I get a 6.1/10 score on mail-tester.com, where the DMARC verification is the only relevant penalty (-3).

* Your DKIM signature is valid

* Your message failed the DMARC verification
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.mail.example.com:

```
"v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com"
```

Verification details:

```
mail-tester.com; dmarc=fail header.from=mail.example.com
mail-tester.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com header.i=no-reply@mail.example.com header.b=MVNy47/y; dkim-atps=neutral
From Domain: mail.example.com
DKIM Domain: mail.example.com
```

The email is sent via a paid Mailjet account via SMTP relay.

This is my DNS config and mailjet reports DKIM and SPF as "ok":

```
@                        IN TXT "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.      IN TXT "v=DMARC1;p=none;sp=none;pct=50;adkim=r;aspf=r;"
_dmarc.mail              IN TXT "v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com"
default2103._domainkey   IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBTlvBdpQXS3+g6rPM4fd" "O5EFHrt6EDRS6HMAzf4yYVsp9JwC145ftSzmw/qwdeW3c+JlwvqAipM2qf//A4HG/tpxV9ASX7Qa" "Yew6QlngiXB+T/ih37NrgUE0B2sUpijQ0n5mVd3sAstOQNPhyg5JeWOiJLLJS7xWbu/zwJ+WMB8h" "Phl5ZLrtfscsB56EawBJS/spGTKdOcq6aNm1yPUYvnWQsbWziuV9Y7NLb1yapauks1Yxug75HA12" "Zf7YTuaHPXuK+BSOSEzSUd5R/Fk7UZ1Ba1uX/OdcNKxZtaI0oYePHp9xzSMlWrj2RGbQP9WCKA0R" "HPHEKIwchsqXbIW6QIDAQAB"
mail                     IN TXT "v=spf1 include:spf.mailjet.com -all"
mailjet._bf00f643.mail   IN TXT bf00f643e7c8377f55faab9307581acd
mailjet._domainkey.mail  IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs9LUxwgF8P0uV+ulltAAyITc3aRqgsAVlr2ZygTnuYJQ10gSPU2M7NAKJTck3P10F8F49t2BnBYsKzUo4AHlZ7V5kafYu3c9Gd50TfcMyqbGB1CL+ITfRxxh3opTTMZAvcCv/EpH9+dG1iw1a1ahZHTC2TvfF6k0thbIWjWIgQwIDAQAB"
@                   3600 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 1 ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
```

I replaced the actual domain with example.com. The main domain is used by Google Workspace but mail.example.com is used for transactional emails. I am trying to send via mail.example.com.

This is the email:

```
Received: by mail-tester.com (Postfix, from userid 500)
    id 4C207A988D; Tue, 27 Jul 2021 16:51:48 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level: 
X-Spam-Status: No/0.9/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=0.1,SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001,URIBL_BLOCKED=0.001
X-Spam-Last-External-IP: xx.xxx.xxx.xxx
X-Spam-Last-External-HELO: o123.p8.mailjet.com
X-Spam-Last-External-rDNS: o123.p8.mailjet.com
X-Spam-Date-of-Scan: Tue, 27 Jul 2021 16:51:48 +0200
X-Spam-Report: 
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    *      blocked.  See
    *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: mjt.lu]
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
    *      mail domains are different
    *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
    *  0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    *      tag
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xx.xxx.xxx.xxx; helo=o123.p8.mailjet.com; envelope-from=xxxxx.xxxxxxxx@bnc3.mailjet.com; receiver=test-xxxxx@srv1.mail-tester.com 
DMARC-Filter: OpenDMARC Filter v1.3.1 mail-tester.com 9F060A988C
Authentication-Results: mail-tester.com; dmarc=fail header.from=mail.example.com
Authentication-Results: mail-tester.com;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com header.i=no-reply@mail.example.com header.b=MVNy47/y;
    dkim-atps=neutral
Received: from o123.p8.mailjet.com (o123.p8.mailjet.com [xx.xxx.xxx.xxx])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail-tester.com (Postfix) with ESMTPS id 9F060A988C
    for <test-xxxxxx@srv1.mail-tester.com>; Tue, 27 Jul 2021 16:51:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=mail.example.com; i=no-reply@mail.example.com; s=mailjet;
  h=message-id:mime-version:from:reply-to:to:subject:date:list-unsubscribe-post:
  list-unsubscribe:feedback-id:x-csa-complaints:x-mj-mid:x-mj-smtpguid:
  x-report-abuse-to:content-type:content-transfer-encoding;
  bh=TIkRui7Va59h4geTtPXAKHua6pDPeJyum82T2lGo2Ww=;
  b=MVNy47/y6hs1gHGz8eiJlWuG18UsJ/Fhxa5vf7K5tDJt1jSfpePjd2YCb
 N1jbcfPt57l77VjSd8+vcwC2g5+yWyBHfkTuF8F7fGA9Vgn740zOLpMVjxlx
 PX71Bkay8jB4kG7Shtpus9XU+/a9WN5E9ygqWReclkE7X3uNqd78pQ=
Message-Id: <xxxxx.xxxxxx@mailjet.com>
MIME-Version: 1.0
From: Example <no-reply@mail.example.com>
Reply-To: info@example.com
To: test-xxxxxx@srv1.mail-tester.com
Subject: Example Registrierung
Date: Tue, 27 Jul 2021 14:51:38 +0000
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe:
    <mailto:xxxxx.mailjet.com>,
    <https://xxxxxxxxxxxxxxxxx>
Feedback-Id: 42.1636236.1611053:MJ
X-CSA-Complaints: csa-complaints@eco.de
X-MJ-Mid:
    xxxxxxx
X-MJ-SMTPGUID: 4c0f08ce-7ed4-457b-9f60-fdf493ab9e3e
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to
    abuse@mailjet.com with a copy of the message
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
```

I don't understand why the verification is failing and what I can do about it. Other tools like dmarcanalyzer say the configuration is fine.


EDIT

When sending a mail to a Gmail account, it goes to spam. Showing the "original message" in Gmail, however, reports "pass" for SPF, DKIM and DMARC:

gmail reports "pass" for SPF, DKIM and DMARC

Stuck
  • see also: [Is it wrong to leave out the “v=DKIM1;” on a DKIM record?](https://serverfault.com/questions/892685/is-it-wrong-to-leave-out-the-v-dkim1-on-a-dkim-record) – anx Aug 18 '21 at 14:24
  • Something doesn’t add up here. mail-tester.com and SpamAssassin say the DKIM signature is valid, but the `Authentication-Results` header in the message shows ‘signature verification failed’ for DKIM. Which is it? Since you are sending via an intermediary, you *must* make sure your DKIM signature is tiptop. We cannot check that for you. – glts Aug 18 '21 at 15:04
  • @glts could you elaborate how I can do this? We send via Mailjet and the provided DKIM signature was added to the DNS exactly as provided by Mailjet, as shown in the question. The mail is sent, so authentication with Mailjet should not be a problem. I don't understand the question "which is it?" - what exactly do you refer to? – Stuck Aug 18 '21 at 15:32
  • @Stuck I was referring to the different results, is the signature now valid or is it invalid? Typically, when you set up DKIM correctly, all mail testing services will give the same answer, DKIM ‘passes’, the signature ‘is valid’. This is not the case here. You must make sure that you have a working DKIM key pair (public key in DNS, private key at mail sender) and that signatures are generated properly. If mailjet produces invalid signatures you will need to talk to them. – glts Aug 18 '21 at 16:47
  • I would also recommend trying various other email testing services. If the failure happens only with mail-tester.com, it might be a problem on their end after all. – glts Aug 18 '21 at 16:52
  • @glts thanks for the follow-up. Other services report that the setup is ok. However, mail is going to spam and we cannot find any problem other than this one :-/ I will check in with Mailjet support. – Stuck Aug 19 '21 at 07:11
  • Also, I added the Gmail report of a mail that goes to spam - it shows that DKIM, SPF and DMARC all pass. So maybe mail-tester is just wrong? – Stuck Aug 19 '21 at 07:33
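
How the two verdicts in the question can differ for the same message, as an added example that is not part of the original thread: the DMARC decision recomputed from the values in the posted headers and the `_dmarc.mail` record. The function names are hypothetical, the organizational-domain rule is a simplification, and the Gmail case assumes the same SPF identity with DKIM verifying, as the poster's edit reports.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # verifiers consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_tags(record):
    """Split a DMARC TXT value such as 'v=DMARC1;p=reject' into a dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def is_aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: the domains must be identical
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_eval(from_domain, record, spf, dkim_sigs):
    """spf is (result, envelope-from domain); dkim_sigs is [(result, d=), ...]."""
    tags = parse_tags(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf[0] == "pass" and is_aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and is_aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # The requested policy only applies when DMARC fails.
        "policy": None if passed else tags.get("p", "none"),
    }

# Values taken from the headers and the _dmarc.mail record in the question.
RECORD = "v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com"
FROM = "mail.example.com"
SPF = ("pass", "bnc3.mailjet.com")  # Received-SPF: envelope-from domain

# mail-tester saw dkim=fail; Gmail (per the edit) saw DKIM pass.
MAIL_TESTER = dmarc_eval(FROM, RECORD, SPF, [("fail", "mail.example.com")])
GMAIL = dmarc_eval(FROM, RECORD, SPF, [("pass", "mail.example.com")])

if __name__ == "__main__":
    print("mail-tester:", MAIL_TESTER)
    print("gmail:      ", GMAIL)
```

SPF passes for `bnc3.mailjet.com`, which is not aligned with the From domain, so the DMARC result depends entirely on whether the receiver accepts the DKIM signature.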

1 Answer

4

The reason is this: `(1024-bit key; unprotected)`. You simply need to replace your DKIM key with a 2048-bit one, and you should be good to go.

Hope that helps ^_^

Morten Nilsen
  • Mailjet support answered that they do not support 2048-bit DKIM :-( But is it correct that this is a minor issue for now - even though mail-tester gives it a -3? – Stuck Aug 20 '21 at 08:56
  • Mine says `(2048-bit key; unprotected)`. Does that mean we now need 4096 bit keys?! Or is that from the other side? – Alexis Wilke Feb 26 '22 at 19:46
  • As far as I know, 2048 bit keys are still secure, so your issue must be something else. I'd need more information to be able to give advice. – Morten Nilsen Feb 27 '22 at 21:24
  • We finally switched the provider and the new provider does support 2048 and the issue is solved. After getting in touch with the Mailjet support again, they maybe provide 2048 DKIM for enterprise accounts only. There is a user vote issue for general availability but it is several years old already without progress: https://feedback.mailjet.com/forums/931474-feature-requests/suggestions/41854546-2048-bits-dkim-public-key – Stuck Mar 11 '22 at 00:01
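
The answer and its comments turn on the size of the published DKIM key. The following added example (not code from the thread; the function names are hypothetical) reads the RSA modulus length straight out of a DKIM TXT record, including records split into several quoted strings, using the two key records copied from the question's zone.

```python
import base64
import re

# The two DKIM TXT records exactly as published in the question's zone.
MAILJET_TXT = '"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs9LUxwgF8P0uV+ulltAAyITc3aRqgsAVlr2ZygTnuYJQ10gSPU2M7NAKJTck3P10F8F49t2BnBYsKzUo4AHlZ7V5kafYu3c9Gd50TfcMyqbGB1CL+ITfRxxh3opTTMZAvcCv/EpH9+dG1iw1a1ahZHTC2TvfF6k0thbIWjWIgQwIDAQAB"'
DEFAULT2103_TXT = (
    '"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBTlvBdpQXS3+g6rPM4fd" '
    '"O5EFHrt6EDRS6HMAzf4yYVsp9JwC145ftSzmw/qwdeW3c+JlwvqAipM2qf//A4HG/tpxV9ASX7Qa" '
    '"Yew6QlngiXB+T/ih37NrgUE0B2sUpijQ0n5mVd3sAstOQNPhyg5JeWOiJLLJS7xWbu/zwJ+WMB8h" '
    '"Phl5ZLrtfscsB56EawBJS/spGTKdOcq6aNm1yPUYvnWQsbWziuV9Y7NLb1yapauks1Yxug75HA12" '
    '"Zf7YTuaHPXuK+BSOSEzSUd5R/Fk7UZ1Ba1uX/OdcNKxZtaI0oYePHp9xzSMlWrj2RGbQP9WCKA0R" '
    '"HPHEKIwchsqXbIW6QIDAQAB"'
)

def dkim_tags(txt):
    """Join the quoted TXT character-strings, then split into tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def rsa_key_bits(txt):
    """Bit length of the RSA modulus in a DKIM key record's p= tag."""
    tags = dkim_tags(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA public key (other key type, or revoked)")
    der = base64.b64decode(tags["p"], validate=True)
    _, spki, _ = _tlv(der, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, spki)     # AlgorithmIdentifier, skipped
    tag, bits, _ = _tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("unexpected key encoding")
    _, seq, _ = _tlv(der, bits + 1)     # +1 skips the unused-bits octet
    _, start, end = _tlv(der, seq)      # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

if __name__ == "__main__":
    for name, txt in (("mailjet", MAILJET_TXT), ("default2103", DEFAULT2103_TXT)):
        print(name, rsa_key_bits(txt))
```

The `mailjet` selector, which signed the message in the question (`s=mailjet`), carries the 1024-bit key; `default2103` is a 2048-bit key.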