
The scenario:

I have a couple of email servers running on Debian behind a firewall, a public IP, and I have properly set up my DNS records (MX, DMARC, DKIM, SPF).

This is an example of my DNS records (output by the dig command):

DKIM:
customselector._domainkey.domain.com. 3600 IN TXT  "v=DKIM1\; h=rsa-sha256\; k=rsa\; s=email\; " "p=MII...

SPF:
domain.com.           3599    IN      TXT     "v=spf1 mx -all"

MX:
domain.com.           3599    IN      MX      1 mailsystem.domain.com.

DMARC:
_dmarc.domain.com.    3599    IN      TXT     "v=DMARC1\;p=quarantine\;sp=reject\;rua=mailto:dmarc@domain.com\; ruf=mailto:dmarc@domain.com\; fo=1\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400"

Trying several public testing systems, my whole setup gets validated 100% ok. But then I start to get these weird reports showing a lot of bad emails coming out of my public IP, as well as some emails getting perfectly validated by the same domain. The next fragment comes from a Google report:

<record>
    <row>
      <source_ip>0.0.0.0</source_ip>
      <count>6</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>domain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>domain.com</domain>
        <result>pass</result>
        <selector>customselector</selector>
      </dkim>
      <spf>
        <domain>domain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>0.0.0.0</source_ip>
      <count>16</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>domain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>domain.com</domain>
        <result>fail</result>
        <selector>customselector</selector>
      </dkim>
      <spf>
        <domain>domain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>

I got 6 good mails vs. 16 bad mails, all of them with practically the same content.

The tests:

  • check-auth@verifier.port25.com -> ok
  • Gmail Headers -> dkim=pass header.i=@domain.com;
  • www.mail-tester.com -> DKIM_VALID
  • autorespond+dkim@dk.elandsys.com -> DKIM Signature validation: pass
  • dig on several DNS servers -> ok
  • mxtoolbox.com -> everything looks ok
  • Mail headers on different domains -> ok

The configuration:

I'm using opendkim, this is what I consider relevant:

Canonicalization    relaxed/relaxed
Mode            sv
SubDomains      yes

1 Answer


While my DKIM record is "valid", some validators won't accept the h=rsa-sha256; argument in a DNS record and will render the DKIM signature as invalid. I imagine that Google is using a few different Linux distros in their mail servers with different validators.

To solve this issue, just remove that argument from your DKIM record; it should look like this:

v=DKIM1; k=rsa; s=email; p=MI...

After this, every single email will get properly validated.

I came across http://dkimvalidator.com while doing some research, and it was the only tool that yielded a rather confusing message:

result = invalid
Details: public key: does not support hash algorithm 'sha256'

Surprisingly, this error seems to be unusual, but when you use opendkim to generate your keys you might find yourself doing something like this:

opendkim-genkey -b 2048 -h rsa-sha256 -r -s customselector -d domain.com -v

Which writes the incorrect argument into the txt output file, resulting in an invalid DKIM record.

  • If you want to specify the hash in the DKIM key record, you could use `h=sha256;`. The key type could be described in a different tag, with `k=rsa` (default value). Note that `h=rsa-sha256;` should in theory also be accepted by all verifiers, as it is syntactically correct, and the RFC explicitly states that unknown values should be ignored. See https://tools.ietf.org/html/rfc6376#page-27 for details. – user228011 Jan 24 '18 at 21:10
  • Thanks, noted. `opendkim-genkey` outputs `h=rsa-sha256` which I think I should report as a bug. Will look into it later. – Solrac Jan 24 '18 at 21:19
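Added example (not code from the question, the answer or opendkim): a small Python parser for DKIM key records that applies the RFC 6376 rule behind both the answer and the first comment. The records are constructed (the p= value is a placeholder, not a real key); a strict verifier ignores the unrecognized name in h=rsa-sha256, is left with no acceptable hash, and rejects an rsa-sha256 signature with exactly the dkimvalidator.com wording, while dropping h= or writing h=sha256 lets the same signature pass.

```python
import re

# Hash algorithms DKIM verifiers know (RFC 6376, Section 3.3).
KNOWN_HASHES = {"sha1", "sha256"}

# Constructed sample records (the p= value is a placeholder, not a real key).
# BROKEN_RECORD mirrors the dig output in the question: quoted strings with
# ';' escaped as '\;' and an h= tag carrying a signature algorithm name.
BROKEN_RECORD = (
    'customselector._domainkey.domain.com. 3600 IN TXT '
    '"v=DKIM1\\; h=rsa-sha256\\; k=rsa\\; s=email\\; " "p=MIIBplaceholder"'
)
FIXED_RECORD = "v=DKIM1; k=rsa; s=email; p=MIIBplaceholder"          # h= dropped
EXPLICIT_RECORD = "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBplaceholder"

def parse_dkim_key_record(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376, 3.6.1)."""
    if '"' in txt:  # dig-style output: join the quoted strings first
        txt = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt))
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    return tags

def acceptable_hashes(tags):
    """h= lists the hashes the key may be used with; absent means all.
    Unrecognized names are ignored, so 'rsa-sha256' contributes nothing
    and the resulting set is empty."""
    if "h" not in tags:
        return set(KNOWN_HASHES)
    return {h.strip() for h in tags["h"].split(":")} & KNOWN_HASHES

def key_permits_signature(tags, sig_algorithm):
    """Check a signature's a= value (e.g. 'rsa-sha256') against the key
    record the way a strict verifier does; returns (ok, reason)."""
    key_type, _, hash_alg = sig_algorithm.partition("-")
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unsupported key record version"
    if tags.get("k", "rsa") != key_type:
        return False, f"key type '{tags.get('k', 'rsa')}' does not match '{key_type}'"
    if hash_alg not in acceptable_hashes(tags):
        return False, f"public key: does not support hash algorithm '{hash_alg}'"
    return True, "ok"
```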