DKIM signing skipped

[barnabehvrd]

DKIM signing skipped for authenticated users / local networks

Description

Outgoing emails are not being signed with DKIM when sent from authenticated users (e.g., via Roundcube webmail). This causes DMARC failures when receiving servers check the signature.

Steps to reproduce

1. Configure a domain with DKIM enabled via the admin interface
2. Verify DKIM key is correctly stored in Redis (dkim_keys hash)
3. Verify DNS TXT record is correctly configured
4. Send an email to an external address (e.g., mail-tester.com)
5. Check Rspamd logs

Expected behavior

Outgoing emails should be signed with DKIM.

Actual behavior

Emails are not signed. Rspamd logs show:

proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
lua; dmarc.lua:460: skip DMARC checks as either SPF or DKIM were not checked

Root cause

In dkim_signing.conf, the options sign_authenticated and sign_local are not set, so Rspamd defaults to skipping DKIM signing for:

• Authenticated users
• Connections from local/Docker networks

Since all traffic in a Docker setup comes from internal networks (172.x.x.x), DKIM is never applied to outgoing mail.

Suggested fix

Add the following to dkim_signing.conf:

sign_authenticated = true;
sign_local = true;

Environment

• docker-mailserver version: v7.3.2
• Rspamd container: jeboehm/mailserver-filter:latest

[jeboehm]

Hi @barnabehvrd

the quoted log does not indicate that the message won’t be signed. You need to check which symbols the message actually gets — DKIM_SIGNED is what you want.
That being said, I cannot reproduce your issue.
Please send an email to an external address and check the headers of the received message. You should find a DKIM-Signature header there.

#9(rspamd_proxy) <e2db57>; proxy; rspamd_task_write_log: id: <17611cf7e0aa3af43b5f3f6be2dd0ba6@mydomain.invalid>, qid: <0536429>, ip: 10.42.0.153, user: hello@mydomain.invalid, from: <hello@mydomain.invalid>, (default: F (no action): [-0.10/15.00] [MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},DKIM_SIGNED(0.00){mydomain.invalid:s=dkim;},FREEMAIL_ENVRCPT(0.00){web.de;},FREEMAIL_T O(0.00){web.de;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},LOCAL_OUTBOUND(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;},MISSING_XM_UA(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 329, time: 395.015ms, dns req: 14, digest: <2fac72d84ec879620eff2ec8d9ebebee>, rcpts: <rcpt@otherdomain.invalid>, mime_rcpts: <rcpt@otherdomain.invalid>

[barnabehvrd]

Sorry for the late reply !

Here is the header when sending from roundcube :

Received: by mail-tester.com (Postfix, from userid 998)
	id 448C210EABD; Wed, 28 Jan 2026 17:01:11 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on oci-mt1
X-Spam-Level: 
X-Spam-Status: No/-0.0/5.0
X-Spam-Test-Scores: HTML_MESSAGE=0.001,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001
X-Spam-Last-External-IP: 82.66.203.187
X-Spam-Last-External-HELO: mail.my.domain
X-Spam-Last-External-rDNS: mail.my.domain
X-Spam-Date-of-Scan: Wed, 28 Jan 2026 17:01:11 +0000
X-Spam-Report: 
	* -0.0 SPF_PASS SPF: sender matches SPF record
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	*  0.0 HTML_MESSAGE BODY: HTML included in message
DMARC-Filter: OpenDMARC Filter v1.4.2 mail-tester.com 9A0C010DB6C
Authentication-Results: mail-tester.com; dmarc=fail (p=reject dis=none) header.from=my.domain
Received: from mail.my.domain (mail.my.domain [82.66.203.187])
	by mail-tester.com (Postfix) with ESMTPS id 9A0C010DB6C
	for <test-tssbuaxhx@srv1.mail-tester.com>; Wed, 28 Jan 2026 17:01:09 +0000 (UTC)
Received: from mail.my.domain (docker-mail-web-1.docker-mail_default [172.19.0.8])
	by mail.my.domain (Postfix) with ESMTPSA id 2666EA6860F
	for <test-tssbuaxhx@srv1.mail-tester.com>; Wed, 28 Jan 2026 17:01:09 +0000 (UTC)
MIME-Version: 1.0
Date: Wed, 28 Jan 2026 18:01:08 +0100
From: hello@my.domain
To: test-tssbuaxhx@srv1.mail-tester.com
Subject: Test
Message-ID: <0dc55fd0751d9bb074add34366e63fa8@my.domain>
X-Sender: hello@my.domain
Content-Type: multipart/alternative;
 boundary="=_52b3f131944db4c37f3cff6dd814c1a7"

