On a Ubuntu 20.04 VPS, installing opendkim via
sudo apt install opendkim opendkim-tools proceeds as expected, following the steps provided here.
However, upon testing, while e-mails get sent in practice to the targetted mailbox with a very low spam score (3.9) and thus percolate outside of spam filetering,
sudo opendkim-testkey -d domain.tld -s default -vvv
returns unexpected and somewhat contradictory conclusions:
opendkim-testkey: key not secure
opendkim-testkey: key OK
The key is OK, but not secure. This puts into doubt the 'OK' bit. What has to be done to make the key secure?
Update
Following suggestion in comments,
contents of opendkin.conf follow:
Syslog yes
Logwhy yes
UMask 007
Canonicalization relaxed/simple
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
Socket local:/run/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
include
UserID opendkim
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
