This is the error I saw when I realised that my messages were not being signed – the DKIM headers were missing entirely.
dkimproxy.out: signing error: Error: cannot read /var/lib/dkimproxy/private.key: Permission denied
The Debian package installer gives the ssl-cert group read access to this file, and the dkimproxy user is correctly added to the ssl-cert group. However, the dkimproxy.out process runs as user:group dkimproxy:dkimproxy, and the Perl process does not seem to be running with the dkimproxy user's supplementary groups (see 'man 3 initgroups'), so membership of ssl-cert has no effect for the running process.
There are two simple fixes. The first option is to change the group under which dkimproxy.out runs by editing /etc/default/dkimproxy to include the line:
DKIMPROXYGROUP=ssl-cert
The second is to simply change the group ownership of the private key file:
sudo chgrp dkimproxy /var/lib/dkimproxy/private.key
This second option is my favoured solution, because the proxy process gets no broader access to other files belonging to the ssl-cert group.
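The check behind this error and both fixes, as an added example that is not part of the original post: a shell function that reads a process's /proc/<pid>/status and applies the owner/group/other rule to a file's mode. The uid and gid numbers (118 and 125 for dkimproxy, 110 for ssl-cert) and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Decides whether a process may read a file, given the
# process's /proc/<pid>/status and the file's octal mode, owner uid and gid.
# Usage on a live system (GNU stat), with $PID the dkimproxy.out process id:
#   proc_can_read "/proc/$PID/status" $(stat -c '%a %u %g' /var/lib/dkimproxy/private.key)

proc_can_read() {
    status=$1 mode=00$2 fuid=$3 fgid=$4   # pad so short modes still have 3 digits
    # Uid:/Gid: columns are real, effective, saved, filesystem; the kernel
    # checks file access against the filesystem ids (5th awk field).
    fsuid=$(awk '$1 == "Uid:" { print $5 }' "$status")
    fsgid=$(awk '$1 == "Gid:" { print $5 }' "$status")
    # Groups: lists the supplementary gids; empty if they were never set.
    supp=$(awk '$1 == "Groups:" { $1 = ""; print }' "$status")

    [ "$fsuid" -eq 0 ] && return 0        # root bypasses mode bits (assumes CAP_DAC_OVERRIDE)

    perms=${mode#"${mode%???}"}           # last three octal digits, e.g. 640
    rest=${perms#?}
    owner=${perms%??} group=${rest%?} other=${perms#??}

    if [ "$fsuid" -eq "$fuid" ]; then
        bits=$owner                       # owner class wins even if it denies
    else
        bits=$other
        for g in $fsgid $supp; do
            if [ "$g" -eq "$fgid" ]; then bits=$group; break; fi
        done
    fi
    [ $(( bits & 4 )) -ne 0 ]             # 4 = read bit
}

# Constructed sample data: writes a minimal status file for testing.
make_status() {  # make_status FILE UID GID "SUPPLEMENTARY GIDS"
    printf 'Name:\tdkimproxy.out\nUid:\t%s\t%s\t%s\t%s\nGid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" "$3" "$3" "$3" "$4" > "$1"
}

demo=$(mktemp)
make_status "$demo" 118 125 ""            # dkimproxy:dkimproxy, no supplementary groups
if proc_can_read "$demo" 640 0 110; then echo "key readable"; else echo "key NOT readable"; fi
rm -f "$demo"
```

An empty Groups: line in the real /proc/<pid>/status of dkimproxy.out would confirm that the supplementary groups were never applied.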
Re-send a message to test.
dkimproxy.out: DKIM signing - signed; message-id=<ca5e2aebc79d28a67 ...
Success! To check that the DKIM signature actually verifies, SparkPost have a really nice tool that provides an address to send to, and reports back any DKIM header problems with the emails you send there.