A short howto on identifying issues with DKIM not signing
For example, a client had the following error:
Authentication-Results: REDACTED; dkim=neutral reason="invalid (public key: not available)" header.d=REDACTED
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=REDACTED;
h=subject:content-type:from:reply-to:to:content-transfer-encoding:cc: content-type:from:subject:to;
s=REDACTED; bh=REDACTED; b=REDACTED
Note that the domain and signatures above are "REDACTED" to protect the identity of the client we are talking about. Let's use the ottenheimer.com server instead to show how to diagnose this issue:
The sending mail server signs each email with a private key, and the receiving server has to know where to fetch the corresponding public key. When you receive an email, two tags in the DKIM-Signature header are the ones that matter:
d=DOMAIN and s=PREFIX
The receiving mail server needs both to validate the signature: the selector (s=) becomes the prefix of the DNS name and the signing domain (d=) its suffix, giving PREFIX._domainkey.DOMAIN. For example, an email from the mail server for ottenheimer.com will have
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ottenheimer.com;
h=subject:content-type:from:reply-to:to:content-transfer-encoding:cc: content-type:from:subject:to;
s=mailkey; bh=REDACTED; b=REDACTED
So we can verify that the public key is set up properly with either
dig txt mailkey._domainkey.ottenheimer.com
or
host -t txt mailkey._domainkey.ottenheimer.com
both of which return
mailkey._domainkey.ottenheimer.com descriptive text "v=DKIM1; k=rsa; p=MIIBI
jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk68cXpCVZFsv4sxFjtbaxzeNGqb89eqCmm5OmzzoyjbSFtGLMUDyc1L0OJoP3/pniR
ZtLW2n7Q8UqEGHgsrQQtRjV7LTai4q9F42z8klgMT5ol5igv6cgp1UzoTNHjLeHacH/NJr4kUh8lzhVesBV/Eq59uaPaFnMzsBBendBRJ
Xh1VQo9jN/HzpzqEBWRrQu" "2OygTgjSq/DB5qoa0CFE932UosYDG+Hs2nO6AGJsuIUgs5JWALcix+K9qhGELdNQAC4QCOsu10tWEKl6
FQXf1uXau3ZuZiUJnCr/8RdystJp7LUDZaD4lFk55TkTgb/KN2crmrtfJFjk+dlUSP10QIDAQAB"
(note: mailkey is not the actual DNS entry here, but shortened for readability).
In this case, when we did
host -t txt REDACTED._domainkey.REDACTED
we saw no public key. That told us that although the client had set up their mail server properly, they had not set up their DNS properly: the selector record the receiving server looks for did not exist, which is exactly the "public key: not available" result in the error above.