Server Fault Asked on January 14, 2021
In some-not-all received emails — notably ONLY those sent via ‘bulk’ services — I get a DKIM fail: “signature verification failed”. Here’s one example:
Received message headers
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.example.com 3rfbq51KBTz2xF0
Authentication-Results: dkim.example.com/3rfbq51KBTz2xF0;
dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=proxyvote.com [email protected] header.b=XjB07H1q
But checking in ‘ dkim-stats’, it says “PASSED”
opendkim-stats dkim-stats
Job 3rfbq51KBTz2xF0 at edge (size 12124)
received via 127.0.0.1 at Wed Jun 29 01:45:37 2016
from domain = 'proxyvote.com'
Signature 1 from proxyvote.com
PASSED
signed bytes: (whole message)
Signature properties:
Key properties:
DNSSEC status: INSECURE
Here’s the accompanying dump for that message
cat dkim.3rfbq51KBTz2xF0.4dDfiv
Date: Wed, 29 Jun 2016 03:10:40 -0400
From: "PROXYVOTE" <[email protected]>
To: [email protected]
Subject: Semi-Annual Report
message-id: <[email protected]>
Reply-To: "PROXYVOTE" <[email protected]>
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=proxyvote.com; [email protected]; q=dns/txt;
s=edppsuirna01; t=1467189937; x=1498725937;
h=date:from:to:subject:message-id:reply-to:mime-version;
bh=H5lkhcTIjxd0B3N4Kdj314qELLpSKZvAAtPAS+XcM1A=;
Why do I get both ‘fail’ AND ‘pass’, and what do I need to do to fix this?
Jason, is it possible for you to change the c=simple/simple to c=relaxedrelaxed? I seen a lot of times where different DKIM Validators struggle with the whitespace folding. You say it's only failing with "Bulk", so that tells me you are sending this out through some SMTP Service, which makes me more inclined to believe the headers are being rewritten and the whitespace folding of simple/simple is the culprit. You can also run Mail Test on it, which will test it with 4 different DKIM validator - If it fails all four. It's probably what's going on, when you send through that bulk service.
Since your receiving the email, you can still re-process it and check the DKIM with another validator. This is what I do for sanity checks when I think my email server might be processing DKIM wrong. I'm using Limilabs Mail.dll to do handle the sending of the EML, but you can use whatever you want, in whatever programming language you're familiar with. DKIM stays intact and you'll be able to validate it against other DKIM Validators using online auto-responders.
Dim email As IMail
Dim mb As New Limilabs.Mail.MailBuilder
Dim smtpMail As SmtpMail = SmtpMail.CreateFromEmlFile("D:ValidateDKIMBadDKIM.eml")
email = mb.CreateFromEml(smtpMail.RawEmlData)
Using client As New Smtp()
client.ConnectSSL("mailserver", 465)
client.Login("mailserver", "password")
Dim stream As System.Net.Security.SslStream = client.ReadStream()
Dim reader As IO.StreamReader = New IO.StreamReader(stream)
client.SendMessage(New SmtpMail("Mail Check", { "[email protected]","[email protected]"}, smtpMail.RawEmlData))
client.Close()
End Using
Answered by Henry on January 14, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP