Koozali.org: home of the SME Server

DKIM validation

mauro
DKIM validation
« on: June 05, 2017, 01:00:27 PM »
I have sent a test message to check-auth@verifier.port25.com in order to validate my DMARC setup.
What puzzles me is that in the report received I see
DKIM check:         pass
but also
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

in the checks performed by SpamAssassin.
It could be an issue with SpamAssassin at the receiver side, but how can I be sure?


Code:

This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  ***.com
Source IP:        ***
mail-from:        ***.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=  ***.com

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=  ***.com

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From:   ***.com)
ID(s) verified: header.d=  ***.com

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result:         ham  (-1.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs:   ***.com]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: <  ***com>
Received: from   ***.com (  ***) by verifier.port25.com id h6khtq2bkd05 for <check-auth@verifier.port25.com>; Mon, 5 Jun 2017 05:26:53 -0400 (envelope-from <  ***.com>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=  ***.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=  ***.com
Authentication-Results: verifier.port25.com; dkim=pass (matches From:   ***.com) header.d=  ***.com
Received: (qmail 26803 invoked by uid 453); 5 Jun 2017 09:26:50 -0000
X-Virus-Checked: by ClamAV 0.99.2 on   ***.com
X-Virus-Found: No
Authentication-Results:   ***.com; auth=pass (plain) smtp.auth=zzzzzz
Received: from pc-00020. ***.com (HELO [192.168.246.20]) (192.168.246.20)
 by   ***.com (qpsmtpd/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Mon, 05 Jun 2017 11:26:50 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=  ***.com; h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding; s=default; bh=o5TPduZ2oLCT3YjxHBCGYl6chC4jqSkBAnZ5yeFLrlU=; b=NwW+WCqI36DK88IubMywdSeYEM96lQrSsnbgxL3uVhYNQr1Eo1P9hBpiCkc2fjjoMM9N3kqyWRYItgo3DKZMlGKcCbF87YxdPAG0XNc4Jw1cca2tzziKgTE6CQ8oMPKw5QiW/yaUdFG0RlwlK4IN2sk+dxsVQsbri5mqURxttkFWKPiXmgiS/M3fONfMvDMHaRS8INBSbsBUDwFlfi4pbq9M+T3ekjf+XlNNRGfcUlHRL5EixJcr8KQqWKgELsuTRuzv64PpaMcgxqmbi/X/byP/LkxWO/lqsXD/wkDUDzFUvOyiodLaeaxmHCINIJ4Pbj2mJAc7514ZRh9vF/0d4Q==
To: check-auth@verifier.port25.com
From: Mauro De Carolis <***.com>
Subject: prova
Message-ID: <cfa38991-e6fc-db97-e697-1f21661ab96d@ ***.com>
Date: Mon, 5 Jun 2017 11:26:49 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

EDIT 9.6.17:  obfuscated email address and server details
« Last Edit: June 09, 2017, 12:39:53 PM by mauro »
All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual (1975)

brianr
Re: DKIM validation
« Reply #1 on: June 05, 2017, 10:56:32 PM »
I also get the same result:

 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

guest22

Re: DKIM validation
« Reply #2 on: June 05, 2017, 11:08:33 PM »
I believe we need to file a bug report on this... Brian, if you will please?

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: DKIM validation
« Reply #3 on: June 06, 2017, 01:07:47 AM »
I also get the same result:

 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

Probably because of the size of the key (2048) and the limit of some DNS servers with a chain longer than 512 bytes, or at another level related to this size; see:
http://spamassassin.1065346.n5.nabble.com/the-dkim-sigature-is-valid-but-still-triggered-T-DKIM-INVALID-in-mail-server-td55646.html

I have kept my old key of 1024 bits and I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature

Knuddi (http://www.scanmailx.com)
Re: DKIM validation
« Reply #4 on: June 06, 2017, 07:32:01 AM »
Try to test with mail-tester.com - if you get a clean 10/10 you are in a pretty good condition. It will also allow you to unfold and see more details on all keys (DKIM, DMARC and SPF).

brianr
Re: DKIM validation
« Reply #5 on: June 06, 2017, 08:47:38 AM »
Quote
Try to test with mail-tester.com - if you get a clean 10/10 you are in a pretty good condition. It will also allow you to unfold and see more details on all keys (DKIM, DMARC and SPF).

I get this...

-0.1      DKIM_SIGNED      Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.1      DKIM_VALID      Message has at least one valid DKIM or DK signature
Great! Your signature is valid
0.1      DKIM_VALID_AU      Message has a valid DKIM or DK signature from author's domain
Great! Your signature is valid and it's coming from your domain name

Looks ok then?

mauro
Re: DKIM validation
« Reply #6 on: June 06, 2017, 09:06:49 AM »
On mail-tester.com I get a 10/10 score.

Knuddi (http://www.scanmailx.com)
Re: DKIM validation
« Reply #7 on: June 06, 2017, 09:35:10 AM »
@brianr,

Yes, to my best knowledge you should be very OK. The T_DKIM_INVALID is a zero (0) score rule and the T_ indicates it's just a test rule not to be bothered with.

/jesper

brianr
Re: DKIM validation
« Reply #8 on: June 06, 2017, 11:07:26 AM »
I've emailed port25.com with a link to this thread - perhaps they'll fix it!

...and got an acknowledgment/thank you...
« Last Edit: June 06, 2017, 04:47:46 PM by brianr »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: DKIM validation
« Reply #9 on: June 06, 2017, 04:45:19 PM »
T_DKIM_INVALID: to remove this you should remove the t=y in your DNS field.

Test again a few hours after. If it persists without the valid tag, then this means that some older installs might not be able to read the too-long field.

Michail Pappas
Re: DKIM validation
« Reply #10 on: June 09, 2017, 10:38:06 AM »
@mauro: perhaps you should redact your post to remove direct references to your mailbox and domain?

Quick question: doing a dig txt on the domain shows that the large key consists of two large strings, separated by a space, i.e.:

Code:
# dig +short txt default._domainkey.domain
"v=DKIM1\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1LeFsCfdFwhgPTaivXHeTqYL6Y+RyZuM2HdBdEWCeHXqVAaommtYQE83BusatzPhbsPRzyO6gPYpB3qv2pgALxD1xabzeHkMgrba6S30r/0Oa2op6fZpOIFv6vhnSvRlmr98O1j1Eu3a916WBGIjJYsOSRODF6iFTbr6L67uImJrhDqFgIO9vw4x/e+KiVzUvH8bJXoI" "97rmvB+asL3AzW8nk4CdW2UJUUQWP1ZMan8Nuxz+Tg1VIa3p2hETwtm7dPbK2Zc69RcabrRXbdy45bXv1g14nqQkvMNGhP08Xo91WIV8Ho13/dbLRpm0L0BTgUgvEmK+xkhCd3J9mwutwIDAQAB"

Just wondering: isn't that a problem?

mauro
Re: DKIM validation
« Reply #11 on: June 09, 2017, 11:05:53 AM »
@Jean-Philippe
There is no t=y in our DNS any more but the response is still the same.

@Michail
I believe bind and similar servers always split large strings into chunks. This should not be a problem by itself, but apparently it is for some (perhaps old?) versions of SpamAssassin plugins.

1) Do you guys have shorter keys for DKIM? I am using the default ones, created automagically by Koozali.
2) Can I send an email to one of you guys, and you tell me what your SpamAssassin think about it?

Michail Pappas
Re: DKIM validation
« Reply #12 on: June 09, 2017, 11:24:53 AM »
I am using a shorter key, manually ported to 9.2 from 9.1. Works just fine.

As for a test, I'll PM you with my mail address for test.

EDIT: I can't PM you, you are not visible. PM me if you can.

EDIT2: not sure if PM works? :)
« Last Edit: June 09, 2017, 11:27:19 AM by Michail Pappas »

mauro
Re: DKIM validation
« Reply #13 on: June 09, 2017, 11:35:03 AM »
@Michail
Never used PM before... but I get an error when I try:

Code:
An Error Has Occurred!
You are not allowed to send personal messages.

You can see my email address in the first post, I thought about obfuscating it but in the end I did not bother. You can reach me there.

mauro
Re: DKIM validation
« Reply #14 on: June 09, 2017, 12:35:53 PM »
Thanks to Michail I can confirm that my emails are correctly signed and validated by SpamAssassin, at least on SME/Koozali.
Googling around, the problem can be caused at the receiving end by various factors including missing/old perl modules in the DKIM validator and/or in the modules that perform DNS checking in case of long records.

Having also tried several other email/DKIM online testers, I am satisfied that my implementation is correct. It is possible that on a small number of servers my emails will trigger T_DKIM_INVALID due to the length of my key, however the impact should be minimal.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: DKIM validation
« Reply #15 on: June 09, 2017, 01:44:01 PM »
You can send me an email here tests _at_ pialasse.com

I would also suggest you open a bug report. While the longer key is supposed to work, we see that it is creating issues with older installations. I use a shorter key too, manually migrated from an older install.

After removing the t=y have you waited long enough for dns to be renewed before testing?

mauro
Re: DKIM validation
« Reply #16 on: June 09, 2017, 01:57:51 PM »
Quote
You can send me an email here tests _at_ pialasse.com
Done.
Quote
I would also suggest you to open a bug report. While the longer key is supposed to work, we see that it is creating issue with older installations. I use a shorter key too manually migrated from older install.
I'll do, but probably only next week.  https://bugs.contribs.org/show_bug.cgi?id=10345
Quote
After removing the t=y have you waited long enough for dns to be renewed before testing?
The flag was removed last Monday. And I tried again today with the same result.
« Last Edit: June 12, 2017, 09:28:47 AM by mauro »

SchulzStefan
Re: DKIM validation
« Reply #17 on: July 13, 2017, 12:59:01 AM »
A few more things in relation to DKIM

1. Test with https://www.mail-tester.com/spf-dkim-check brings up:

DKIM check

DNS record for default._domainkey.abc.de:

;; Warning: Message parser reports malformed message packet.

We were not able to retrieve the key length, there is maybe an issue in that key
and from the email-test:

DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

You recently modified your DNS, please do a new test in 12 hours.
Your old record:

"v=DKIM1;
p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0\"\"i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUd2XXXXX/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB"

Your future record:

"v=DKIM1;
p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0\"\"i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUd2XXXXX/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB"

which is simply wrong. The record hasn't been changed in over a week...


2. Test with auth-results@verifier.port25.com brings up:

DKIM check details:
----------------------------------------------------------
Result:         permerror (invalid key: invalid character U+0022 ('"') in base64 data)
ID(s) verified:

From https://en.wikipedia.org/wiki/Base64 I can't see ("") - so how/what do they test? MUST the key be in base64?


3. Test with http://dkimvalidator.com/ brings up:

DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=abc.de; h=date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding; s=default; bh=VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=; b=Rti7IjkmEsYJOSy5Rhh8FgnnZ2sqRLvvYS4AqudcjdoP99RDoS2O6jJSsNthr0gwdugP3npBi0811sCIvGzlSmHwFjzIOUMIsxoZF571PLFMAduMyhrcUHQGCMCc5TLhXr8FaDF+lWkeQeiRBYXtq1eZ3xAKdUNq8YecA0cEiRMZkxBNbaQ1PrOz/JkPPlunDL92P3AZhSOVizEu83k4Q268bF4P5EpggiBm/XLFVhWi8FTfSgVo39mbHCgKo5PmAx2b+skQe17wU8zRoUyjMMqBBNmlAZKHMOk8ns1AmAajExIjeG7EaEaYpdC1k6kk3Fo3Q/lmrGaJwO0BAHc8Hw==


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed
d= Domain:          abc.de
s= Selector:        default
q= Protocol:       
bh=                 VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=
h= Signed Headers:  date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding
b= Data:            Rti7IjkmEsYJOSy5Rhh8FgnnZ2sqRLvvYS4AqudcjdoP99RDoS2O6jJSsNthr0gwdugP3npBi0811sCIvGzlSmHwFjzIOUMIsxoZF571PLFMAduMyhrcUHQGCMCc5TLhXr8FaDF+lWkeQeiRBYXtq1eZ3xAKdUNq8YecA0cEiRMZkxBNbaQ1PrOz/JkPPlunDL92P3AZhSOVizEu83k4Q268bF4P5EpggiBm/XLFVhWi8FTfSgVo39mbHCgKo5PmAx2b+skQe17wU8zRoUyjMMqBBNmlAZKHMOk8ns1AmAajExIjeG7EaEaYpdC1k6kk3Fo3Q/lmrGaJwO0BAHc8Hw==
Public Key DNS Lookup

Building DNS Query for default._domainkey.abc.de
Retrieved this publickey from DNS: v=DKIM1;p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0""i6tiTRvMk4dwaNO2MGKIOPXXXXXXX64hN4gfTh5lcxQE4qrPzmUd2mspBipQ0CtDAMoUL4e/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB
Validating Signature

result = invalid
Details: public key: invalid data

4. Test with http://www.appmaildev.com/en/dkim/ brings up:

DKIM: pass

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=abc.de; h=date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding; s=default; bh=VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=; b=iMVYrlBpN5sDtdxrMetB3CXsWefEXTekvv2H3zR3qHfxyEMT2yTe2fXiN4BmSVEIz92JqM2ATvkQf4bTQiMIjeVTL4rX9aP/rVzJh4shHCZFvWT6rjOSVUZlyvWmnU6kI4lEIWOzsM2jQkjAxSzOgMXWqf71cYD6E/7jxLeTsGYusnB8jUN1d78xe+YuwoylaiHMcs5dKmiJAVmuMoi7Miu9fRyqEzYmZmOnSXkQao1SGefsQTKbZx2ZacbfwTSlsvIegjRpx+oNnmvk/eJveaWGgoXC1imw+LlcvbtI+F+a/b+vQ3go1JNrHjgCHDwpxvV5EL5jA9odLAro/beU/g==

Signed-by: stefan.schulz@abc.de

Expected-Body-Hash: VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=

Public-Key: v=DKIM1;p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0""i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUXXXXXXXXXoUL4e/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB;


DKIM-Result: pass


Now what? Are the invalids related to https://bugs.contribs.org/show_bug.cgi?id=10345? Should I act? Should I ignore? How will this work, if only one out of four tests succeeds?

regards,
stefan
« Last Edit: July 13, 2017, 01:08:35 AM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

SchulzStefan
Re: DKIM validation
« Reply #18 on: July 13, 2017, 01:40:37 AM »
Update:

My domain hoster (STRATO) permits quotes ("") in the TXT-records. While I copied and pasted the output of

# qpsmtpd-print-dns

I deleted the quotes at the beginning and at the end. BUT NOT the two quotes separating the two strings. Now it's only one string without quotes. With this one string I'm getting a 10/10 in mail-tester.com. Only in http://dkimvalidator.com there's still the message from SpamAssassin

0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

Regarding that there might be differences between entering the correct format at different domain hosters, this seems to be tricky.

regards,
stefan
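Added example (my own code, not from the posts or from SME Server) covering two points raised in this thread: Michail's dig output showing the key as two quoted strings, and Stefan's "invalid character U+0022 in base64 data" permerror. It joins the TXT strings the way a verifier does, parses the tag list, and reads the RSA modulus size from the p= value, which RFC 6376 defines as the base64 of a SubjectPublicKeyInfo. The key is the 2048-bit one in Michail's dig output; the two faulty records are constructed from it, and the selector/domain are not needed.

```python
"""Added example for this thread (not code from the posts or from SME Server).
A DNS TXT RR is a list of character strings of at most 255 bytes each; `dig`
prints them as separate "..." strings and a verifier joins them before reading
the tag=value list, so a 2048-bit key split in two is fine.  A '"' typed INTO
the record survives the join and lands inside the base64 p= value: that is the
'invalid character U+0022' permerror Port25 returned for Stefan's record."""
import base64
import binascii
import re

B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# The 2048-bit key posted in this thread, exactly as `dig +short txt` showed
# it: two RDATA strings, with ';' escaped as '\;'.
DIG_SPLIT_OK = (
    '"v=DKIM1\\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1LeFsCfdF'
    'whgPTaivXHeTqYL6Y+RyZuM2HdBdEWCeHXqVAaommtYQE83BusatzPhbsPRz'
    'yO6gPYpB3qv2pgALxD1xabzeHkMgrba6S30r/0Oa2op6fZpOIFv6vhnSvRlm'
    'r98O1j1Eu3a916WBGIjJYsOSRODF6iFTbr6L67uImJrhDqFgIO9vw4x/e+Ki'
    'VzUvH8bJXoI" '
    '"97rmvB+asL3AzW8nk4CdW2UJUUQWP1ZMan8Nuxz+Tg1VIa3p2hETwtm7dPbK'
    '2Zc69RcabrRXbdy45bXv1g14nqQkvMNGhP08Xo91WIV8Ho13/dbLRpm0L0BT'
    'gUgvEmK+xkhCd3J9mwutwIDAQAB"'
)
# Constructed counterpart of Stefan's record: same key, but a literal "" was
# pasted into p= (dig shows a quote stored in the data as \").
DIG_EMBEDDED_QUOTES = DIG_SPLIT_OK.replace('I" "97', 'I\\"\\"97')
# Constructed record carrying the t=y testing flag mentioned in the thread.
DIG_TESTING_FLAG = DIG_SPLIT_OK.replace('"v=DKIM1\\;', '"v=DKIM1\\;t=y\\;')

def dig_to_record(dig_output: str) -> str:
    """Join the "..." strings of one TXT RR, undoing dig's backslash escapes."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def parse_tags(record: str) -> dict:
    """tag=value list (RFC 6376 s3.2); whitespace inside a value is FWS."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(buf: bytes, i: int):
    """(tag, value_start, value_end) of the DER element starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def rsa_modulus_bits(spki: bytes) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus size."""
    seq_tag, s, _ = _tlv(spki, 0)           # outer SEQUENCE
    _, _, alg_end = _tlv(spki, s)           # AlgorithmIdentifier, skipped
    bits_tag, s, _ = _tlv(spki, alg_end)    # BIT STRING; first byte = unused bits
    if seq_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, s, _ = _tlv(spki, s + 1)             # RSAPublicKey SEQUENCE
    int_tag, s, e = _tlv(spki, s)           # INTEGER modulus (may carry a 0x00 pad)
    if int_tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(spki[s:e], "big").bit_length()

def check_dkim_record(dig_output: str) -> dict:
    """What a verifier concludes from the record: result, detail, key bits, t=y."""
    tags = parse_tags(dig_to_record(dig_output))
    out = {"result": "pass", "detail": "", "bits": 0,
           "testing": "y" in tags.get("t", "").split(":")}
    p = tags.get("p")
    if tags.get("v", "DKIM1") != "DKIM1" or p is None:
        return {**out, "result": "permerror", "detail": "missing v= or p= tag"}
    bad = sorted(set(p) - B64)
    if bad:                                  # Port25's wording for Stefan's record
        chars = ", ".join(f"U+{ord(c):04X} ({c!r})" for c in bad)
        return {**out, "result": "permerror",
                "detail": f"invalid character {chars} in base64 data"}
    try:
        out["bits"] = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        return {**out, "result": "permerror", "detail": f"invalid key: {exc}"}
    return out
```

Run `check_dkim_record` on each of the three records: the split key passes at 2048 bits, the record with pasted quotes fails with the U+0022 message, and the t=y record passes but reports the testing flag that the thread suggests removing.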