2

My DKIM verification keeps failing, and I can't figure out why. It's signed though, but wrong.

When I check domain and selector it turns out as valid, so problem is with signing.

Here is a dump of one test email:

============================================================================
This is SPF/DKIM/DMARC/RBL report generated by a test tool provided 
    by AdminSystem Software Limited.

Any problem, please contact support@emailarchitect.net
============================================================================
Report-Id: a511e572
Sender: dule@example.com
Source-IP: 11.22.33.44
============================================================================
Original email header:

x-sender: dule@example.com
x-receiver: test-a511e572@appmaildev.com
Received: from host1.example.biz ([11.22.33.44]) by appmaildev.com with Microsoft SMTPSVC(8.5.9600.16384);
     Wed, 25 Jan 2017 07:25:09 +0000
Received: from host1.example.biz (localhost [127.0.0.1])
    by host1.example.biz (Postfix) with SMTP id DB0A3164364
    for <test-a511e572@appmaildev.com>; Wed, 25 Jan 2017 08:25:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
    s=2016; t=1485329108;
    bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
    h=From:Subject:To:Date:From;
    b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
     z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
     wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
     LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
     jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
     6rQnOaNhmvSaQ==
From: "dule" <dule@example.com>
Subject: d
To: test-a511e572@appmaildev.com
Message-Id: <1485329108.10136@example.com>
X-Mailer: Usermin 1.690
Date: Wed, 25 Jan 2017 08:25:08 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound1485329108"
Return-Path: dule@example.com
X-OriginalArrivalTime: 25 Jan 2017 07:25:09.0615 (UTC) FILETIME=[28C68FF0:01D276DC]

============================================================================
SPF: Pass
============================================================================

SPF-Record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Sender-IP:11.22.33.44
Sender-Domain:example.com

Query TEXT record from DNS server for: example.com
[TXT]: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all
Parsing SPF record: v=spf1 mx a ip4:11.22.33.44 a:host1.example.biz ?all

Mechanisms: v=spf1

Mechanisms: mx
Testing mechanism mx
Query MX record from DNS server for: example.com
[MX]: mail.example.com
Testing mechanism A:mail.example.com/128
Query A record from DNS server for: mail.example.com
[A]: 11.22.33.44
Testing CIDR: source=11.22.33.44;  11.22.33.44/128
mx hit, Qualifier: +

============================================================================
DKIM: fail
============================================================================

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
    s=2016; t=1485329108;
    bh=GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=;
    h=From:Subject:To:Date:From;
    b=dhJTUjBelfWvNPO4/gCWExHc87vC3uucapPxhKosJ/Ka/rgv42bSqARNIAmmROPID
     z7o2txBEt6aSRz+C/v+MnaXIzbFzlkOCUavahehOaGo7jkoIle1N11Yxyn6qe4+uh8
     wykUbHN9/sD4IORxP1sguFAdo9ONlbB6naW7tQoVDDfIhOS6UY5rFw7WmmGJIzitgv
     LJ4a/QrEDDDQX/H+kDessPbULFfLVUlhZQyscbHkb+S/B7s2D93S9vY9CSzrzG/uVj
     jvAYY+4LLhnPpaJBwjtQK2Itygj+gNQ3tvEmP1RwyNjSum0XDSQcQjEWtXs/ZC7Ker
     6rQnOaNhmvSaQ==
Signed-by: dule@example.com
Expected-Body-Hash: GNttbsw+WDQCAJvuUenSuOnhZUFMDY0bOkhR87y32XA=
Public-Key: v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9jrAe+o1L/g0pQefC4AdVPmN2gS2ODghLhfzir0xKTBLl3U+2X33DCStxvHdaLJZYVlKu9PDwr5yXvX4izX5ZnM/gEIm2p3ij0ykQu7Phz6GUvBoozLGPM2876dEVuMZ/aZgqoC4BU8dXGIlif4mqyo6pM76gPwbcj9e98nY+NKJAdKpJV5fMO94wXZ/DjNjI4Sr6bWxrBOZZyh5Am9T/lbOgjjU26ejiroSw//MdXDNGBBp44llHSWEWuUfxamDHaR83UGqhV2gWLpJyrbJtp3Ic8nwuWc0Ko1fR7wbg+HW5OdF9WMf0Id2qTbKQlOSAzbz82Qh5Nj2RCBdBJ1hwIDAQAB;

DKIM-Result: fail (bad signature)

Here is a dump of opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2016

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no
#ADSPAction            continue

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains            example.com
#SigningTable refile:/etc/dkim-signingtable
#KeyTable /etc/dkim-keytable
Aleksandar Pavić
  • 382
  • 2
  • 7
  • 18
  • If you are still involved with this system could you please append to your post the TXT record for 2016._domainkey.example.com as served by your DNS? – Dmitri Chubarov Feb 16 '17 at 14:35
  • For example: v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9jrAe+o1L/g0pQefC4AdVPmN2gS2ODghLhfzir0xKTBLl3U+2X33DCStxvHdaLJZYVlKu9PDwr5yXvX4izX5ZnM/gEIm2p3ij0ykQu7Phz6GUvBoozLGPM2876dEVuMZ/aZgqoC4BU8dXGIlif4mqyo6pM76gPwbcj9e98nY+NKJAdKpJV5fMO94wXZ/DjNjI4Sr6bWxrBOZZyh5Am9T/lbOgjjU26ejiroSw//MdXDNGBBp44llHSWEWuUfxamDHaR83UGqhV2gWLpJyrbJtp3Ic8nwuWc0Ko1fR7wbg+HW5OdF9WMf0Id2qTbKQlOSAzbz82Qh5Nj2RCBdBJ1hwIDAQAB – Aleksandar Pavić Feb 17 '17 at 07:48
  • You are signing the Date header. If something was changed in the email after it got out of the signer, I would first look at Date. Does it make sense to you to pick just one or two header lines to compute the hash via `SignHeaders` option? Also try to override the OversignHeaders option with an empty one. – Dmitri Chubarov Feb 17 '17 at 16:11
  • Well I did test now, and it worked. Do you know of any similar tool where I can test DKIM validity? – Aleksandar Pavić Feb 17 '17 at 20:04
  • Yes it works I checked with google also, possibly I haven't configured my system clock properly. – Aleksandar Pavić Feb 17 '17 at 20:16
  • I've generally found Canonicalization relaxed/relaxed can make it more likely to pass though some more brutal MTAs. – danblack Sep 13 '18 at 05:35

1 Answers1

0

Actually it appears that above configuration and keys are OK, problem could have been with various tools for DKIM validation and google, that they are picking DNS changes with a delay.

I suggest doing DKIM tests 48hrs after you configure server.

Aleksandar Pavić
  • 382
  • 2
  • 7
  • 18