I have replaced my domain with my.domain

RSpamd have the following logs:

filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; rspamd_message_parse: loaded message; id: <7b64ee03d70f788962fa0e43102ddeff@my.domain>; queue-id: <4143DA68613>; size: 805; checksum: <2f1ca9412cbde623e7a3661328d5ccd9>
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; rspamd_mime_part_detect_language: detected part language: hu
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; rspamd_mime_part_detect_language: detected part language: hu
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; lua; greylist.lua:256: skip greylisting for local networks and/or authorized users
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; lua; spf.lua:189: skip SPF checks for local networks and authorized users
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; lua; dmarc.lua:460: skip DMARC checks as either SPF or DKIM were not checked
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; lua; once_received.lua:51: Skipping once_received for authenticated user or local network
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; lua; greylist.lua:388: Score too low - skip greylisting
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; rspamd_task_write_log: id: <7b64ee03d70f788962fa0e43102ddeff@my.domain>, qid: <4143DA68613>, ip: 172.19.0.8, user: hello@my.domain, from: <hello@my.domain>, (default: F (no action): [0.40/15.00] [R_PARTS_DIFFER(0.50){100.0%;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},LOCAL_OUTBOUND(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},MISSING_XM_UA(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 805, time: 2.196ms, dns req: 0, digest: <2f1ca9412cbde623e7a3661328d5ccd9>, rcpts: <test-51wxv9zm5@srv1.mail-tester.com>, mime_rcpts: <test-51wxv9zm5@srv1.mail-tester.com>
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ad63b1>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 180 regexps total, 43 regexps cached, 0B scanned using pcre, 571B scanned total
filter-1     | 2026-01-28 17:03:22 #9(rspamd_proxy) <ec40b4>; proxy; proxy_milter_finish_handler: finished milter connection

And this is the logs of Rspamd when using SMTP:

filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; proxy; rspamd_message_parse: loaded message; id: <20260128182410.2265167@instance-20230312-1848>; queue-id: <40DABA6860F>; size: 270; checksum: <6b1236780e65d44b3fde7e5d76a6bf49>
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; proxy; rspamd_mime_part_detect_language: detected part language: en
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; lua; greylist.lua:256: skip greylisting for local networks and/or authorized users
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; lua; spf.lua:189: skip SPF checks for local networks and authorized users
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; lua; dmarc.lua:460: skip DMARC checks as either SPF or DKIM were not checked
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; lua; once_received.lua:51: Skipping once_received for authenticated user or local network
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; lua; greylist.lua:388: Score too low - skip greylisting
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; proxy; rspamd_task_write_log: id: <20260128182410.2265167@instance-20230312-1848>, qid: <40DABA6860F>, ip: 130.61.140.144, user: hello@my.domain, from: <hello@my.domain>, (default: F (no action): [0.90/15.00] [MID_RHS_NOT_FQDN(0.50){},R_MISSING_CHARSET(0.50){},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},LOCAL_OUTBOUND(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 270, time: 2.207ms, dns req: 0, digest: <6b1236780e65d44b3fde7e5d76a6bf49>, rcpts: <test-rxj87dtit@srv1.mail-tester.com>, mime_rcpts: <test-rxj87dtit@srv1.mail-tester.com>
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <336b0f>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 180 regexps total, 57 regexps cached, 0B scanned using pcre, 337B scanned total
filter-1     | 2026-01-28 17:24:12 #9(rspamd_proxy) <bdd4cc>; proxy; proxy_milter_finish_handler: finished milter connection

DKIM is still skiped, even when my IP is external.

