1

In some-not-all received emails -- notably ONLY those sent via 'bulk' services -- I get a DKIM fail: "signature verification failed". Here's one example:

Received message headers
    DKIM-Filter: OpenDKIM Filter v2.10.3 mail.example.com 3rfbq51KBTz2xF0
    Authentication-Results: dkim.example.com/3rfbq51KBTz2xF0;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=proxyvote.com header.i=@proxyvote.com header.b=XjB07H1q

But checking in 'dkim-stats', it says "PASSED":

opendkim-stats dkim-stats
    Job 3rfbq51KBTz2xF0 at edge (size 12124)
            received via 127.0.0.1 at Wed Jun 29 01:45:37 2016
            from domain = 'proxyvote.com'
            Signature 1 from proxyvote.com
                    PASSED
                    signed bytes: (whole message)
                    Signature properties: 
                    Key properties:  
                    DNSSEC status: INSECURE

Here's the accompanying dump for that message

cat dkim.3rfbq51KBTz2xF0.4dDfiv
    Date: Wed, 29 Jun 2016 03:10:40 -0400
    From: "PROXYVOTE"  <id@proxyvote.com>
    To:   USER@EXAMPLE.COM
    Subject: Semi-Annual Report
    message-id: <$A94546_1_519687362154ADDC_0154651$495132454@adp-ics.com>
    Reply-To: "PROXYVOTE" <ProxyMaster@proxyvote.com>
    MIME-Version: 1.0
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
      d=proxyvote.com; i=@proxyvote.com; q=dns/txt;
      s=edppsuirna01; t=1467189937; x=1498725937;
      h=date:from:to:subject:message-id:reply-to:mime-version;
      bh=H5lkhcTIjxd0B3N4Kdj314qELLpSKZvAAtPAS+XcM1A=;

Why do I get both 'fail' AND 'pass', and what do I need to do to fix this?

Jason

1 Answer

-1

Jason, is it possible for you to change the c=simple/simple to c=relaxed/relaxed? I've seen a lot of times where different DKIM validators struggle with the whitespace folding. You say it's only failing with "Bulk", so that tells me you are sending this out through some SMTP service, which makes me more inclined to believe the headers are being rewritten and the whitespace folding of simple/simple is the culprit. You can also run Mail Test on it, which will test it with 4 different DKIM validators. If it fails all four, it's probably what's going on when you send through that bulk service.

Updated Section Below

Since you're receiving the email, you can still re-process it and check the DKIM with another validator. This is what I do for sanity checks when I think my email server might be processing DKIM wrong. I'm using Limilabs Mail.dll to handle the sending of the EML, but you can use whatever you want, in whatever programming language you're familiar with. DKIM stays intact and you'll be able to validate it against other DKIM validators using online auto-responders.

    Imports Limilabs.Mail
    Imports Limilabs.Client.SMTP

    ' Load the stored message as raw EML so the signed bytes are not re-encoded.
    Dim email As IMail
    Dim mb As New Limilabs.Mail.MailBuilder
    Dim smtpMail As SmtpMail = SmtpMail.CreateFromEmlFile("D:\ValidateDKIM\BadDKIM.eml")
    email = mb.CreateFromEml(smtpMail.RawEmlData)

    Using client As New Smtp()
        client.ConnectSSL("mailserver", 465)
        client.Login("mailserver", "password")
        Dim stream As System.Net.Security.SslStream = client.ReadStream()

        Dim reader As IO.StreamReader = New IO.StreamReader(stream)
        ' Resend the untouched EML data to the DKIM-checking auto-responders.
        client.SendMessage(New SmtpMail("Mail Check", {"mailtest@unlocktheinbox.com", "check-auth@verifier.port25.com"}, smtpMail.RawEmlData))
        client.Close()
    End Using
Henry
  • I am not sending this email, I'm receiving it. My server's checking its authentication. I have no control over "c=", nor can I run 'Mail Test' on it. Mails that *I* send with my setup have no such problems, anywhere. – Jason Jul 06 '16 at 21:55
  • I agree there shouldn't be a mis-match, but I revised my answer to allow you to determine which part of the mis-match is correct or not. – Henry Jul 06 '16 at 23:41
  • One more additional thought, just from experience. I once used a mail server that would take in the message, it would pass DKIM, then it would rewrite the message and the DKIM would then fail, because of the way it handled the line endings with simple/simple. The mail server was actually altering the message. Food for thought. – Henry Jul 06 '16 at 23:51
  • Good point from @Henry, although even with relaxed/relaxed instead of simple/simple, the check continues failing. Commenting out my `smtp_generic_maps` fixed it. – SYN May 24 '17 at 23:02
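
The canonicalization difference discussed in the answer and comments, as an added example that is not code from any of the posts above: it implements the RFC 6376 `simple` and `relaxed` rules and shows which in-transit changes each one tolerates. The function names, the sample messages and the `mapped.example` domain are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP, then drop whitespace at each line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):          # both modes ignore trailing empty lines
        body = body[:-2]
    if mode == "relaxed" and not body:     # relaxed: an empty body stays empty
        return b""
    return body + b"\r\n"                  # otherwise exactly one final CRLF

def canon_header(field: bytes, mode: str) -> bytes:
    """Canonicalize one header field, passed with its terminating CRLF."""
    if mode == "simple":
        return field                       # simple: signed byte for byte
    name, value = field.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)            # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")  # collapse and trim WSP
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value to compare against the bh= tag of an rsa-sha256 signature."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def unchanged(canon, mode: str, signed: bytes, received: bytes) -> bool:
    """True if the received copy canonicalizes to the bytes that were signed."""
    return canon(signed, mode) == canon(received, mode)

# Constructed samples, loosely modelled on the headers in the question.
SIGNED_FROM = b'From: "PROXYVOTE"  <id@proxyvote.com>\r\n'
REFLOWED_FROM = b'From: "PROXYVOTE" <id@proxyvote.com>\r\n'      # whitespace collapsed
REWRITTEN_FROM = b'From: "PROXYVOTE" <id@mapped.example>\r\n'    # address rewritten
SIGNED_BODY = b"Semi-Annual Report \r\nis available.\r\n"
REFLOWED_BODY = b"Semi-Annual Report\r\nis available.\r\n\r\n"  # trailing space gone

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode,
              "| body:", unchanged(canon_body, mode, SIGNED_BODY, REFLOWED_BODY),
              "| reflowed From:", unchanged(canon_header, mode, SIGNED_FROM, REFLOWED_FROM),
              "| rewritten From:", unchanged(canon_header, mode, SIGNED_FROM, REWRITTEN_FROM))
        print("  bh would be", body_hash(SIGNED_BODY, mode))
```

To triage a real failure, pass the stored message's raw body to `body_hash` with the body mode from its `c=` tag and compare the result with `bh=`: a mismatch means the body changed after signing, while a match points at the signed headers or the key record.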