +ip4:70.xxx.xxx.xxx +ip4:71.xxx.xxx.xxx +ip4:72.xxx.xxx.xxx ~all

DKIM TXT Entry: _default._domainkey

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/HYr74H9Ty6HjTpjawYIfiDa7kOPx+0GJiw4rw7IYkfvrfrLojmGLuS4lg3NbIqYmLg9Ziz77q9vVT15ftrFB1+lTz6+Ei19b6AM8FGCJoDWRHRwB+YN0InJaFs/kPfy1SktqQI8TntPNfH2+tTOUrIT1gi8fjwSnfSkUsbNuSpIp3XrAU6pYzEjXF2h1A3UMFV+7+jLRzEvunj2YCsJ3vaifTihat+Nsw7eP5L2iAzW8b0joP3z6k/UkhUa7/35oNC4Xn1dY532irsBunMJz9QsBxIaNpepiZZkTxfglsq2RP4FWGZbiVFRDDcvsnpi4kFx3eAQtAoo+szLA70FQIDAQAB

I tested my records via https://www.mail-tester.com/spf-dkim-check and http://dkimcore.org/tools/keycheck.html and it all checks out. Public Key is 2048-bit. I read that GMail was failing DKIM with smaller keys.

I also tested it with http://unlocktheinbox.com and at the DKIM Validation Check it says:

Signature Found:    Yes
SmarterMail DKIM Test:  Failed - Bad Signature
MailBee.NET DKIM Test:  Failed - SignatureInvalid

GMail doesn't seem to have any issues with my SPF and DMARC. Here's the authentication-results for those:

spf=pass (google.com: domain of sender@example.com designates 70.xxx.xxx.xxx as permitted sender) smtp.mailfrom=sender@example.com;


dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

My emails are hosted/sent from http://inmotionhosting.com. My DNS is at CloudFlare.

What am I doing wrong or missing here?

Thanks!

jarvis

3 Answers

3

Check the DKIM signature in the header. The diagnostic messages seem to indicate that the domain field (d=) is empty or missing. Ensure you are supplying your domain when you sign the emails. The DKIM header should look something like the following:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=example.com; s=201602; h=Content-Transfer-Encoding:Content-Type:
    MIME-Version:Date:Message-ID:Subject:From:To;
    bh=GUIz2zzhMS1zh+o3BSEHOEq5KPzYRRlG+wqnc7+1vNM=; b=Q0LXbOPly2f1Ns6kpuS5e6dykT
    mefOZ8WX5tzNR0jD4Mqttg9IDutAE25M3FR+1UXcnakHCIsj+ELuoqafHvu/1av6vvAhZXMudoo/V
    wz3FDWwUnOroIaDPLvSR9RgBA/SHpPL9REEpCtN5WDnWDQK4P69CygrX+zbyh60aZVhE=;

BillThor
  • Having a similar issue, gmail complains about DKIM failing with null domain, while my message headers show that `d=` is properly set: `DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=maildomain.example.com; s=default; t=1495658386; bh=...`. – SYN May 24 '17 at 20:44
  • 1
    Answering to myself: the actual problem (raising a 'DKIM failing with null domain' with gmail), is that I had a masquerade map defined, rewriting FROM fields, ... I fixed by commenting it out. – SYN May 24 '17 at 22:22
1

Try removing quotation marks from the TXT, if you have them.

That is: replace "v=DKIM1; ..." with v=DKIM1; ... in your TXT DNS entry.

For me, this solved the topic's error message. I used Cloudflare as DNS.

I got the hang of it with https://mxtoolbox.com (dkim:example.org:mail).

With quotation marks, the tool didn't recognize the DKIM1 "TagValue" and showed "Unknown" in the "Name" column.

But, without quotation marks, that column turned into "Version" and "Description" into "The DKIM record version."

And Gmail Show original turned into "PASS with domain example.org".

Janne
0

Having had a similar issue today - GMail complaining about null domain, while original message reports both passing and failing DKIM, ... and the DKIM-signature header including the proper d= field, I finally found that the problem was not the signature itself, rather the message being rewritten at some point.

I used to have some smtp_generic_maps = regexp:/etc/postfix/masquerade directive, in my /etc/postfix/main.cf, rewriting the FROM address of some outbound messages.

Turns out GMail is now confirming my DKIM signature is valid, since I commented out masquerading. Pebkac. And surprised by that GMail error message: confusing, if not wrong.

SYN
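A checker for the three causes raised in the answers above (empty `d=`, quotation marks stored inside the key TXT record, a signed From header that gets rewritten), as an added example that is not part of the original posts. The function names and all sample values are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample inputs (not taken from a real message or zone).
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=201602;\r\n"
              "    h=MIME-Version:Date:Message-ID:\r\n    Subject:From:To; bh=QUJD; b=REVG")
QUOTED_RECORD = '"v=DKIM1; k=rsa; p=QUJD"'   # quotes stored as part of the data

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(sig_value):
    """Return (DNS name of the key record or None, list of problems)."""
    tags = parse_tags(sig_value)
    problems = [f"{t}= missing or empty" for t in ("d", "s", "bh", "b") if not tags.get(t)]
    # From must be signed, so any rewrite of it after signing breaks b=.
    if "from" not in tags.get("h", "").lower().split(":"):
        problems.append("From is not listed in h=")
    name = None
    if tags.get("d") and tags.get("s"):
        name = f"{tags['s']}._domainkey.{tags['d']}"
    return name, problems

def check_key_record(txt_data):
    """Check decoded TXT data (the record content, not dig's quoted display)."""
    tags = parse_tags(txt_data)
    problems = []
    if '"' in txt_data:
        problems.append("literal quotation mark in record data")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= missing or empty")
    except binascii.Error:
        problems.append("p= is not valid base64")
    return problems
```

With the quoted record the first tag name parses as `"v` rather than `v`, and the trailing quote corrupts the `p=` value, which is consistent with a checker reporting the version tag as unknown.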