This is the error I saw when I realised that my messages were not being signed – the DKIM headers were missing entirely.
dkimproxy.out: signing error: Error: cannot read /var/lib/dkimproxy/private.key: Permission denied
The Debian package installer gives this file read access by the ssl-cert group and the dkimproxy user is correctly added to the ssl-cert group. However the process dkimproxy.out runs as user:group dkimproxy:dkimproxy, but the Perl process does not seem to be running with the effective group id that includes the secondary groups (see 'man 3 initgroups').
There are two simple fixes. The first option is to change the group under which dkimproxy.out runs by editing /etc/default/dkimproxy to include the line: –
The second is to simply change the group ownership of the private key file: –
sudo chgrp dkimproxy /var/lib/dkimproxy/private.key
This second option is my favoured solution, because the proxy process gets no broader access to other files belonging to the ssl-cert group.
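To confirm the diagnosis rather than infer it from the log, compare the groups the running process actually holds with the key file's group and mode. The script below is an added example, not part of the dkimproxy package: the numeric ids (110 for dkimproxy, 117 for ssl-cert), the root owner and the 640 mode are constructed, and it assumes a non-root process. On a live system pass /proc/<pid>/status and the output of stat -c '%u %g %a' on the key file.

```sh
#!/bin/sh
# Report which permission class (owner/group/other) applies when a process
# opens a file, using the credentials the process really holds.
# usage: key_access STATUS_FILE FILE_UID FILE_GID FILE_MODE
#   STATUS_FILE  /proc/<pid>/status, or a saved copy of it
#   FILE_*       from: stat -c '%u %g %a' /var/lib/dkimproxy/private.key
# Prints "<class> readable" or "<class> denied"; exit status 0 only if readable.
# Assumes a non-root process (no CAP_DAC_OVERRIDE). Runs in a subshell so its
# variables stay local.
key_access() (
    status=$1 fuid=$2 fgid=$3 mode=$4
    # Field 5 of Uid:/Gid: is the filesystem id, the one used for file access.
    puid=$(awk '$1 == "Uid:" {print $5}' "$status")
    pgid=$(awk '$1 == "Gid:" {print $5}' "$status")
    # Supplementary groups; empty if the daemon never called initgroups().
    pgroups=$(awk '$1 == "Groups:" {$1 = ""; print}' "$status")

    if [ "$puid" = "$fuid" ]; then
        class=owner bit=0400
    else
        class=other bit=0004
        for g in $pgid $pgroups; do
            if [ "$g" = "$fgid" ]; then class=group bit=0040; fi
        done
    fi
    if [ $(( 0$mode & $bit )) -ne 0 ]; then verdict=readable; else verdict=denied; fi
    echo "$class $verdict"
    [ "$verdict" = readable ]
)

# Constructed /proc/<pid>/status excerpt: $1 = process gid, $2 = Groups: list.
sample_status() {
    printf 'Name:\tdkimproxy.out\nUid:\t110\t110\t110\t110\n'
    printf 'Gid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' "$1" "$1" "$1" "$1" "$2"
}

tmp=$(mktemp)
# As found: gid dkimproxy, no supplementary groups, key is root:ssl-cert 640.
sample_status 110 "" > "$tmp"
key_access "$tmp" 0 117 640 || true
# First fix: the process runs with ssl-cert as its group.
sample_status 117 "" > "$tmp"
key_access "$tmp" 0 117 640
# Second fix: process unchanged, key re-grouped to dkimproxy.
sample_status 110 "" > "$tmp"
key_access "$tmp" 0 110 640
rm -f "$tmp"
```

An empty Groups: line for the running daemon, while id dkimproxy lists ssl-cert, is the mismatch described above.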
Re-send a message to test.
dkimproxy.out: DKIM signing - signed; message-id=<ca5e2aebc79d28a67 ...
Success! To check that the DKIM signature actually verifies, SparkPost have a really nice tool that provides an address to send to, and reports back any DKIM header problems with the emails you send there.