DKIM permission denied


I’ve not looked at the default group membership but I suspect you will need to go looser. works well.


Does as well, thank you very much, I’ve already sent a message and got an initial result, recorded it for later.


I have changed dkim.key to admin:admin rw-r–r-- but as my DNS records are not being updated, owing to some change somewhere I must have made somewhen, I have decided to directly edit my DNS entries to try and get this up and running.

I have started with the SPF record which now looks like this in my pre-DNS DNS TXT file (I’m waiting on the DNS to update, too much other work on to immediately run the DNS update via Symbiosis).

# SPF attempt 1
#  IN TXT "v=spf1 +mx +a ip4:x.x.x.x/32 ip4:y.y.y.y/32 ?all"

Hopefully this will do the trick, the IPs are single IP addresses (/32), representing my two offices.

Next up will be DKIM DNS stuff, and suggestions for that would eb greatly appreciated, although I will be researching it myself, and will update this thread when and if I’m confident enough to post it.


It may be easier to backup & delete the config/dns/domain.txt file and let symbiosis do its automagic with dkim and spf, etc. Alternatively, the symbiosis dns-update script can probably be manually run with --force (& --verbose) with the domain.

It’s not as literal as that. I think it requires tinydns format and encoding. E.g. this sets up a(n aggressive) TXT record…

# SPF records
' ip4\072217.151.97.225/29 ip4\072213.138.100.55 ip6\0722001\07241c8\07251\07237\072fcff\072ff\072fe00\072445b -all:300


Oof! That did it!

Okay, so I simply moved the old config/dns/domain.txt to config/dns/domain/domain.txt~, then ran symbiosis-dns-generate --verbose and my DNS text file has been recreated with all the good stuff in there (SPF, DKIM, DMARC).

I did receive a couple of errors whilst generating the DNS entries, not sure if it’s a problem:

Configuring site for the first time
    Writing snippet to /srv/
    /usr/lib/ruby/vendor_ruby/erubis/enhancer.rb:517: warning: instance variable @prefixrexp not initialized
    /usr/lib/ruby/vendor_ruby/symbiosis/domain/dkim.rb:25: warning: instance variable @dkim_key not initialized
    Writing data to /root/BytemarkDNS/data/.mail......tmp
    Renaming /root/BytemarkDNS/data/.mail.......tmp to /root/BytemarkDNS/data/mail......txt
    Writing data to /root/BytemarkDNS/data/.......tmp
    Renaming /root/BytemarkDNS/data/.......tmp to /root/BytemarkDNS/data/

Definitely Ruby errors, but the effect? I dunno, non-initialised looks like Warnings to me rather than Errors.

I will resend another test email in another hour or so, and hopefully it’ll be working as expected.


Just to advise, I have now sent another email test to Mail-Tester and the results are in!

8.2/10, vast improvement on 3.2/10. Pyzor check let me down in the end, but then I guess that what happens when you put “testing” all over the mail.


It’s been that way for years and is safely ignored, apparently. :wink:

(I think there was some talk on github about hiding the warnings, at some point).


Hi, you can always email our support address, and ask us to look at the headers for you. We don’t bite :wink:


I shall do that. Tomorrow. :slight_smile:


Email sent, got the auto-reply, but no hurry.

Anyway, I found this in my mailbox, but I thought this wasn’t possible now that I had my SPF & DKIM in place?

Return-path: <>
Envelope-to: Received: from []
by with esmtp (Exim 4.89)
(envelope-from <mcallister@com>) id 1gtWDf-0000N0-T4 for;
Tue, 12 Feb 2019 11:27:23 +0000
Message-ID: <>
From: <>
To: <>
Subject: Votre compte Date: 13 Feb 2019 04:15:29 +0800
MIME-Version: 1.0
Content-type: multipart/alternative; boundary="---B819A81BF409AA47E657E40BF655B819"
X-Mailer: Ginlxfhi kmyedb
X-Spam-Score: 17.6
X-Spam-Bar: +++++++++++++++++ X-Spam-Status: spam X-Anti-Virus: clean

Note that I have obfucated the vital server details. Any thoughts on why I would still receive this? I assumed it would be rejected…


I’m assuming that the abusive host spoofed your address and you’re wondering why symbiosis didn’t reject the message due to invalid spf.

spf, dkim, dmarc are basic attempts to tell the world that you might be trustworthy - and improve the chances of your outbound landing where you want it to.

