DKIM_INVALID in Spamassassin only for emails sent from other emails in the same server

I have postfix/dovecot running with SpamAssassin on CentOS.

PROBLEM:

  • The VPS acts as a mail server
  • SpamAssassin edits the email subject and adds [SPAM]
  • MS Outlook on Windows moves those emails to the Junk folder
  • The above happens ONLY if an email is sent from the VPS to another address on the same VPS machine
  • The above problem does NOT happen if I send emails from this VPS to another email account on another server that also uses SpamAssassin

I have WordPress blogs with the WP_SMTP plugin, and they're configured to use SMTP to send emails.

When I send emails from contact forms on the blogs, I receive emails in the "SPAM" folder. I noticed that the headers are:

spamd[12042]: spamd: result: . 0 - ALL_TRUSTED,DKIM_INVALID,DKIM_SIGNED,HTML_MESSAGE,T_SCC_BODY_TEXT_LINE scantime=30.1,size=3544,user=vmail,uid=994,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56530,mid=<[email protected]>,autolearn=no autolearn_force=no

WP_SMTP has a test feature. I can choose which email address to send a test email to. If I choose one of the email addresses handled by my mail server, those emails are also marked with DKIM_INVALID.

However, if I send exactly the same test email to mail-tester.com, this is what I get: https://www.mail-tester.com/test-5oyf5qlg5

10/10 and DKIM is fine.

Also dmarcian says DKIM is fine.

When I send an email from my server to a different email on my server (on different domains), they also get DKIM_INVALID.

Can anyone please help me make SpamAssassin stop marking emails sent from Server X to Server X as spam (DKIM_INVALID)?

Or maybe I can get more info, logs, etc. that can help to find an answer to this problem?

IMPORTANT! The server is using Unbound. I had to use Unbound because SpamAssassin was reporting:

ALL_TRUSTED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_IN_TO_AND_SUBJ,HTML_MESSAGE,MIME_HTML_ONLY,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED

And I was told that many blacklisting services don’t allow queries from freely available DNS servers, and that includes (or may include) whatever DNS my provider gives me from DHCP.

As soon as I start to use Unbound and I change

/etc/resolv.conf
options trust-ad
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 62.149.128.4
nameserver 62.149.132.4
nameserver 2001:4860:4860::8888

to:

nameserver ::1
nameserver 127.0.0.1
options trust-ad

SpamAssassin stops adding URIBL_BLOCKED and starts adding DKIM_INVALID.

EDIT - new test on dkimvalidator:

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=anahatatantra.com;
    s=default; t=1651780260;
    bh=WOwAVylmbsjOThr0t5u3PrLcNjOVp9SrbUgzVixBh7I=;
    h=From:To:Subject:Date;
    b=DCJ9L1ik8gcbohyaqB4pXqcmqa32+Y3F7sbSDnqQ7M1S0D/5/MdfEd1b2MIh8HQfB
     Mpui8c2TdpbDSmakosk99bgBPjFHe5i3cW1lmxJKrIlT5/wBvRVejg+PtmnIbIre+S
     XNakG1D1AzcUmpv2fBVoZGFv+0eT9Hub0LM5ouV4=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/simple
d= Domain:          anahatatantra.com
s= Selector:        default
q= Protocol:        
bh=                 WOwAVylmbsjOThr0t5u3PrLcNjOVp9SrbUgzVixBh7I=
h= Signed Headers:  From:To:Subject:Date
b= Data:            DCJ9L1ik8gcbohyaqB4pXqcmqa32+Y3F7sbSDnqQ7M1S0D/5/MdfEd1b2MIh8HQfB
     Mpui8c2TdpbDSmakosk99bgBPjFHe5i3cW1lmxJKrIlT5/wBvRVejg+PtmnIbIre+S
     XNakG1D1AzcUmpv2fBVoZGFv+0eT9Hub0LM5ouV4=
Public Key DNS Lookup

Building DNS Query for default._domainkey.anahatatantra.com
Retrieved this publickey from DNS: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXSuXbbxQjrqMX01rwXL8qMwUxCZrjFPnZokm6TyCj9bY5c96148UKFfiOWcfAhTmIC//pL3f08Pk8scBSM34pRQ8mYQhhjnXR2JMPIeJOZ9eAparHJfxk6PNd/5O/aXzVC+1RFtSWLaUilnA+Jdafkhe/4zZ8/kKMuzxaatGXcwIDAQAB
Validating Signature

result = pass
Details: 

The test passes.

Thus it seems to me there is no difference for emails sent "outside", for example to mail-tester or dkimvalidator.

The problem seems to be only server related, when emails are sent from the same server to the same server.

tr flag
I've updated the question. On https://dkimvalidator.com/ it always has the same status, no matter whether I configure `/etc/resolv.conf` with `nameserver 127.0.0.1` or `nameserver 62.149.128.4`. However, SpamAssassin on my server detects DKIM_INVALID if emails are sent using `Unbound` and `/etc/resolv.conf` with `nameserver 127.0.0.1`. And they are VALID (but fire the `URIBL_BLOCKED` rule) if `/etc/resolv.conf` has the nameservers it receives from DHCP. Only inside the same machine. Outside, there doesn't seem to be any difference in tests.
djdomi avatar
za flag
Don't use a public resolver.
tr flag
I confirm that "body has been altered" is not an issue, as it's related to some Unicode signs in the email. If I send an email with different text, the signature passes with `result = pass`. Thus I confirm that the problem is only with SpamAssassin inside the same machine that sends emails. Outside, on external servers, all is fine. P.S. I don't understand what I can do otherwise. I stopped using the DNS I used to receive by DHCP. Now it's using `Unbound`. Thanks to this the rule `URIBL_BLOCKED` is not firing anymore.
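
One check that follows from the resolver-dependent result described in the question, as an added example (not part of the original post or its comments): compare the DKIM key record as each resolver returns it, since the verifier on the mail server only sees what its own resolver hands back. The function names and the sample answers are constructed for illustration; real input would be one answer line of `dig +short TXT default._domainkey.anahatatantra.com @<resolver>` per resolver.

```python
import base64
import re

def parse_tags(text):
    """Parse an RFC 6376 tag=value list (signature header or key record)."""
    pairs = (part.split("=", 1) for part in text.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_query_name(signature_value):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def join_dig_txt(dig_line):
    """Join the quoted character-strings of one `dig +short TXT` answer line."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line))

def key_problems(dig_line):
    """List the problems with a key record as one resolver returned it."""
    txt = join_dig_txt(dig_line)
    if not txt:
        return ["no TXT answer"]
    p = parse_tags(txt).get("p")
    if not p:
        return ["p= missing or empty"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    # The key is a DER SEQUENCE; its declared length must match what arrived.
    if len(der) < 3 or der[0] != 0x30:
        return ["p= is not a DER SEQUENCE"]
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    declared = 2 + n + (int.from_bytes(der[2:2 + n], "big") if n else der[1])
    return [] if declared == len(der) else [f"key truncated: {len(der)} of {declared} bytes"]

def compare_resolvers(answers):
    """Return ({resolver: problems}, True if the resolvers returned different records)."""
    report = {resolver: key_problems(line) for resolver, line in answers.items()}
    return report, len({join_dig_txt(line) for line in answers.values()}) > 1

# Constructed sample data: a placeholder 162-byte DER blob, not a real key,
# and answers that do not represent what the poster's resolvers returned.
SAMPLE_P = base64.b64encode(bytes([0x30, 0x81, 0x9F]) + bytes(159)).decode()
SAMPLE_ANSWERS = {
    "62.149.128.4": f'"k=rsa; p={SAMPLE_P[:100]}" "{SAMPLE_P[100:]}"',  # record in two strings
    "127.0.0.1": f'"k=rsa; p={SAMPLE_P[:100]}"',                        # second string lost
}
```

If both resolvers return the same complete record, the key lookup is ruled out and the next place to look is the verifier's own debug output for the message.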