
DKIM : Signature header exists but is not valid

I have configured Postfix with SPF and DKIM but all emails are marked as spam.

Here is my domain.db (I use bind9):

```
...
mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; p=ABCD" )
```

I verify with:

```
host -t TXT mail._domainkey.domain.com
```

I receive (OK):

```
mail._domainkey.domain.com descriptive text "v=DKIM1\; k=rsa\; " "p=ABCD"
```

I've also checked what could be the problem on email-tester.com, and I get 10/10; DKIM also seems correctly installed.

But when I check the content of an email, I see:

```
...
dkim:pass
dkim:pass
SPF:pass
...
X-Spam-Report: 
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* -0.0 NO_RECEIVED Informational: message has no Received headers
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

X-Spam-Status: No, score=0.0 required=5.0 tests=NO_RECEIVED,NO_RELAYS,
T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.0
```

Any idea?

----- UPDATE -------

After adding in master.cf:

```
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
```

Here is the new email content:

```
...
dkim:pass   (now there is only one: OK)
spf:pass 
...
X-Spam-Report: 
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP

X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham
autolearn_force=no version=3.4.0
```

which seems better, but the email is still marked as spam, grrr

Julien asked Jul 04 '16 15:07



2 Answers

A working SPF and DKIM config does not necessarily keep mail from being categorized as spam.

I had to find out that, especially with virtual hosters or cloud server/mail providers, their IP ranges have a generally bad reputation, which means that even without having sent spam before from the URL, and with fresh DKIM, SPF etc., the mails still go directly to junk (for example in Office 365, which has a very strict, unforgetting spam filter), because the IP belongs to a range that is generally marked with a bad reputation, or some spammer used the IP in the past...

(I did my testing with a custom DigitalOcean server running postfix/opendkim and a free Mailgun account; Mailgun seems to offer dedicated IPs, hopefully without a bad rep, as it seems from some blog posts.)

Of course this is very annoying, but of course marketing mail from SPFed and DKIMed servers also gets marked as spam, therefore big providers seem to go to the IP level... I also read that Office 365 especially has some system that takes user feedback into account and assigns the negative spam marks back down to the IP.

boscowitch answered Sep 20 '22 04:09


Here's what's going on with your SPF record.

Go to this link and change the DNS Server to `Google Public DNS (8.8.8.8)`

https://www.unlocktheinbox.com/dnstools/spf/luckeo.fr/

The results of your SPF will be `v=spf a mx ip4:176.58.101.240 ~all`

Now change it to `DNS Advantage (156.154.70.1)`

The results of your SPF will be `v=spf1 a mx ip4:176.58.101.240 ~all`

Notice the difference: `v=spf` vs `v=spf1`

So your DNS hasn't propagated yet, and depending on how the receiving email server looks up your DNS records, you're running into issues. Wait 24 hours and if you're still having issues, reply back.

Henry answered Sep 23 '22 04:09
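The resolver comparison in the answer above, together with the split and escaped DKIM TXT output from the question, can be checked offline once the record strings are collected. This is an added example, not code from the original page or from any tool it mentions; the function names are hypothetical, and the record strings are the ones quoted on the page.

```python
from __future__ import annotations
import re

def join_txt(rdata: str) -> str:
    """Join the quoted chunks of a TXT answer as printed by host/dig and
    undo presentation escaping such as '\\;'."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(chunks) if chunks else rdata.strip()
    return re.sub(r"\\(.)", r"\1", text)

def check_spf(record: str) -> list[str]:
    """Return problems found in an SPF record (empty list: none found)."""
    terms = record.split()
    first = terms[0] if terms else ""
    problems = []
    # RFC 7208: a record whose version term is not exactly v=spf1 is discarded.
    if first.lower() != "v=spf1":
        problems.append(f"version term {first!r} is not 'v=spf1'")
    rest = [t.lower() for t in terms[1:]]
    if not any(re.fullmatch(r"[-+?~]?all", t) or t.startswith("redirect=") for t in rest):
        problems.append("no 'all' mechanism or redirect= (result defaults to neutral)")
    return problems

def check_dkim(record: str) -> list[str]:
    """Return problems found in a DKIM key record (RFC 6376 tag=value list)."""
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"v={tags['v']!r}, expected 'DKIM1'")
    if not tags.get("p"):
        problems.append("p= missing or empty (no usable public key)")
    return problems

def compare_resolvers(answers: dict[str, str]) -> dict[str, list[str]]:
    """Lint the SPF answer each resolver returned and flag disagreement."""
    report = {name: check_spf(join_txt(txt)) for name, txt in answers.items()}
    if len({join_txt(txt) for txt in answers.values()}) > 1:
        report["(all)"] = ["resolvers returned different records"]
    return report

if __name__ == "__main__":
    # Record strings copied from the page; resolver labels are the ones Henry names.
    spf = {"8.8.8.8": "v=spf a mx ip4:176.58.101.240 ~all",
           "156.154.70.1": "v=spf1 a mx ip4:176.58.101.240 ~all"}
    for name, problems in compare_resolvers(spf).items():
        print(name, problems or "OK")
    dkim = join_txt(r'"v=DKIM1\; k=rsa\; " "p=ABCD"')
    print(dkim, check_dkim(dkim) or "OK")
```
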