Rejecting on spf & dkim is risky because things change during transit (sender rewriting may or may not take place during transit, headers change, etc.) and symbiosis is rightly conservative with its default spf policy and in what it accepts.

In this case, I’d argue that it should reject because someone non-local, non-auth, is spoofing your sender address – but that’s a separate policy decision, nowt to do with spf.

(The IP is listed on many dnsbl, including zen, so I’m surprised it wasn’t rejected on that basis).


Gosh golly, I feel so lacking in knowledge right about now. :expressionless:

Still confuses me that they can send that, and still be allegedly from my vhost. But I don’t have any dnsbl hooked up owing to the fact that they don’t like free accounts from business, and as I’m a business I don’t feel legit hitting their servers all the time without paying for an account, which I can ill afford right now.

So, they can still send as if from my vhost, but they won’t have the SPF, DKIM and all that whizz-bang in their headers? If I’m consuming this information correctly.


I just did that, this is the response I got:

Thanks for contacting Bytemark support. May I recommend for testing and improving the deliverability of your emails.

It’d be funny if it wasn’t oh so ironic.


If it’s any help, everybody lacks knowledge, permanently. :slight_smile:

It’s a policy decision. You (symbiosis) are in full control of what you chose to accept. I think it should be junked but not because of spf or dkim.

Noble. Spamhaus is one of the finest things on the Internet. Looking now, the Spamhaus Usage Terms are slightly ambiguous when it comes to “non-commercial” – they clearly want to exclude the likes of anti-spam appliance vendors but I’m not sure about, say, web design/hosting services where email is explicitly charged. They look difficult to contact but I’ll try and find out. Anyway, you’re free to use the service for your own company email so I’d give it a spin there, right now. For other domains, barracuda is a good bet but that’ll require a tweak: Email defences; additional DNS RBL.

Another option is adding the free SaneSecurity signatures to clamav - Clamav: adding Sanesecurity signatures. I’ve only run this on a 2Gb machine where it’s working well – 70+ rejections showing in the logs recently.

Yup. Spf/dkim/dmarc primarily benefits outbound deliverability…

I think your best course of action is to rev up dns rbl. Running without zen is almost unthinkable. :slight_smile:


Thank you for the clarifications, much appreciated.

Going to fire up the old spamhaus then. :slight_smile:
Following the Symbiosis Email Guide seemed pretty straightforward, will keep an eye on the logs again.

As for the DNS RBL and ClamAV stuff, something for another time, perhaps.

That other time was late last night (already noted above), when I started with zen spamhaus, and my goodness, it’s incredible, I can see how it’s unthinkable not running it, given the success rate of rejects.


Oh, I’m sorry about that. I’ll try to find out what happened there.


In my experience, they will contact you if they consider that your usage is above average. This is what happened us. They then charge you based on the number of email addresses you are supporting. I’ve continued to pay because I think they are very worthy of support.


Ah, thanks. (I wonder how they got in touch). I’m surprised they use number of addresses as a metric.

I imagine I’ve been well under the usage limits so I’ve never had to think about it, until now. :wink: Yes, they’re awesome. I’m fairly sure I donated but that was a while back.


I’ve set it to admin:admin rw-r----- for now, I see no reason why world should have read access

I’ve just had a similar problem. The “permission denied” log entry showed UID=104 and GID=106, belonging to Debian-exim, which is still unable to read the file with the above settings. I changed it to
admin:Debian-exim rw-r-----
and DKIM is working now.
I think the Symbiosis documentation should have mentioned this!


It appears I first posted on this forum in 2005, and last posted in 2012. So that’s going back a bit!

I’ve recently created by first cloud VM, and am using Symbiosis - finally moving away from ‘legacy’ Bytemark server.

Anyway, I too got the same ‘exim can’t read DKIM key’ error in the exim logs after creating the key according for Symbiosis docs. Exim runs as ‘Debian-exim:Debian-exim’, so that’s the user/group that needs to be able to read it.

Like anahata, I fixed it by setting the key file to:
admin:Debian-exim rw-r-----

While writing, the Symbiosis docs for the openssl command to create the key don’t work in Stretch - needs fiddling around in the man page so find the correct equivalent command. But that’s for another form topic.