Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem with DKIM associated domains
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with DKIM associated domains
Hello,
I've got a problem with my DKIM on associated domains. When people receive mail from us, for parent domain no problem, i've :
dkim=pass (signature was verified)
but for associated domains dkim can't be verify, i've :
dkim=fail (signature did not verify)
i've the same key on all my parent and associated domain, In Domain "DKIM signing for outgoing email" is enable, an in session "Enable DKIM signing for outgoing messages" is also enable.
Could you tell me what is wrong in my settings ?
Thanks
Labels:
- Labels:
-
FortiMail
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
- When you show the source of the received mail (mail headers) for the mails that are sent from the associated domains, do you see the DKIM signature as for the mails from the parent domain?
- Is the DKIM selector in mail headers looks the same as the DNS record name of the DKIM public key?
- Do you see this behavior when you send to other mail servers (like gmail and others)?
- Have you enabled DKIM signing for all domains under menu Domains & Users > Domains? And for all outgoing session profiles?
- Can you ask the remote admins to check further in the mail gateway logs to try find more logs about the DKIM failure? I mean to see if the signature was wrong, if the selector was not found in the public DNS, or any other relevant logs
- Can you ask the remote admin to run dig/nslookup from his side to check if he can see the selector on your public DNS? (like dig selector._domainkey.example.com)
AEK
AEK
Created on 07-09-2024 07:29 AM Edited on 07-09-2024 07:34 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
- When you show the source of the received mail (mail headers) for the mails that are sent from the associated domains, do you see the DKIM signature as for the mails from the parent domain?
- Yes i see it with the good selector
- Is the DKIM selector in mail headers look the same as the DNS record name of the DKIM public key?
- Exactly the same
- Do you see this behavior when you send to other mail servers (like gmail and others)?
- Try with M365 and Gmail same behavior, and all serious provider also.
- Have you enabled DKIM signing for all domains under menu Domains & Users > Domains? And for all outgoing session profiles?
- Yes and Yes
- Can you ask the remote admins to check further in the mail gateway logs to try find more logs about the DKIM failure? I mean to see if the signature was wrong, if the selector was not found in the public DNS, or any other relevant logs
- I'm the administrator for the fortimail and M365, no problem in log
I'v read this on internet, is that true ? no dkim for associated domains ?
https://www.fortinetguru.com/2016/04/configuring-mail-settings/7/
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mcorlou
Sorry I just released now that you are using associated domains while I thought before that you where using protected domains (I confused them). In fact I didn't used them before but instead I always configured the additional domains as protected domains, that's why I didn't have issues with DKIM for additional domains.
Regarding associated domains, I can read in admin guide that the associated domain uses the same DKIM as the parent.
FortiMail performs DKIM signing for an associated domain with its parent domain DKIM key. You must publish the DKIM public key for the associated domain in order for the receiving MTA to validate the DKIM signature.
So I understand from this (and I guess you agree) that you have to insert the same dkim public key in DNS of the protected domain and DNS of the associated domains.
Like this, on main domain:
default._domainkey.maindomain.com. 14400 IN TXT "v=DKIM1; k=rsa; p=XYZ..."
And on associated domain:
default._domainkey.associateddomain.com. 14400 IN TXT "v=DKIM1; k=rsa; p=XYZ..."
If this is what you did than please try send an e-mail to mail-tester.com from an associated domain and then the diagnostic it provides about your dkim signing. I hope it will provide further information about your issue.
You may also check if the dkim public key record is valid using this tool: https://dkimcore.org/tools/keycheck.html
Hope it helps.
AEK
AEK
Created on 07-10-2024 12:23 AM Edited on 07-10-2024 12:34 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem solved, there was an error in the DKIM key declaration on the DNS zone... some one as made a bad copy/paste.
Thank you for your time
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Forti Client EMS + LDAP SAMBA 62 Views
- BGP over IPSec VPN Tunnel Query 90 Views
- Installed the new update (7.4.4) since... 176 Views
- redirect internet traffic over IPSec tunnel 242 Views
- Problems when registering FortiClient to the... 99 Views
Labels
-
FortiGate
7,509 -
FortiClient
1,477 -
5.2
801 -
FortiManager
641 -
5.4
639 -
FortiAnalyzer
487 -
6.0
416 -
FortiAP
390 -
FortiSwitch
388 -
5.6
362 -
FortiClient EMS
319 -
FortiMail
288 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
182 -
FortiNAC
139 -
SSL-VPN
131 -
6.4
128 -
IPsec
127 -
FortiGuard
122 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
91 -
FortiToken
80 -
Customer Service
73 -
Wireless Controller
68 -
SD-WAN
66 -
4.0MR3
64 -
FortiProxy
54 -
FortiEDR
48 -
FortiADC
48 -
FortiAuthenticator
47 -
Fortivoice
46 -
FortiDNS
43 -
Firewall policy
41 -
FortiSandbox
39 -
FortiExtender
39 -
VLAN
37 -
FortiGate v5.4
36 -
High Availability
34 -
FortiSwitch v6.4
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
Routing
24 -
FortiConverter
23 -
Interface
23 -
SAML
22 -
Certificate
22 -
Authentication
21 -
FortiSwitch v6.2
20 -
NAT
20 -
VDOM
19 -
FortiLink
19 -
FortiPortal
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Application control
14 -
SSO
13 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiPAM
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
Explicit proxy
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet service database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1276 | |
| 943 | |
| 676 | |
| 441 | |
| 177 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.