Fixed DKIM
I didn’t realize it was broken, but I fixed it anyway.
While checking something else out, I noticed a number of messages in the mail.log file, and with piqued interest I checked a DMARC report received from Google. They indicated DKIM wasn’t being applied to messages my server sends, even though I tried to make that happen.
A few simple things combined to make it not work.
First, in the configuration for DKIM, I had put wildcards for subdomains, as suggested in an article I followed, but I didn’t put the raw domain. I think I might have thought that the jekewa.com domain might be covered by *.jekewa.com, but I know better. So I added the domains from which e-mail is actually sent, and removed all the subdomain entries.
Then I noticed that the DKIM entries had incorrect selectors in the DNS TXT entries, which meant they were probably built incorrectly. So I spun through all the domains and rebuilt the private keys and correctly aligned the TXT entries.
I tested by sending e-mail to some external sites and checking the DKIM in and out. I had configured all the checks my server does correctly, so when a sending server has their DKIM done right, mine correctly validates, or when they don’t DKIM, mine correctly notes that, too. For most of the domains I tested, the corrected configuration and keys fixed the problem.
For one domain, it took me a bit to realize that I’d set up two keys and was using different keys in the config and DNS. I cleaned that up and got that working, too.
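The three failures described above (a wildcard entry that does not cover the bare domain, a selector with no matching TXT record, and a DNS record publishing a different key than the one in the config) can be checked mechanically. This is an added example, not the author's configuration or any particular signer's file format; the table layout, the `audit` function, the assumption that mail is signed with `d=` equal to the sending domain, and all sample values are constructed for illustration.

```python
from fnmatch import fnmatch

def parse_dkim_txt(txt):
    """Split a DKIM key record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def audit(sender_domains, signing_table, key_table, dns_txt):
    """Map each sending domain to "ok" or to the reason DKIM fails for it.

    signing_table: list of (domain pattern, key name); first match wins
    key_table:     key name -> (selector, base64 public half of the signing key)
    dns_txt:       DNS name -> TXT record content
    Assumes the signer uses d=<sender domain> (hypothetical, simplified model).
    """
    report = {}
    for domain in sender_domains:
        key_name = next((k for pat, k in signing_table if fnmatch(domain, pat)), None)
        if key_name is None:
            report[domain] = "unsigned: no signing entry matches"
            continue
        selector, public_key = key_table[key_name]
        name = f"{selector}._domainkey.{domain}"
        record = dns_txt.get(name)
        if record is None:
            report[domain] = f"selector mismatch: no TXT record at {name}"
        elif parse_dkim_txt(record).get("p") != public_key:
            report[domain] = f"key mismatch: {name} publishes a different key"
        else:
            report[domain] = "ok"
    return report

# Constructed sample data: reserved example domains, placeholder key strings.
SIGNING = [("*.example.com", "k1"), ("example.net", "k2"), ("example.org", "k3")]
KEYS = {"k1": ("mail", "PUBKEYA"), "k2": ("mail", "PUBKEYB"), "k3": ("mail", "PUBKEYC")}
DNS = {
    "mail._domainkey.mail.example.com": "v=DKIM1; k=rsa; p=PUBKEYA",
    "default._domainkey.example.net": "v=DKIM1; k=rsa; p=PUBKEYB",
    "mail._domainkey.example.org": "v=DKIM1; k=rsa; p=PUBKEYOLD",
}
SENDERS = ["example.com", "mail.example.com", "example.net", "example.org"]

if __name__ == "__main__":
    for domain, status in audit(SENDERS, SIGNING, KEYS, DNS).items():
        print(f"{domain}: {status}")
```

In the sample data only `mail.example.com` comes back `ok`: the bare `example.com` is not matched by `*.example.com`, `example.net` publishes its key under a different selector, and `example.org` publishes a key that does not belong to the configured signing key.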
Now Gmail passes my messages with SPF, DMARC, and DKIM for all my domains! So little mail passes out for the subdomains that I’m going to leave them off for now (as in I couldn’t find any in the logs yet this year).