
We have several email servers that send out legitimate email via Postfix and use OpenDKIM.

Recently we've had some receivers claim the DKIM record can not be verified, so we've tried various tools such as mail-tester.com, isnotspam.com etc. and see the same results: some emails fail the DKIM check and others pass.

The same server can send one email with a DKIM pass, and it can send another email and the DKIM fails. It seems to be the email itself that dictates whether the DKIM will pass or not. I can replicate this with the same emails every time.

I can't understand this behaviour and wondered if anyone had seen a similar issue. How could the email itself cause a DKIM failure?

dan360
  • Do the opendkim logs on your server show errors (after increasing verbosity)? Or, if the validation is what fails: DKIM records are published in DNS and it could be that your authoritative name servers have inconsistent zone data or multiple records for the same resource. Subsequent checks may then succeed or fail because they see different responses when querying your DKIM ... and in the same category see https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns – Bob Oct 01 '20 at 11:47
  • Which headers do you sign? If you sign headers that are expected to be updated, that could cause problems – Håkan Lindqvist Oct 01 '20 at 11:50
  • When you have identified a failing sample and what happened to it, please do add the sample to your question and your insights as an answer (or improve an existing answer)! This can be highly valuable to others running into the same issue. – anx Oct 06 '20 at 12:28

1 Answer

First, rule out issues unrelated to the actual signature

  1. Check the A-R headers: Authentication-Results: host; dkim=fail means the signature failed, but Authentication-Results: host; dkim=permerror might instead just mean the recipient was unable to grab your key.
  2. Check the topmost Received: header not related to the recipient; if that is not you, you are looking at forwarded mail.

Then, determine who caused the signature to break

Grab a copy of the mail as it was submitted (e.g. stored in IMAP Sent folder), grab a copy of the raw mail as it was received, and compare byte by byte.

If the recipient cannot forward the full headers to you, you might be able to reproduce an issue by mailing it to your own box at the same provider, so you can look at the full headers.

a) You are modifying your own mail AFTER you are signing it, invalidating the signature

  1. Are you sending invalid mail, and your mail system is fixing some problems for you, such as adding a missing Date header? Fix/Replace non-compliant MUAs.

  2. Is some software you use for outgoing spam filtering modifying headers you are signing?

Ensure that the order of mail processing software places the signing last, after any such modification.

b) The recipient is modifying your mail BEFORE verifying your signature and is therefore unable to verify your signature

Examples I have seen in the wild:

  1. overlong lines have been refolded
  • Apply appropriate folding before sending - though using a relaxed DKIM canonicalization can be sufficient.
  2. some software that does accept recipient addresses case insensitively (typically Microsoft) switched the letter case of recipients to their canonical form
  • Update your address books with the canonical (typically lowercase) spelling!
  3. the recipient mail server encoded an Internationalized Domain Name (IDN) it received as UTF-8
  • This should be obvious because it will only happen with specific domains somewhere in the header. Send non-ASCII domains in IDNA encoding (xn--...)!
  4. you signed a header that is often legitimately modified by recipients
  • Do not sign headers such as Received or X-Spam-Status!

Note that if your mail server cannot apply the suggested transformation, you can still reject mail that you expect to fail - the sender can then try to use a different mail client or recipient address (or at least notice something is wrong).

anx
  • >> Did someone (typically Microsoft software) mangle letter case in some header? Have long lines been refolded in some invalid manner? - I believe this could be the most likely culprit - hadn't thought of that - will look into this more deeply - thank you. – dan360 Oct 01 '20 at 12:19
  • The email content is being pasted from Word/Outlook, which is very poor at markup. I'm fairly confident that either newlines are being misrepresented or lines are longer than allowed or have been folded. Even with relaxed/relaxed this seems to fail. To that end I am marking this as the solution - thanks for your help! – dan360 Oct 01 '20 at 12:46
  • @dan360 even if you cannot get the recipient to quote or return to you the exact mail he received, you could instead fetch the mail from his sent box and send a mail with mostly equal headers to your account at the same recipient provider. That should give you an example where you can do a proper comparison and root cause analysis. – anx Oct 01 '20 at 13:05
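The answer's core step is to compare the copy of the mail you submitted with the copy that arrived and find out which signed input changed. A plain byte-by-byte diff is noisy, because relaxed canonicalization deliberately forgives some changes (refolded headers, trailing whitespace) and not others (letter case in an address). The script below is an added example, not code from this thread or from OpenDKIM: it re-implements the RFC 6376 simple/relaxed canonicalizations with the standard library only, reads the DKIM-Signature from the received copy (the Sent-folder copy usually has none, since the MTA signs after submission), and reports which h= headers and whether the body still canonicalize identically, plus whether the bh= tag matches the received body. It does not verify the b= signature. The two sample messages, the domains, the selector, the placeholder b= value and the Authentication-Results line are constructed for the demonstration; in the sample the recipient lowercased the To address (a real failure under relaxed canonicalization) and refolded the Subject and added trailing whitespace to the body (both harmless under relaxed).

```python
"""Which DKIM-signed inputs changed between the sent copy and the received copy?
Constructed example; implements RFC 6376 canonicalization, does not verify b=."""
import base64
import hashlib
import re


def split_message(raw: bytes):
    """Return (raw header fields with their folding kept, body), CRLF-normalised."""
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line          # folded continuation line
        else:
            fields.append(line)
    return fields, body


def field_name(field: bytes) -> bytes:
    return field.partition(b":")[0].strip().lower()


def canon_header(field: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed) header canonicalization."""
    if mode == "simple":
        return field + b"\r\n"
    name, _, value = field.partition(b":")
    value = re.sub(rb"[ \t]*\r\n[ \t]*", b" ", value)      # unfold
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t")  # squeeze WSP, trim
    return name.strip().lower() + b":" + value + b"\r\n"


def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization, no l= tag."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" \t") for l in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")                 # drop trailing empty lines
    if mode == "simple" or body:                # empty relaxed body stays empty
        body += b"\r\n"
    return body


def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def parse_tags(sig_value: bytes) -> dict:
    """tag=value list of a DKIM-Signature; folding whitespace inside values removed."""
    tags = {}
    for item in sig_value.split(b";"):
        k, _, v = item.partition(b"=")
        if k.strip():
            tags[k.strip().decode()] = re.sub(rb"\s+", b"", v)
    return tags


def pick_signed(fields, names, mode):
    """Walk h= like a verifier: last instance first, a repeated name takes the next
    one up, a name with no instance left contributes nothing."""
    pools, out = {}, []
    for name in names:
        key = name.lower()
        pools.setdefault(key, [f for f in fields if field_name(f) == key])
        inst = pools[key].pop() if pools[key] else None
        out.append(canon_header(inst, mode) if inst is not None else b"")
    return out


def auth_results(received: bytes) -> list:
    """dkim= verdicts from Authentication-Results headers (step 1 of the answer)."""
    fields, _ = split_message(received)
    hits = []
    for f in fields:
        if field_name(f) == b"authentication-results":
            hits += [m.decode() for m in re.findall(rb"\bdkim=(\w+)", f)]
    return hits


def compare(submitted: bytes, received: bytes) -> dict:
    """Report which signed headers / body differ after canonicalization."""
    s_fields, s_body = split_message(submitted)
    r_fields, r_body = split_message(received)
    sigs = [f for f in r_fields if field_name(f) == b"dkim-signature"]
    if not sigs:
        raise ValueError("received copy carries no DKIM-Signature header")
    tags = parse_tags(sigs[0].partition(b":")[2])
    hc, _, bc = tags.get("c", b"simple/simple").decode().partition("/")
    bc = bc or "simple"                          # "c=relaxed" alone means relaxed/simple
    names = [n.strip() for n in tags["h"].split(b":") if n.strip()]
    changed = [n.decode().lower() for n, a, b in
               zip(names, pick_signed(s_fields, names, hc), pick_signed(r_fields, names, hc))
               if a != b]
    return {"changed_headers": changed,
            "body_changed": canon_body(s_body, bc) != canon_body(r_body, bc),
            "bh_matches_received_body": body_hash(r_body, bc) == tags.get("bh", b"").decode()}


# Constructed sample: copy from the Sent folder (no DKIM-Signature yet) ...
BODY = b"Hello Dan,\r\n\r\nplease find the report attached.\r\n"
SUBMITTED = (b"From: Reports <reports@example.com>\r\n"
             b"To: Dan.Smith@example.org\r\n"
             b"Subject: Quarterly report for the third quarter, including the regional breakdown\r\n"
             b"Date: Thu, 01 Oct 2020 11:00:00 +0000\r\n"
             b"Message-ID: <constructed-1@example.com>\r\n\r\n" + BODY)
# ... and the copy as received: To lowercased, Subject refolded, body given trailing
# whitespace. bh= is derived from BODY so the sample is self-consistent; b= is a placeholder.
RECEIVED = (b"Authentication-Results: mx.example.org; dkim=fail (signature did not verify) header.d=example.com\r\n"
            b"Received: from mail.example.com by mx.example.org; Thu, 01 Oct 2020 11:00:02 +0000\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
            b"\th=from:to:subject:date:message-id; bh=" + body_hash(BODY, "relaxed").encode() + b";\r\n"
            b"\tb=PLACEHOLDER\r\n"
            b"From: Reports <reports@example.com>\r\n"
            b"To: dan.smith@example.org\r\n"
            b"Subject: Quarterly report for the third quarter,\r\n"
            b" including the regional breakdown\r\n"
            b"Date: Thu, 01 Oct 2020 11:00:00 +0000\r\n"
            b"Message-ID: <constructed-1@example.com>\r\n\r\n"
            + BODY.replace(b"attached.", b"attached.  "))

if __name__ == "__main__":
    print("A-R dkim verdicts:", auth_results(RECEIVED))
    print(compare(SUBMITTED, RECEIVED))   # changed_headers == ['to'], body unchanged
```

Feed it your own two copies with `compare(open("sent.eml","rb").read(), open("received.eml","rb").read())`. If `changed_headers` is empty and `body_changed` is False but the recipient still reports dkim=fail, the signature inputs survived transit and the problem lies elsewhere (key lookup, a different signing MTA, or forwarding, per the answer's first two checks); a non-empty list names the header that someone rewrote.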