I had to add a bind mount into my dockerfile :

services:
  filter:
    image: jeboehm/mailserver-filter:latest
 (...)
  volumes:
    - data-filter:/var/lib/rspamd
    - /docker-mail/config/rspamd/dkim_signing.conf:/etc/rspamd/local.d/dkim_signing.conf:ro

dkim_signing.conf contains the following :

allow_local = true;
sign_local = true;
sign_authenticated = true;
use_redis = true;
key_prefix = "dkim_keys";
selector = "dkim";
use_domain = "header";

With this configuration, emails are DKIM-signed (with both roundcube & SMTP) :

filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; proxy; rspamd_message_parse: loaded message; id: <20260128183120.2266444@instance-20230312-1848>; queue-id: <4C469A6860F>; size: 253; checksum: <6b1236780e65d44b3fde7e5d76a6bf49>
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; proxy; rspamd_mime_part_detect_language: detected part language: en
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; lua; greylist.lua:256: skip greylisting for local networks and/or authorized users
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; lua; spf.lua:189: skip SPF checks for local networks and authorized users
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; lua; dmarc.lua:460: skip DMARC checks as either SPF or DKIM were not checked
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; lua; once_received.lua:51: Skipping once_received for authenticated user or local network
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; lua; greylist.lua:388: Score too low - skip greylisting
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; proxy; rspamd_task_write_log: id: <20260128183120.2266444@instance-20230312-1848>, qid: <4C469A6860F>, ip: 130.61.140.144, user: hello@my.domain, from: <hello@my.domain>, (default: F (no action): [0.90/15.00] [MID_RHS_NOT_FQDN(0.50){},R_MISSING_CHARSET(0.50){},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:31898, ipnet:130.61.128.0/17, country:US;},DKIM_SIGNED(0.00){my.domain:s=dkim;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},LOCAL_OUTBOUND(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 253, time: 438.037ms, dns req: 13, digest: <6b1236780e65d44b3fde7e5d76a6bf49>, rcpts: <hello@my.domain>, mime_rcpts: <hello@my.domain>
filter-1     | 2026-01-28 17:31:22 #9(rspamd_proxy) <fb78ac>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 180 regexps total, 57 regexps cached, 0B scanned using pcre, 303B scanned total

The used images are the following:

CONTAINER                 REPOSITORY                     TAG                 PLATFORM            IMAGE ID            SIZE                CREATED
docker-mail-db-1          mysql                          lts                 linux/amd64         63e8ae20eaef        233MB               5 days ago
docker-mail-fetchmail-1   ghcr.io/jeboehm/fetchmailmgr   0.4.0               linux/amd64         56c40565046c        58.5MB              3 months ago
docker-mail-filter-1      jeboehm/mailserver-filter      latest              linux/amd64         820b28785481        89.3MB              6 days ago
docker-mail-mda-1         jeboehm/mailserver-mda         latest              linux/amd64         a1273e195843        59.8MB              6 days ago
docker-mail-mta-1         jeboehm/mailserver-mta         latest              linux/amd64         a6afcedbf170        16.3MB              6 days ago
docker-mail-redis-1       redis                          8.2-alpine          linux/amd64         28c9c4d75969        27.5MB              2 months ago
docker-mail-unbound-1     jeboehm/mailserver-unbound     latest              linux/amd64         fabf968ed796        9.5MB               6 days ago
docker-mail-web-1         jeboehm/mailserver-web         latest              linux/amd64         41464888ef41        73.7MB              6 days ago

[jeboehm]

Thank you for the information!
What's now missing from your configuration is

check_pubkey = true;
allow_pubkey_mismatch = false;

which prevents rspamd from signing when the dns records aren't correct.

Is the dns wizard / dkim config in mailserver-admin green?

sign_authenticated = true;
sign_local = true;

These are already the defaults.