OpenDKIM “No Signing Table Match” Error: Troubleshooting DKIM Configuration for Postfix on CentOS



When you see the "no signing table match" error in your /var/log/maillog, it means OpenDKIM couldn't find a matching entry in your SigningTable for the sender address. In your case, emails from test@mail.example.com aren't being signed despite what appears to be proper configuration.

Let's examine your current configuration files:

# KeyTable
default._domainkey.mail.example.com  mail.example.com:default:/etc/opendkim/keys/mail.example.com/default.private

# SigningTable
*@mail.example.com default._domainkey.mail.example.com

# TrustedHosts
127.0.0.1
example.com
mail.example.com

Here are specific areas to verify in your setup:

# 1. Verify file permissions
ls -la /etc/opendkim/keys/mail.example.com/
# The private key should be readable by opendkim user
chown opendkim:opendkim /etc/opendkim/keys/mail.example.com/default.private
chmod 600 /etc/opendkim/keys/mail.example.com/default.private

# 2. Check SELinux context if enabled
ls -Z /etc/opendkim/keys/mail.example.com/
# If needed, reset the labels to the policy defaults:
restorecon -Rv /etc/opendkim/keys/

Consider these additional configuration parameters in /etc/opendkim.conf:

Canonicalization    relaxed/simple
Mode                sv
SubDomains          yes
Socket              inet:8891@localhost
PidFile             /var/run/opendkim/opendkim.pid
AutoRestart         yes
AutoRestartRate     10/1h
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

After making changes, test your configuration:

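# Test config syntax
opendkim -n -x /etc/opendkim.conf

# Verify the signing key against the DNS record
opendkim-testkey -d mail.example.com -s default -vvv

# Verify how the tables are declared and that an entry covers the sender
grep -Ei '^(SigningTable|KeyTable)' /etc/opendkim.conf
grep -n 'mail.example.com' /etc/opendkim/SigningTable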

# Check system logs
journalctl -u opendkim --no-pager -n 50

Ensure your Postfix main.cf contains:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters

After any changes, restart services:

systemctl restart opendkim postfix

While not directly related to the signing table error, ensure your DNS is properly configured:

dig +short default._domainkey.mail.example.com TXT

The output should show your public key with proper syntax.

Temporarily increase OpenDKIM logging level in opendkim.conf:

LogWhy              yes
Syslog              yes
SyslogSuccess       yes

Then monitor logs in real-time:

tail -f /var/log/maillog | grep opendkim

When your OpenDKIM logs show "no signing table match" for test@mail.example.com, it means OpenDKIM couldn't find a matching entry in your SigningTable for the sender address. Let's examine this systematically.

Your current configuration shows these key elements:

# KeyTable entry
default._domainkey.mail.example.com  mail.example.com:default:/etc/opendkim/keys/mail.example.com/default.private

# SigningTable entry
*@mail.example.com default._domainkey.mail.example.com

# TrustedHosts
127.0.0.1
example.com
mail.example.com

The most common causes for this error are:

  • Incorrect file permissions on /etc/opendkim/
  • Mismatch between the sender domain and SigningTable pattern
  • OpenDKIM service not reloaded after config changes
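The second cause deserves a closer look. According to opendkim.conf(5), SigningTable keys are treated as wildcard patterns only when the table is declared with the refile: dataset type; for any other type the keys are compared literally, in a fixed order, and "*" is not expanded. The script below is an added example (not from the original page and not OpenDKIM code) that models both lookups; the function names are hypothetical and shell glob matching stands in for OpenDKIM's wildcard.

```sh
#!/bin/sh
# Added example: models the SigningTable lookup documented in opendkim.conf(5).
# Function names are hypothetical; this is not OpenDKIM code.

# Literal lookup: print field 2 of the first line whose field 1 equals the key.
flat_lookup() {
  awk -v k="$2" '$1 == k { print $2; found = 1; exit } END { exit !found }' "$1"
}

# signing_table_match <file|refile> <table> <user@domain>
# Prints the KeyTable name that would be selected; returns 1 on "no match".
signing_table_match() {
  local type table addr user domain rest key value extra
  type=$1; table=$2; addr=$3
  user=${addr%@*}; domain=${addr#*@}

  if [ "$type" = refile ]; then
    # refile: keys are wildcard patterns, tried in file order against user@domain.
    # Assumption: shell glob matching stands in for OpenDKIM's '*' wildcard.
    while read -r key value extra; do
      case $key in ''|'#'*) continue ;; esac
      case $addr in $key) printf '%s\n' "$value"; return 0 ;; esac
    done < "$table"
    return 1
  fi

  # Any other table type: keys are literal strings and '*' is not expanded.
  # Order: user@host, host, user@.domain / .domain per superdomain, user@*, *.
  flat_lookup "$table" "$user@$domain" && return 0
  flat_lookup "$table" "$domain" && return 0
  rest=$domain
  while case $rest in *.*) true ;; *) false ;; esac; do
    rest=${rest#*.}
    flat_lookup "$table" "$user@.$rest" && return 0
    flat_lookup "$table" ".$rest" && return 0
  done
  flat_lookup "$table" "$user@*" && return 0
  flat_lookup "$table" "*"
}

# Constructed sample: the wildcard entry from this page, looked up both ways.
sample=$(mktemp)
echo '*@mail.example.com default._domainkey.mail.example.com' > "$sample"
echo "refile: $(signing_table_match refile "$sample" test@mail.example.com || echo 'no match')"
echo "file:   $(signing_table_match file "$sample" test@mail.example.com || echo 'no match')"
rm -f "$sample"
```

If the flat lookup is the one that fails, compare the SigningTable line in /etc/opendkim.conf with the entries in the table: a wildcard entry needs the refile: prefix, while a flat table needs a literal key such as the bare domain.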

Run these commands to verify your setup:

# Check file permissions
ls -la /etc/opendkim/keys/mail.example.com/

# Test the key against the published DNS record
opendkim-testkey -d mail.example.com -s default -vvv

# Verify that the configuration loads without errors
opendkim -n -x /etc/opendkim.conf

Here's a more robust configuration that handles edge cases:

# KeyTable with multiple domains
default._domainkey.mail.example.com mail.example.com:default:/etc/opendkim/keys/mail.example.com/default.private
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

# Expanded SigningTable
*@mail.example.com default._domainkey.mail.example.com
*@example.com default._domainkey.example.com
*.example.com default._domainkey.example.com

Use these commands to pinpoint the issue:

# Check if an entry covers the sender's domain
grep -n 'mail.example.com' /etc/opendkim/SigningTable /etc/opendkim/KeyTable

# Verify DNS records
dig TXT default._domainkey.mail.example.com

Additional checks:

  • Ensure SELinux isn't blocking access: audit2allow -a
  • Verify Postfix milter configuration in main.cf
  • Check for duplicate SigningTable entries

Create this test script to validate your setup:

#!/bin/bash
TEST_EMAIL="test@mail.example.com"
echo "Testing configuration for $TEST_EMAIL"

# Test table matching
echo "SigningTable entries for the sender domain:"
grep -n "${TEST_EMAIL#*@}" /etc/opendkim/SigningTable

# Test key verification
echo -n "DNS record check: "
dig +short TXT default._domainkey.mail.example.com | grep -i "v=dkim1"

# Test message signing
echo "Quick test message:"
{
  echo "From: $TEST_EMAIL"
  echo "To: recipient@example.com"
  echo "Subject: DKIM Test"
  echo ""
  echo "Test message body"
} | opendkim-testmsg -d mail.example.com -s default \
    -k /etc/opendkim/keys/mail.example.com/default.private