Fixed How often does the VerifyEmailDkim job run?

iaresee

I'm trying to get DKIM set up on my forum.

DNS is set up and, afaict, propagated pretty thoroughly at this point.

Dmarcian thinks my DKIM setup for selector xenforo is correct. But test emails sent to mail-tester.com are failing the DKIM sig check: https://www.mail-tester.com/test-vrk4rdz4f&reloaded=1

The forum admin panel is still showing "Attempting to verify your DNS record but it may take up to 24 hours for DNS changes to propagate. If it has been longer, you may need to verify your entries." Which led me down the path of looking for where, in the code, verification is done. I found the VerifyEmailDkim job but it does not appear to be a job I can kick off.

How often is that verification job, VerifyEmailDkim, run by the forum software? Is there a way for me to execute it and check the log output from the job run?

I feel like the last step is getting the email options for dkim set up. And my feeling is that I'm getting DKIM signature failures because of the lack of verified:true in the email options here:

Code:
MariaDB [xenforo_forum]> select option_value from xf_option where option_id = "emailDkim";
+----------------------------------------------------------------------------------------------------------------------+
| option_value                                                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| {"enabled":true,"verified":false,"failed":false,"domain":"fractalaudio.com","privateKey":"emailDkim-wOi1IPkJBq.key"} |
+----------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

Note that the keyfile does exist.

I'm somewhat tempted to flip that bit by hand... :)

Thanks in advance for any troubleshooting help here!

- Ian
 
Looking at Mail.php, it doesn't look like it cares if the setup is verified or not. Just enabled. So I believe my server is trying to sign my emails.

But why it's getting the signature wrong isn't apparent at this point. Is there more debugging I can enable server-side to sort this out? SwiftMailer code isn't very enlightening to read here.
 
The verify job will run (approximately) 5, 30 minutes and 1, 12, 24 hours after the DKIM setup has been performed:

XF\Job\VerifyEmailDkim::getNextAttemptDate
PHP:
protected function getNextAttemptDate(int $previousAttempts)
{
    switch ($previousAttempts)
    {
        case 0: $delay = 5 * 60; break; // 5 minutes
        case 1: $delay = 30 * 60; break; // 30 minutes
        case 2: $delay = 3600; break; // 1 hour
        case 3: $delay = 12 * 60 * 60; break; // 12 hours
        case 4: $delay = 24 * 60 * 60; break; // 24 hours
        default: return null; // give up
    }

    return time() + $delay;
}

XenForo indeed doesn't care if the DNS record is verified, it immediately starts to sign emails once the setup has been completed (and doesn't even stop doing so if the verification fails).
This seems like (another) bad implementation detail, as this could cause emails to be signed without the corresponding public key being published successfully, effectively increasing the likelihood for those emails to be flagged as spam.

 
@Kirby thank you very much. At least I know it's trying to set that flag.

I do think there's something wrong with the signing side of things. The DKIM record is fine and the emails are definitely getting signed. But signature verification fails.

I'm using the PHP built-in mail system to send emails FWIW.

I'm certain I don't have DKIM setup at the sendmail level on my host system.
 
Is there any chance that one of the intermediate mailservers (you've got Exim and Postfix involved?) is messing with one of the signed headers (like Message-Id)?
That would explain why the signature check fails.

I'd try to log an email as it is generated by XF and compare that to what is actually being received by mail-tester.com
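
The comparison suggested above can be scripted. This is an added example, not code from the thread or from XenForo: it assumes both copies are saved as raw CRLF-delimited messages and that the signature uses `c=relaxed/relaxed` with SHA-256, and the sample message, addresses and `b=` value are constructed.

```python
import base64, hashlib, re

def split_message(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []                                   # items: [lowercased name, raw value]
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b"\r\n" + line       # folded continuation line
        else:
            name, _, value = line.partition(b":")
            headers.append([name.strip().lower(), value])
    return headers, body

def relaxed_header(value):  # RFC 6376 3.4.2: unfold, collapse whitespace, trim
    return re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b"")).strip()

def relaxed_body(body):     # RFC 6376 3.4.4: per-line cleanup, drop trailing empty lines
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def dkim_tags(headers):
    for name, value in headers:
        if name == b"dkim-signature":
            flat = re.sub(rb"\s+", b"", value)     # tag values may be folded
            return dict(t.split(b"=", 1) for t in flat.split(b";") if b"=" in t)
    return {}

def diff_signed(sent_raw, received_raw):
    (sent, _), (recv, recv_body) = split_message(sent_raw), split_message(received_raw)
    tags, findings = dkim_tags(recv), []
    for name in tags.get(b"h", b"").lower().split(b":"):   # only headers listed in h= are signed
        before = [relaxed_header(v) for n, v in sent if n == name]
        after = [relaxed_header(v) for n, v in recv if n == name]
        if before != after:
            findings.append(f"header {name.decode()} changed in transit")
    bh = base64.b64encode(hashlib.sha256(relaxed_body(recv_body)).digest())
    if bh != tags.get(b"bh"):                      # bh= is the hash the signer computed
        findings.append("body hash mismatch (body altered after signing)")
    return findings

# Constructed sample: the message as generated, and the same message after a relay
BODY = b"Hello  forum member \r\n\r\n"
BH = base64.b64encode(hashlib.sha256(relaxed_body(BODY)).digest())
SENT = (b"From: Forum <noreply@example.com>\r\nSubject: Test\r\nMessage-ID: <constructed-1@forum.example.com>\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=xenforo;\r\n"
        b" h=from:subject:message-id; bh=" + BH + b"; b=CONSTRUCTED\r\n\r\n" + BODY)
RECEIVED = SENT.replace(b"<constructed-1@forum.example.com>", b"<rewritten@relay.example.net>")
```

Calling `diff_signed(SENT, RECEIVED)` names the signed header a relay rewrote; an empty list means the signed headers and body arrived unchanged, so the failure lies in the signing step or the published key rather than in transit.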
 
> Is there any chance that one of the intermediate mailservers (you've got Exim and Postfix involved?) is messing with one of the signed headers (like Message-Id)?

Not likely, but I can dig into this.

> I'd try to log an email as it is generated by XF and compare that to what is actually being received by mail-tester.com

I'll try that. Not entirely certain how to do that, but I'll poke around. Xenforo being a bit of a black box here and all.
 
To close the loop:

I disabled Xenforo’s DKIM feature and instead set up DKIM on sendmail at my server layer.

Took a bunch to get that working (and it was specific to my server and DNS setup) but once I got the DNS DKIM records correct, using sendmail in Xenforo to send the email saw them signed correctly.

Thank you for the clues to solving this @AndyB and @Kirby!
 