TransWikia.com

message headers say dkim = fail, stats say = PASSED. why the conflict, and how to fix?

Server Fault Asked on January 14, 2021

In some-not-all received emails — notably ONLY those sent via ‘bulk’ services — I get a DKIM fail: “signature verification failed”. Here’s one example:

Received message headers
    DKIM-Filter: OpenDKIM Filter v2.10.3 mail.example.com 3rfbq51KBTz2xF0
    Authentication-Results: dkim.example.com/3rfbq51KBTz2xF0;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=proxyvote.com [email protected] header.b=XjB07H1q

But checking in ‘dkim-stats’, it says “PASSED”

opendkim-stats dkim-stats
    Job 3rfbq51KBTz2xF0 at edge (size 12124)
            received via 127.0.0.1 at Wed Jun 29 01:45:37 2016
            from domain = 'proxyvote.com'
            Signature 1 from proxyvote.com
                    PASSED
                    signed bytes: (whole message)
                    Signature properties: 
                    Key properties:  
                    DNSSEC status: INSECURE

Here’s the accompanying dump for that message

cat dkim.3rfbq51KBTz2xF0.4dDfiv
    Date: Wed, 29 Jun 2016 03:10:40 -0400
    From: "PROXYVOTE"  <[email protected]>
    To:   [email protected]
    Subject: Semi-Annual Report
    message-id: <[email protected]>
    Reply-To: "PROXYVOTE" <[email protected]>
    MIME-Version: 1.0
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
      d=proxyvote.com; [email protected]; q=dns/txt;
      s=edppsuirna01; t=1467189937; x=1498725937;
      h=date:from:to:subject:message-id:reply-to:mime-version;
      bh=H5lkhcTIjxd0B3N4Kdj314qELLpSKZvAAtPAS+XcM1A=;

Why do I get both ‘fail’ AND ‘pass’, and what do I need to do to fix this?

One Answer

Jason, is it possible for you to change the c=simple/simple to c=relaxed/relaxed? I've seen a lot of times where different DKIM validators struggle with the whitespace folding. You say it's only failing with "Bulk", so that tells me you are sending this out through some SMTP service, which makes me more inclined to believe the headers are being rewritten and the whitespace folding of simple/simple is the culprit. You can also run Mail Test on it, which will test it with 4 different DKIM validators. If it fails all four, it's probably what's going on when you send through that bulk service.

Updated Section Below

Since you're receiving the email, you can still re-process it and check the DKIM with another validator. This is what I do for sanity checks when I think my email server might be processing DKIM wrong. I'm using Limilabs Mail.dll to handle the sending of the EML, but you can use whatever you want, in whatever programming language you're familiar with. DKIM stays intact and you'll be able to validate it against other DKIM validators using online auto-responders.

    ' Load the saved message as raw EML so its headers and body, including the
    ' DKIM-Signature, are resent exactly as received.
    Dim email As IMail
    Dim mb As New Limilabs.Mail.MailBuilder
    Dim smtpMail As SmtpMail = SmtpMail.CreateFromEmlFile("D:\ValidateDKIM\BadDKIM.eml")
    email = mb.CreateFromEml(smtpMail.RawEmlData) ' parsed copy; not used for sending

    Using client As New Smtp()
        client.ConnectSSL("mailserver", 465)
        client.Login("mailserver", "password")
        Dim stream As System.Net.Security.SslStream = client.ReadStream() ' not used below
        Dim reader As IO.StreamReader = New IO.StreamReader(stream) ' not used below

        ' Send the raw EML bytes to the validator auto-responder addresses.
        client.SendMessage(New SmtpMail("Mail Check", { "[email protected]","[email protected]"}, smtpMail.RawEmlData))
        client.Close()
    End Using

Answered by Henry on January 14, 2021
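
The whitespace-folding point in the answer above can be reproduced offline. The following is an added example, not code from the original post or from OpenDKIM: it implements the simple and relaxed canonicalizations of RFC 6376 section 3.4 and compares a header and body as signed against the same content after a relay re-folds it. The sample bytes and the function names are constructed for illustration, and the script compares canonical forms only; it does not verify an RSA signature.

```python
import base64
import hashlib
import re


def canon_header(field: bytes, mode: str) -> bytes:
    """Canonicalize one header field per RFC 6376 section 3.4.1 / 3.4.2."""
    if mode == "simple":
        return field  # simple: the field is hashed byte for byte
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t\r\n")  # collapse WSP
    return name.strip().lower() + b":" + value + b"\r\n"


def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a message body per RFC 6376 section 3.4.3 / 3.4.4."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                 for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):  # both modes ignore trailing empty lines
        body = body[:-2]
    if not body and mode == "relaxed":
        return b""  # relaxed: an empty body stays empty
    return body + b"\r\n"


def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier compares against the bh= tag (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


# Constructed sample data: what the signer hashed vs. what arrived after a
# relay re-folded the Subject header and added whitespace to the body.
SIGNED_SUBJECT = b"Subject: Semi-Annual Report\r\n"
RELAYED_SUBJECT = b"Subject:  Semi-Annual\r\n Report \r\n"
SIGNED_BODY = b"Your semi-annual report is available.\r\n"
RELAYED_BODY = b"Your semi-annual  report is available. \r\n\r\n"


def survives_relay(mode: str) -> tuple:
    """(header unchanged, body hash unchanged) under the given canonicalization."""
    header_ok = canon_header(SIGNED_SUBJECT, mode) == canon_header(RELAYED_SUBJECT, mode)
    body_ok = body_hash(SIGNED_BODY, mode) == body_hash(RELAYED_BODY, mode)
    return header_ok, body_ok


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives_relay(mode))
```

Under `simple` both comparisons fail after the whitespace changes, while under `relaxed` both still match, which is why a signer that passes through a rewriting relay is usually configured with `c=relaxed/relaxed`.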
