Problems with DNS records

  • Context: HTML/CSS 
  • Thread starter: sbrothy
TL;DR
Apparently I can't get my DNS DKIM records to work...
A silly prefix for this question I know but that was as close as I could get.

Initially I didn't really think of this forum as a place for intricate IT developer or administrator questions but I heard through the grapevine that there's a not insignificant number of retired IT folks here (*cough*). So let's give it a shot:

I'm hosting my little hobby website on a virtual Linux box:

Linux omecc.dk 6.17.0-23-generic #23-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 11 23:29:57 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux

I've (tried to) set up postfix, opendkim, opendmarc and my DNS records to be able to send and receive emails which was (is!) quite a nerdy tour de force!

Unfortunately opendkim-testkey still tells me that my DKIM key isn't secure:

Bash:
root@omecc:/etc/opendkim/keys# opendkim-testkey -d omecc.dk -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/omecc.dk.private
opendkim-testkey: checking key 'mail._domainkey.omecc.dk'
opendkim-testkey: key not secure
opendkim-testkey: key OK
root@omecc:/etc/opendkim/keys#

I've tested permissions for every conceivable directory and file but I feel really stuck (or perhaps I just need some fresh air?).

An online DNS analyzer gives me this "lovely" picture:

https://ibb.co/g5sBGj4

I'm under the impression that CDS and CDNSKEY values are handled by my DNS provider. Maybe I need to fiddle with my DNSSEC settings but before I do that I would like to be sure I'm barking up the right tree.

Now I realize I could ask the people I'm paying for providing me with this service, but the subject is pretty technical. Someday when I get through their "tutorials", "already solved problems", and (oh god!) the AI guarding the entrance to support I will.

It would be nice if someone had an idea but I realize the info is scarce, there's a ton of config files and a million points of failure. Sometimes it helps to just articulate the problem though (or take a break).
 
jack action said:
I may be off the thread subject, and I haven't tried these options yet, but next time I will have to install email on a server, I will look into these options:
No, you're still on subject. I've also considered just letting google handle my email. That would be so much easier! It just annoys me to give up!
 
sbrothy said:
I've (tried to) set up postfix, opendkim, opendmarc and my DNS records to be able to send and receive emails

Even if you manage to set everything up correctly you will still have the problem that you will be sending email from an IP address that is probably blacklisted.

sbrothy said:
I've also considered just letting google handle my email.

Do it. Or if you want to send email from your own domain try a service like Amazon SES (cheap but tricky), or Postmark (easy but more expensive).

The time you save you can spend on fixing your website.
 
pbuk said:
Even if you manage to set everything up correctly you will still have the problem that you will be sending email from an IP address that is probably blacklisted.

Why would it be blacklisted? Is my provider a notorious spam source?

Do it. Or if you want to send email from your own domain try a service like Amazon SES (cheap but tricky), or Postmark (easy but more expensive).

The time you save you can spend on fixing your website.

Ahaha, I walked right into that one! :smile: But yes, it's a work of "love" more than of the "mind". I used to code backend, RDBMS and embedded when I wasn't called upon to put out other people's fires.

Anyway, it'll never be fixed. I didn't even use a proper MVC setup. "Refactoring" is too nice a word for something that should really be burned if it weren't entirely ethereal.

But seriously, thank you for the pointer. I'll have a look....
 
sbrothy said:
Why would it be blacklisted?

Dunno...

sbrothy said:
Is my provider a notorious spam source?

They are better than they used to be, but spammers are always going to be a potential problem for cheap VPS providers. One line of defence is often to block all outgoing SMTP traffic - are you sure they aren't doing this?

Do you need a VPS anyway? Why not use a cheap cPanel web host which will have working email already set up?

sbrothy said:
Anyway, it'll never be fixed.
It's getting better already :). Next steps might be to use (valid) HTML 5 instead of (invalid, obsolete) XHTML and test what it looks like on a mobile phone.
 
pbuk said:
Dunno...



They are better than they used to be, but spammers are always going to be a potential problem for cheap VPS providers. One line of defence is often to block all outgoing SMTP traffic - are you sure they aren't doing this?

Do you need a VPS anyway? Why not use a cheap cPanel web host which will have working email already set up?

You may well be right as I already admitted. It's just that I wanted to be my own SMTP server but really, the recipient probably wouldn't notice the difference anyway.

The annoying thing is that I'm so close. Only the last two DNSSEC records seem to be out of my reach.

I should probably really take the short route (especially now as my Windows laptop apparently died from... something). I fell asleep in front of it and the next morning it was dead as a doornail..
 
sbrothy said:
You may well be right as I already admitted. It's just that I wanted to be my own SMTP server but really, the recipient probably wouldn't notice the difference anyway.

The annoying thing is that I'm so close. Only the last two DNSSEC records seem to be out of my reach.

I should probably really take the short route (especially now as my Windows laptop apparently died from... something). I fell asleep in front of it and the next morning it was dead as a doornail..

EDIT: But I do this to have something to do and problems to solve, so it's kinda OK if it's not working. Then I have something to do!
 
sbrothy said:
The annoying thing is that I'm so close. Only the last two DNSSEC records seem to be out of my reach.

DNSSEC has nothing to do with email, it is SPF, DKIM and DMARC you need for that, and all of those are set up (although your SPF record doesn't look right).

What happens when you try to send an email?
 
  • #10
I'll have to come back to you on this. Right now it looks like I have some basic problems with session management!
 
  • #11
sbrothy said:
I'll have to come back to you on this. Right now it looks like I have some basic problems with session management!

After having made changes to the code in any way I reset apache and dependencies, and delete the log files, using this script:

Bash:
#!/bin/bash

systemctl stop php8.4-fpm
systemctl stop apache2
rm -rf /var/log/apache2/*.log
systemctl start apache2
systemctl status apache2
systemctl status php8.4-fpm

systemctl stop opendmarc
systemctl stop opendkim
systemctl stop postfix
rm -rf /var/log/mail.*
systemctl start postfix
systemctl status postfix
systemctl start opendkim
systemctl status opendkim
systemctl start opendmarc
systemctl status opendmarc



The result looks like this:

● apache2.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 14:58:30 UTC; 16ms ago
Invocation: cb66d8daa67841518322231ebc1639b4
Docs: https://httpd.apache.org/docs/2.4/
Process: 4401 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 4404 (apache2)
Tasks: 1 (limit: 4623)
Memory: 6.3M (peak: 6.3M)
CPU: 62ms
CGroup: /system.slice/apache2.service
└─4404 /usr/sbin/apache2 -k start

May 15 14:58:30 omecc.dk systemd[1]: Starting apache2.service - The Apache HTTP Server...
May 15 14:58:30 omecc.dk apachectl[4403]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/default-ssl.conf:1
May 15 14:58:30 omecc.dk systemd[1]: Started apache2.service - The Apache HTTP Server.
○ php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php8.4-fpm.service; enabled; preset: enabled)
Active: inactive (dead) since Fri 2026-05-15 14:51:39 UTC; 6min ago
Duration: 1min 32.558s
Invocation: 448b73eaa5a245c5b6cc3710f94c71fa
Docs: man:php-fpm8.4(8)
Main PID: 1203 (code=exited, status=0/SUCCESS)
Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0.00req/sec"
Mem peak: 51.8M
CPU: 174ms

May 15 14:50:05 omecc.dk systemd[1]: Starting php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager...
May 15 14:50:06 omecc.dk systemd[1]: Started php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager.
May 15 14:51:39 omecc.dk systemd[1]: Stopping php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager...
May 15 14:51:39 omecc.dk systemd[1]: php8.4-fpm.service: Deactivated successfully.
May 15 14:51:39 omecc.dk systemd[1]: Stopped php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager.
● postfix.service - Postfix Mail Transport Agent (main/default instance)
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 14:58:36 UTC; 19ms ago
Invocation: f99541eedae94cefa51ff4db93a8f789
Docs: man:postfix(1)
Process: 4434 ExecStartPre=postfix check (code=exited, status=0/SUCCESS)
Process: 4541 ExecStart=postfix debian-systemd-start (code=exited, status=0/SUCCESS)
Main PID: 4549 (master)
Tasks: 4 (limit: 4623)
Memory: 3.7M (peak: 3.7M)
CPU: 523ms
CGroup: /system.slice/postfix.service
├─4549 /usr/lib/postfix/sbin/master -w
├─4550 pickup -l -t unix -u -c
├─4551 qmgr -l -t unix -u
└─4554 trivial-rewrite -n rewrite -t unix -u -c

May 15 14:58:36 omecc.dk postfix[4483]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_logloglevel=1
May 15 14:58:36 omecc.dk postfix[4495]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_logloglevel=1
May 15 14:58:36 omecc.dk postfix[4504]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_logloglevel=1
May 15 14:58:36 omecc.dk postfix[4523]: postfix/postlog: warning: not owned by root: /var/spool/postfix/etc/resolv.conf
May 15 14:58:36 omecc.dk postfix/postfix-script[4523]: warning: not owned by root: /var/spool/postfix/etc/resolv.conf
May 15 14:58:36 omecc.dk postfix/master[4549]: daemon started -- version 3.10.2, configuration /etc/postfix
May 15 14:58:36 omecc.dk systemd[1]: Started postfix.service - Postfix Mail Transport Agent (main/default instance).
May 15 14:58:36 omecc.dk postfix/qmgr[4551]: A8ACC1709B6: from=<www-data@omecc.dk>, size=362, nrcpt=1 (queue active)
May 15 14:58:36 omecc.dk postfix/qmgr[4551]: 76B871709FB: from=<www-data@omecc.dk>, size=399, nrcpt=1 (queue active)
May 15 14:58:36 omecc.dk postfix/qmgr[4551]: AF32D1709FE: from=<www-data@omecc.dk>, size=398, nrcpt=1 (queue active)
● opendkim.service - OpenDKIM Milter
Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 14:58:36 UTC; 10ms ago
Invocation: 5ad368738bd14e8fb347da0bd0cffc04
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-lua(3)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testkey(8)
http://www.opendkim.org/docs.html
Process: 4560 ExecStart=/usr/sbin/opendkim (code=exited, status=0/SUCCESS)
Main PID: 4561 (opendkim)
Tasks: 6 (limit: 4623)
Memory: 2.2M (peak: 2.2M)
CPU: 16ms
CGroup: /system.slice/opendkim.service
└─4561 /usr/sbin/opendkim

May 15 14:58:36 omecc.dk systemd[1]: Starting opendkim.service - OpenDKIM Milter...
May 15 14:58:36 omecc.dk systemd[1]: Started opendkim.service - OpenDKIM Milter.
May 15 14:58:36 omecc.dk opendkim[4561]: OpenDKIM Filter v2.11.0 starting
● opendmarc.service - OpenDMARC Milter
Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 14:58:36 UTC; 15ms ago
Invocation: df334d94bad34cf1a939061a364a4f4b
Docs: man:opendmarc(8)
man:opendmarc.conf(5)
Process: 4571 ExecStart=/usr/sbin/opendmarc (code=exited, status=0/SUCCESS)
Main PID: 4572 (opendmarc)
Tasks: 6 (limit: 4623)
Memory: 2.2M (peak: 2.3M)
CPU: 14ms
CGroup: /system.slice/opendmarc.service
└─4572 /usr/sbin/opendmarc

May 15 14:58:36 omecc.dk systemd[1]: Starting opendmarc.service - OpenDMARC Milter...
May 15 14:58:36 omecc.dk systemd[1]: opendmarc.service: Failed to create reference to PID from file '/run/opendmarc/opendmarc.pid': Invalid argument
May 15 14:58:36 omecc.dk systemd[1]: Started opendmarc.service - OpenDMARC Milter.
May 15 14:58:36 omecc.dk opendmarc[4572]: OpenDMARC Filter v1.4.2 starting ()
May 15 14:58:36 omecc.dk opendmarc[4572]: additional trusted authentication services: mail.omecc.dk

Then I execute this PHP script:

PHP:
<?php

define("ROOT_DIR", dirname(__FILE__));

$to = "sbrothy@mail.com";
$cc = "";
$subject = "SUBJECT";
$content = "CONTENT";
$content = wordwrap($content, 70, "\r\n");

$headers = 'From: sbrothy@omecc.dk' . "\r\n" . 'Reply-To: sbrothy@omecc.dk' . "\r\n" . 'X-Mailer: PHP/' . phpversion();
//$headers = "From: sbrothy@omecc.dk\r\nMIME Version: 1.0\r\nContent-Type: text\html; charset=iso8859-1\r\nX-Mailer' => 'PHP/' . phpversion()";

file_put_contents('php://stderr', "[" . __FILE__ .  "][" . __LINE__ . "][to=$to][cc=$cc][subject=$subject][content=$content]");

$success = mail("$to", "$subject", "$content", "$headers");

file_put_contents('php://stderr', "[" . __FILE__ .  "][" . __LINE__ . "][success=$success]");
  
?>

<pre>
<?php echo $success; ?><br/>
</pre>

<!-- script>
const _get = "/contact.php?status=" + (<?=$success?> ? "1" : "0");
location.href = _get;
</script -->

Even though the mail function returns SUCCESS I receive no email. Understandable when I check my DKIM DNS setting/key:

Bash:
root@omecc.dk#: opendkim-testkey -d omecc.dk -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/omecc.dk.private
opendkim-testkey: checking key 'mail._domainkey.omecc.dk'
opendkim-testkey: key not secure
opendkim-testkey: key OK

So apparently the key is correct but there's still something wrong with some permissions somewhere...... and now I notice this line:

opendmarc.service: Failed to create reference to PID from file '/run/opendmarc/opendmarc.pid': Invalid argument

I'll fix that, but I'm sure that won't solve the problem.
 
  • #12
The resulting mail.err file:

2026-05-15T15:12:34.540991+00:00 omecc postfix/smtpd[4927]: error: open database /etc/aliases.db: No such file or directory
2026-05-15T15:12:34.562333+00:00 omecc postfix/smtpd[4927]: fatal: unknown notify_classes value "resourece" in "resourece, software"
 
  • #13
So I guess I have plenty to fix without bothering you people.... my apologies for now....
 
  • #14
Got the output of the various systemctl status commands sanitized. Seems I don't even have a single warning now. My key is still "key not secure" though....

● apache2.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 21:22:49 UTC; 17ms ago
Invocation: 9953ffcd7ebb4c56b3d3fcdea1292558
Docs: https://httpd.apache.org/docs/2.4/
Process: 2034 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 2037 (apache2)
Tasks: 1 (limit: 4623)
Memory: 6.3M (peak: 6.3M)
CPU: 54ms
CGroup: /system.slice/apache2.service
└─2037 /usr/sbin/apache2 -k start

May 15 21:22:49 omecc.dk systemd[1]: Starting apache2.service - The Apache HTTP Server...
May 15 21:22:49 omecc.dk apachectl[2036]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/default-ssl.conf:1
May 15 21:22:49 omecc.dk systemd[1]: Started apache2.service - The Apache HTTP Server.
○ php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php8.4-fpm.service; enabled; preset: enabled)
Active: inactive (dead) since Fri 2026-05-15 21:22:05 UTC; 44s ago
Duration: 3min 14.120s
Invocation: af87d68cafa34977ace2dd60924be620
Docs: man:php-fpm8.4(8)
Process: 1204 ExecStart=/usr/sbin/php-fpm8.4 --nodaemonize --fpm-config /etc/php/8.4/fpm/php-fpm.conf (code=exited, status=0/SUCCESS)
Process: 1316 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84 (code=exited, status=0/SUCCESS)
Process: 1800 ExecStopPost=/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84 (code=exited, status=0/SUCCESS)
Main PID: 1204 (code=exited, status=0/SUCCESS)
Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0.00req/sec"
Mem peak: 51.9M
CPU: 175ms

May 15 21:18:49 omecc.dk systemd[1]: Starting php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager...
May 15 21:18:50 omecc.dk systemd[1]: Started php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager.
May 15 21:22:04 omecc.dk systemd[1]: Stopping php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager...
May 15 21:22:05 omecc.dk systemd[1]: php8.4-fpm.service: Deactivated successfully.
May 15 21:22:05 omecc.dk systemd[1]: Stopped php8.4-fpm.service - The PHP 8.4 FastCGI Process Manager.
● postfix.service - Postfix Mail Transport Agent (main/default instance)
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 21:22:56 UTC; 13ms ago
Invocation: 6d6480d2612a4ce9ab00c31b343f585b
Docs: man:postfix(1)
Process: 2067 ExecStartPre=postfix check (code=exited, status=0/SUCCESS)
Process: 2173 ExecStart=postfix debian-systemd-start (code=exited, status=0/SUCCESS)
Main PID: 2181 (master)
Tasks: 3 (limit: 4623)
Memory: 2.7M (peak: 3.9M)
CPU: 502ms
CGroup: /system.slice/postfix.service
├─2181 /usr/lib/postfix/sbin/master -w
├─2182 pickup -l -t unix -u -c
└─2183 qmgr -l -t unix -u

May 15 21:22:56 omecc.dk systemd[1]: Starting postfix.service - Postfix Mail Transport Agent (main/default instance)...
May 15 21:22:56 omecc.dk postfix/master[2181]: daemon started -- version 3.10.2, configuration /etc/postfix
May 15 21:22:56 omecc.dk systemd[1]: Started postfix.service - Postfix Mail Transport Agent (main/default instance).
May 15 21:22:56 omecc.dk postfix/qmgr[2183]: B0EBD1709F3: from=<www-data@omecc.dk>, size=398, nrcpt=1 (queue active)
● opendkim.service - OpenDKIM Milter
Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 21:22:56 UTC; 17ms ago
Invocation: ab105d3c28054ad0a387ae142aae32f4
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-lua(3)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testkey(8)
http://www.opendkim.org/docs.html
Process: 2191 ExecStart=/usr/sbin/opendkim (code=exited, status=0/SUCCESS)
Main PID: 2192 (opendkim)
Tasks: 6 (limit: 4623)
Memory: 2.1M (peak: 2.1M)
CPU: 14ms
CGroup: /system.slice/opendkim.service
└─2192 /usr/sbin/opendkim

May 15 21:22:56 omecc.dk systemd[1]: Starting opendkim.service - OpenDKIM Milter...
May 15 21:22:56 omecc.dk systemd[1]: Started opendkim.service - OpenDKIM Milter.
May 15 21:22:56 omecc.dk opendkim[2192]: OpenDKIM Filter v2.11.0 starting
● opendmarc.service - OpenDMARC Milter
Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-05-15 21:22:56 UTC; 13ms ago
Invocation: 1dbae74a41894c9684d0451eb04fde16
Docs: man:opendmarc(8)
man:opendmarc.conf(5)
Process: 2202 ExecStart=/usr/sbin/opendmarc (code=exited, status=0/SUCCESS)
Main PID: 2203 (opendmarc)
Tasks: 6 (limit: 4623)
Memory: 2.2M (peak: 2.2M)
CPU: 16ms
CGroup: /system.slice/opendmarc.service
└─2203 /usr/sbin/opendmarc

May 15 21:22:56 omecc.dk systemd[1]: Starting opendmarc.service - OpenDMARC Milter...
May 15 21:22:56 omecc.dk systemd[1]: Started opendmarc.service - OpenDMARC Milter.
May 15 21:22:57 omecc.dk opendmarc[2203]: OpenDMARC Filter v1.4.2 starting ()
May 15 21:22:57 omecc.dk opendmarc[2203]: additional trusted authentication services: mail.omecc.dk

EDIT: But I'm still not sure my SPF record is correct... It's a veritable config nightmare. :) I used to run the developer test version of Debian so it sometimes crashed until I found a way to fix it. That seems like innocent fun compared to this.
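
Added example (not part of any post in this thread and not OpenDKIM code): in `opendkim-testkey -vvv` output, "key OK" says the private key matches the published record, while "key not secure" says the DNS answer was not DNSSEC-validated. The script below separates those two signals, checks a dig header for the `ad` flag, and pulls tags out of a DKIM TXT value. The `key secure` wording, the dig header and the TXT value are assumptions or constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Live use (commands as in the posts above):
#   opendkim-testkey -d omecc.dk -s mail -vvv 2>&1 | testkey_verdict
#   dig +dnssec TXT mail._domainkey.omecc.dk | dig_has_ad && echo validated

# stdin: opendkim-testkey -vvv output -> "match=<yes|no> dnssec=<state>"
testkey_verdict() {
    match=no; dnssec=unknown
    while IFS= read -r line; do
        case "$line" in
            *": key OK")         match=yes ;;        # private key matches p= in DNS
            *": key not secure") dnssec=insecure ;;  # answer was not DNSSEC-validated
            *": key secure")     dnssec=secure ;;    # assumed wording of the validated case
        esac
    done
    printf 'match=%s dnssec=%s\n' "$match" "$dnssec"
}

# stdin: dig output -> exit 0 if the resolver set the "ad" (authenticated data) flag
dig_has_ad() {
    while IFS= read -r line; do
        case "$line" in
            ';; flags:'*)
                flags=${line#';; flags:'}; flags=${flags%%;*}
                case " $flags " in *' ad '*) return 0 ;; *) return 1 ;; esac ;;
        esac
    done
    return 1
}

# usage: dkim_tag <tag> <TXT value as printed by dig> -> prints that tag's value
dkim_tag() {
    # Drop the quotes/whitespace dig leaves between TXT strings, one tag per line.
    printf '%s;' "$2" | tr -d '" \t\n' | tr ';' '\n' |
    while IFS= read -r part; do
        if [ "${part%%=*}" = "$1" ]; then printf '%s\n' "${part#*=}"; break; fi
    done
}

# Output copied from the post above.
TESTKEY_OUT="opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/omecc.dk.private
opendkim-testkey: checking key 'mail._domainkey.omecc.dk'
opendkim-testkey: key not secure
opendkim-testkey: key OK"

# Constructed samples: a dig header without "ad", and a TXT value split into
# two strings with a placeholder instead of real key material.
DIG_HEADER=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DKIM_TXT='"v=DKIM1; h=sha256; k=rsa; " "p=CONSTRUCTEDKEYDATA"'

printf '%s\n' "$TESTKEY_OUT" | testkey_verdict
if printf '%s\n' "$DIG_HEADER" | dig_has_ad; then
    echo "ad flag set: resolver validated the answer"
else
    echo "ad flag not set: answer not DNSSEC-validated"
fi
echo "v=$(dkim_tag v "$DKIM_TXT") k=$(dkim_tag k "$DKIM_TXT") p=$(dkim_tag p "$DKIM_TXT")"
```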
 
