DKIM no signature header on outgoing emails (auto-installer Debian NGINX setup) — amavisd testkeys?

Discussion in 'ISPConfig 3 Priority Support' started by conductive, Jan 5, 2026 at 12:54 AM.

  1. conductive

    conductive Member HowtoForge Supporter

    Debian server with NGINX, installed via official ISPConfig auto-installer (get.ispconfig.org script).
    Self-hosted mail on mriservice.com (MX: mail.mriservice.com / mr1.mriservice.com, IP 204.12.225.98, Nocix/WholeSale Internet dedicated).

    DNS:
    - SPF: v=spf1 mx a ~all (passes)
    - DMARC: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:p[email protected]; etc. (published)
    - DKIM public key: default._domainkey.mriservice.com TXT with 2048-bit key (recently generated/shown in panel, added via eNom)

    In ISPConfig panel > Email > Domains > mriservice.com > DomainKeys Identified Mail (DKIM) button:
    - Generates key pair and shows correct DNS TXT record (no separate "Enable DKIM" checkbox visible).

    Outgoing emails: NO DKIM-Signature header added at all.
    Tests (mail-tester.com, [email protected]25.com): invalid/no DKIM signature (-3 SpamAssassin penalty).

    SSH checks:
    - opendkim -V → command not found (expected, since modern ISPConfig uses amavisd for DKIM?)
    - amavisd-new is installed and running.

    Is DKIM signing handled by amavisd-new in current auto-installer setups?

    To diagnose/fix:
    1. Run "amavisd-new testkeys" — what should it output if keys are loaded correctly?
    2. If no output or error, is $enable_dkim_signing = 1; needed in /etc/amavis/conf.d/50-user?
    3. Then regenerate key in panel and restart amavisd-new/postfix?

    Multiple domains on server — any per-domain issues?

    eNom DNS access separate problem (login flaky, no widespread outage Jan 2026).

    Thanks — stuck on this for days despite DNS being correct.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Old ISPConfig installations use Amavisd, current ISPConfig versions use Rspamd. And yes, Opendkim shall not be installed. So this must be either an old system or you used an old installation guide if you still use Amavisd. Having Amavisd installed instead of Rspamd is ok, it's just an old system architecture and typically not used anymore today. But Amavisd as well as Rspamd are able to sign emails with DKIM.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The 50-user file should be fine, unless you edited it manually. But you can try changing it of course. Regarding amavisd-testkeys, you can find information about this in the amavisd documentation, on the internet with Google or by using AI. I haven't used Amavisd for many years, so I do not even have a test system around anymore for it.
     
  4. conductive

    conductive Member HowtoForge Supporter

    Thanks for the reply.
    Sorry I got way out over my head on this one.
    -------
    root@mr1:/# find / -iname Rspamd
    /usr/bin/rspamd
    /usr/share/rspamd
    /usr/share/lintian/overrides/rspamd
    /usr/share/doc/rspamd
    /usr/lib/rspamd
    /var/log/rspamd
    /var/lib/rspamd
    /run/rspamd
    /etc/rspamd
    /etc/logrotate.d/rspamd
    /etc/init.d/rspamd

    My problem is
    Your DKIM signature is not valid
    DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
    The DKIM signature of your message is:

    v=1;
    a=rsa-sha256;
    c=relaxed/relaxed;
    d=MyDomain.com;
    s=default;
    t=1767633945;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type:content-transfer-encoding:content-transfer-encoding;
    bh=aebk3u0e3gcHaLz8bqsXH96nOURkILWWwrd5GShQTgg=;
    b=S7Y7Xpagz81WSSvTZFSXMFNMc+BFVeA7vL6m2dADBFfJqQqK9adKWH8TDLSoIu0qU2nqaonTwuufeBO7aiehfEfM/0MFcG3jBm37EH65ZzLU/tSknlRzgUsVIafwhTOItPSqilIuZgPtBTl22dObqdG9ciDStcr1gqxH3HLUG+z6LYchvxYG/kT0B8ddbpI23qPbccO51oV7l21B37LUp0k9jmxLlJy3LUFIWJRCoBdMvcSqolAfsWnSX/Co+IvH8kb3FG54A7BbyctRcWRA1+iZ28yVrdV8OMiBOTZ0navr1VldxBe51VpUceoyPiAkatwV6n9C6ItM2m7sIOwTkw==
    We were not able to retrieve your public key.
    Please ensure that you inserted your DKIM TXT DNS record on your domain mydomain.com using the selector default.
    If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated
    --------
    Dns Records

    Yes TXT default._domainkey.MyDomain.com. v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwNSSQVkSDlrg07FbwJk9h2WS/w77Kz/xNM4wIc/Ik/Rhx2x9qWwu70ZVVBPpyocJ4MN7RcD6+/+d1WmH4W/+2VdT/VudUNKzrU8HYiTT8UMvFqCm515bzunNR4KYEcCyz2fZn8ep6JQFjEfKUVC0N+eIC68RLGVCUj8nC54tz8TnaJmq+oRnUEjgZ9roA1vZ5SuqP3aQAmR9gLXrhJSUD8w0ruZCQYrs//4TaEsMNlu832/WbnirL9HE4hgCD1iVUdzHTIA4tEWOvLf5Iurgc5Y1ZAQoirVyMRNV0MAAumTZRmlKh1MFl23NLKk9aLO9PnIi412/vAelVjLrL/UGNQIDAQAB 0 3600
    Yes TXT MyDomain.com. v=spf1 mx a ~all 0 3600
    Yes TXT _dmarc.MyDomain.com. v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:p[email protected]; fo=1; adkim=r; aspf=r; pct=100; ri=86400
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so DKIM signing actually works. You do not have the right key set in DNS. The key that you must add is shown to you in ISPConfig in the DKIM signing section.
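
Added example, not part of the thread and not ISPConfig or Rspamd code: a Python sketch of the comparison post 5 points to. It derives the DNS name a verifier queries from the signature's `s=` and `d=` tags, then compares the `p=` value DNS serves with the key shown in the panel. Function names are illustrative and the sample values are constructed; on a live system the TXT answer would be the output of `dig +short TXT default._domainkey.<domain>`.

```python
# Added example; names are illustrative, sample data is constructed.
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        if sep:
            # Whitespace inside these values is folding only, so drop it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig_value):
    """DNS name a verifier queries for this signature: <s>._domainkey.<d>."""
    tags = parse_tags(sig_value)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def join_txt(answer):
    """Join the quoted chunks of a TXT answer; keys over 255 bytes are split."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', answer)
    return "".join(chunks) if chunks else answer.strip()

def check_published_key(sig_value, txt_answer, panel_key):
    """Return (query name, verdict) for the key DNS serves vs. the panel key."""
    name = key_record_name(sig_value)
    if not txt_answer.strip():
        return name, "no TXT record at this name"
    rec = parse_tags(join_txt(txt_answer))
    if rec.get("v", "DKIM1") != "DKIM1":
        return name, "not a DKIM1 record"
    if not rec.get("p"):
        return name, "empty p= (revoked or truncated record)"
    if rec["p"] != re.sub(r"\s+", "", panel_key):
        return name, "published key differs from panel key"
    return name, "match"

# Constructed sample data (not real keys): d= and s= as in the thread's header.
SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=MyDomain.com; s=default; h=from:to"
PANEL_KEY = "MIIBCONSTRUCTEDKEYAAAABBBBQIDAQAB"
TXT_OK = '"v=DKIM1; t=s; p=MIIBCONSTRUCTEDKEYAAAA" "BBBBQIDAQAB"'
TXT_STALE = '"v=DKIM1; t=s; p=MIIBOLDKEYFROMEARLIERRUNQIDAQAB"'

if __name__ == "__main__":
    for label, txt in (("ok", TXT_OK), ("stale", TXT_STALE), ("missing", "")):
        print(label, check_published_key(SIG, txt, PANEL_KEY))
```

An empty answer corresponds to the tester's "not able to retrieve your public key"; a non-empty answer with a different `p=` means the record predates the key the server currently signs with.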
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer
