Back to Community Threads
Can not activate DKIM for a domain
Problem reported by David - 8/29/2023 at 10:57 AM
Submitted
D
I have 2 domains on Smartermail. On one, DKIM was activated a long time ago (some much older SM version) and that works.
On another domain I am trying to activate DKIM today. I have put a DNS record, it's active, it's propagated, I can check it with any global propagation tool and all is well.
However, when I go back to Smartermail and click Enable button it starts DNS checking and then reports (again and again): "Before enabling DKIM Email Signing, the TXT record below must be added to your DNS server."
I have done that already many hours ago. I tried regenerating the key and putting a new key in DNS TXT record. Waited for propagation, but still SM doesn't want to activate DKIM. It looks like SM doesn't check DNS properly - it's unable to see that the record exists on my DNS and won't let me activate DKIM.
D
David Replied
8/29/2023 at 11:00 AM
This is the TXT record SM want me to create:
Record name: 8DBA8A503B29CA2._domainKey
Record value: v=DKIM1; k=rsa; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2xQYKyM1+4T/Dr/sx/HgnEA4UFBWdRESxdsegfR7RbuZkWwn5ONC27Xe+RE3lnMkpkfWFvUHgEJmAD6gxchhZyMjZzOtu+KUDgP8se1SlWp129YRq/h4VJOaFECmxdl71dIeqXt6JsyVx2UO+GCbOmSXan0iFja+9MQJANxWkgwIDAQAB

And this is the record that I've created: 8DBA892D3004272._domainkey.lambda.hr
I can check the record via any online DNS tool and confirm that it's added corrently.

> dig 8.8.8.8 8DBA892D3004272._domainkey.lambda.hr TXT +short

"v=DKIM1; k=rsa; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2xQYKyM1+4T/Dr/sx/HgnEA4UFBWdRESxdsegfR7RbuZkWwn5ONC27Xe+RE3lnMkpkfWFvUHgEJmAD6gxchhZyMjZzOtu+KUDgP8se1SlWp129YRq/h4VJOaFECmxdl71dIeqXt6JsyVx2UO+GCbOmSXan0iFja+9MQJANxWkgwIDAQAB"
Why doesn't SM see the record ? SM is configured to use 8.8.8.8 and 1.1.1.1 for DNS. When I check the record with nslookoup or dig I can see it's there and looks exactly the same as the one above.

I've tried restarting the whole server (in an effort to purge any caches) but nothing helps.

The domain I'm trying to active DKIM on is, obviously, "lambda.hr".
Zach Sylvester Replied
8/29/2023 at 12:02 PM
Employee Post
Hey David, 

Thanks for reaching out. Please try the following. 

  1. Go to Settings->General 
  2. If blank add 1.1.1.1 as primary and 8.8.8.8 as secondary DNS 
  3. Save
  4. Try to enable DKIM.


  1. If there are already DNS servers entered in please remove the entries. 
  2. Save
  3. add 1.1.1.1 as primary and 8.8.8.8 as secondary DNS
  4. Save
  5. Try to enable DKIM. 
Let me know if this helps. 

Thanks, 
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
D
David Replied
8/29/2023 at 1:35 PM
Hi Zach,
These DNS server were already in place. I followed your post to:
1. remove them
2. save
3. re-add them
4. save
5. Tried to enable DKIM

Unfortunately that didn't help.
echoDreamz Replied
8/29/2023 at 1:50 PM
I have had a ticket open about this... there really needs to be an "force" option to enable DKIM regardless of DNS check results.
D
David Replied
8/29/2023 at 1:56 PM
I agree with that. That used to be possible - they changed the UI in newer versions, now it's not possible. Seems like everyone is driving the "dumb users" train...
D
David Replied
8/30/2023 at 5:19 PM
Well... At some point I pushed the "regenerate keys" button and that changed the required DNS record from 8DBA892D3004272._domainKey to 8DBA8A503B29CA2._domainKey. A slight change, but I missed it, so I created the wrong entry in DNS. So that was the reason it didn't work. But it still took ages for my fix to propagate and I wasn't able to complete this without waiting for a whole day before it finally worked.

What can I say now about "everyone driving the dumb user train"... :)
echoDreamz Replied
8/30/2023 at 8:55 PM
Yup... there 10000000% needs to be a force option.
What is your TTL on the TXT record in your DNS settings in your controlpanel?
D
David Replied
8/31/2023 at 5:17 AM
@echoDreamz Actually it looks like I was the dumb user in this case ;)

@Brian For TTL I've put 14400. Previously, when testing, I had it at 300.
D
Daniel DiGello Replied
5/21/2024 at 3:27 PM
Has anyone got this to work?  I've kept the mail server internal for now since most servers send to this machine and relay from there as well normally don't need any ports opened up for a DKIM DNS record to be recognized in the world of DNS.   I opened a ticket but asking the team here.
Kyle Kerst Replied
5/23/2024 at 4:34 PM
Employee Post
One thing you can do in instance where you're waiting for propagation is forcing a /flushdns on the SmarterMail server using ipconfig /flushdns which should cause us to get the updated DNS record the next time we check. This won't help in scenarios where the DKIM record is unreachable via DNS however and for that I recommend setting primary/secondary DNS (in Settings>General) to a known good DNS host temporarily such as:

1.1.1.1 (Cloudflare DNS)
8.8.8.8 (Google DNS)
Kyle Kerst Lead Internal Network/System Administrator SmarterTools Inc. smartertools.com
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Setting up Email Signing (DKIM) for a DomainSmarterMail > Domain/User Configuration and Management
SmarterMail, LDAP, and Active DirectorySmarterMail > Server Configuration and Management
Messages from Trusted Senders are going to my Junk folderSmarterMail > Troubleshooting
Key Feature and Version Milestones in SmarterMailSmarterMail
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management