Commodore
Commodore
1048 views

DKIM troubleshooting

Jump to solution

Hello there,

I configured DKIM signing in the SMG/SLES appliance. Generated keys in Domain Management. Public key added in DNS. Checked record with online tool -> OK.

Then send a message and checked it with https://www.appmaildev.com/en/dkim. Result: DKIM none. Double-checked with gmail on the security button: no encryption.

How can I check in the logs what goes wrong?

I see in the supervisor log this:

[139824307939072] 2020-04-09 19:58:35 (DBCB) DB notification: dkimupdate
[139824341509888] 2020-04-09 19:58:35 (dkim) Processing DKIM signature updates start
[139824341509888] 2020-04-09 19:58:35 (dkim) Add/update DKIM record for d=meerdaneen.nl, s=20200409
[139824341509888] 2020-04-09 19:58:35 (dkim) Processing DKIM signature updates complete

Anyone?

 

 

 

 

0 Likes
19 Replies
Micro Focus Expert
Micro Focus Expert

SMG offers two parts to DKIM:

1) DKIM signing -  https://www.novell.com/documentation/secure-messaging-gateway/secure-messaging-gateway/data/t44kudeqbeaz.html

2) DKIM verification - https://www.novell.com/documentation/secure-messaging-gateway/secure-messaging-gateway/data/t4462m6nhr4z.html 

This release fixed the DKIM signature, that wasn't being attached. If that is the part that still isn't working for you I would recommend opening a ticket with support.

View solution in original post

0 Likes
Commodore
Commodore

Hello @suziew Susiew,

It did work after recreating the keys indeed as @ketter explained earlier!

 

 

0 Likes
Commodore
Commodore

Hello all / @suziew

The creation of a DKIM policy for incomming message is not clear to me. Can anyone explain?

- Imho all messages should be scanned for a valid DKIM. DMARC policy should decide of the email is accepted or not.  Does this SMG policy check DMARC for the acceptance policy?

- So why should I specify a domain in the search criteria field?

- If I have to specify a domain in the search criteria field, ar wildcards accepted? Like *@testdomain.com?

0 Likes
Micro Focus Expert
Micro Focus Expert

I'm glad you were able to get it working after recreating them, like Ken suggested.

 

You may end up with false positives (since every domain sending to you may not have a DKIM signature yet), if you don't specify which domains you want to check for, such as banks etc.

 

Yes, wildcards work. You can list them as *domain.com or *@domain.com.

0 Likes
Commodore
Commodore

@suziewOK. That's clear. And with this we take a very important step (happy for now!)

But officially it works like this:

DMARC record of the sender domain has a policy 'none', 'quarantine', or 'reject'.  It tells recipients what to do if both SPF and DKIM fail.

But SMG implements it different: if DKIM fails, mails should be blocked or quarantined (whatever we choose) without looking at the policy in the DMARC record.

Enhancement request?

 

0 Likes
Micro Focus Expert
Micro Focus Expert

@JvdMeij Yes, that would be a great enhancement request. Here's a link to where it can be requested, if you need it: https://community.microfocus.com/t5/Secure-Messaging-Gateway-Idea/idb-p/SMG_Ideas

Commodore
Commodore
done!
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Thanks!  I added my vote to it.

Here is the link if anyone else sees this and wants to add votes:  https://community.microfocus.com/t5/SMG-Idea-Exchange/DKIM-check-for-incoming-messages/idi-p/2778555

--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums!
Don't forget to Like helpful posts and mark Solutions!
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.