Koozali.org: home of the SME Server

DKIM validation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: DKIM validation
« Reply #15 on: June 09, 2017, 01:44:01 PM »
You can send me an email here tests _at_ pialasse.com

I would also suggest you open a bug report. While the longer key is supposed to work, we see that it is creating issues with older installations. I use a shorter key too, manually migrated from an older install.

After removing the t=y, have you waited long enough for DNS to be renewed before testing?

Offline mauro

Re: DKIM validation
« Reply #16 on: June 09, 2017, 01:57:51 PM »
Quote
You can send me an email here tests _at_ pialasse.com
Done.
Quote
I would also suggest you open a bug report. While the longer key is supposed to work, we see that it is creating issues with older installations. I use a shorter key too, manually migrated from an older install.
I'll do, but probably only next week.  https://bugs.contribs.org/show_bug.cgi?id=10345
Quote
After removing the t=y, have you waited long enough for DNS to be renewed before testing?
The flag has been removed last Monday. And I tried again today with the same result.
« Last Edit: June 12, 2017, 09:28:47 AM by mauro »
All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual (1975)

Offline SchulzStefan

Re: DKIM validation
« Reply #17 on: July 13, 2017, 12:59:01 AM »
A few more things in relation to DKIM

1. Test with https://www.mail-tester.com/spf-dkim-check brings up:

DKIM check

DNS record for default._domainkey.abc.de:

;; Warning: Message parser reports malformed message packet.

We were not able to retrieve the key length, there is maybe an issue in that key



and from the email-test:

DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

You recently modified your DNS, please do a new test in 12 hours.
Your old record:

"v=DKIM1;
p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0\"\"i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUd2XXXXX/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB"

Your future record:

"v=DKIM1;
p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0\"\"i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUd2XXXXX/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB"

which is simply wrong. The record hasn't been changed over a week...


2. Test with auth-results@verifier.port25.com brings up:

DKIM check details:
----------------------------------------------------------
Result:         permerror (invalid key: invalid character U+0022 ('"') in base64 data)
ID(s) verified:

From https://en.wikipedia.org/wiki/Base64 I can't see ("") - so how/what do they test? MUST the key be in base64?


3. Test with http://dkimvalidator.com/ brings up:

DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=abc.de; h=date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding; s=default; bh=VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=; b=Rti7IjkmEsYJOSy5Rhh8FgnnZ2sqRLvvYS4AqudcjdoP99RDoS2O6jJSsNthr0gwdugP3npBi0811sCIvGzlSmHwFjzIOUMIsxoZF571PLFMAduMyhrcUHQGCMCc5TLhXr8FaDF+lWkeQeiRBYXtq1eZ3xAKdUNq8YecA0cEiRMZkxBNbaQ1PrOz/JkPPlunDL92P3AZhSOVizEu83k4Q268bF4P5EpggiBm/XLFVhWi8FTfSgVo39mbHCgKo5PmAx2b+skQe17wU8zRoUyjMMqBBNmlAZKHMOk8ns1AmAajExIjeG7EaEaYpdC1k6kk3Fo3Q/lmrGaJwO0BAHc8Hw==


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed
d= Domain:          abc.de
s= Selector:        default
q= Protocol:       
bh=                 VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=
h= Signed Headers:  date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding
b= Data:            Rti7IjkmEsYJOSy5Rhh8FgnnZ2sqRLvvYS4AqudcjdoP99RDoS2O6jJSsNthr0gwdugP3npBi0811sCIvGzlSmHwFjzIOUMIsxoZF571PLFMAduMyhrcUHQGCMCc5TLhXr8FaDF+lWkeQeiRBYXtq1eZ3xAKdUNq8YecA0cEiRMZkxBNbaQ1PrOz/JkPPlunDL92P3AZhSOVizEu83k4Q268bF4P5EpggiBm/XLFVhWi8FTfSgVo39mbHCgKo5PmAx2b+skQe17wU8zRoUyjMMqBBNmlAZKHMOk8ns1AmAajExIjeG7EaEaYpdC1k6kk3Fo3Q/lmrGaJwO0BAHc8Hw==
Public Key DNS Lookup

Building DNS Query for default._domainkey.abc.de
Retrieved this publickey from DNS: v=DKIM1;p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0""i6tiTRvMk4dwaNO2MGKIOPXXXXXXX64hN4gfTh5lcxQE4qrPzmUd2mspBipQ0CtDAMoUL4e/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB
Validating Signature

result = invalid
Details: public key: invalid data



4. Test with http://www.appmaildev.com/en/dkim/ brings up:

DKIM: pass

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=abc.de; h=date:message-id:from:to:subject:reply-to:content-type:mime-version:content-transfer-encoding; s=default; bh=VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=; b=iMVYrlBpN5sDtdxrMetB3CXsWefEXTekvv2H3zR3qHfxyEMT2yTe2fXiN4BmSVEIz92JqM2ATvkQf4bTQiMIjeVTL4rX9aP/rVzJh4shHCZFvWT6rjOSVUZlyvWmnU6kI4lEIWOzsM2jQkjAxSzOgMXWqf71cYD6E/7jxLeTsGYusnB8jUN1d78xe+YuwoylaiHMcs5dKmiJAVmuMoi7Miu9fRyqEzYmZmOnSXkQao1SGefsQTKbZx2ZacbfwTSlsvIegjRpx+oNnmvk/eJveaWGgoXC1imw+LlcvbtI+F+a/b+vQ3go1JNrHjgCHDwpxvV5EL5jA9odLAro/beU/g==

Signed-by: stefan.schulz@abc.de

Expected-Body-Hash: VdKl/2CPEl/IXpgS+F9xduEjNSUIqXz/45Z2bJfUWGc=

Public-Key: v=DKIM1;p=MIIBIjANXXXXXXXXXAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7X3PXJWMChpysS2nFDLjhFexzoQPyCHk9fxFQiVnupLMKrTkSYjwe6GxH7XvLNCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0""i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUXXXXXXXXXoUL4e/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB;


DKIM-Result: pass


Now what? Are the invalids related to https://bugs.contribs.org/show_bug.cgi?id=10345? Should I act? Should I ignore? How will this work, if only one out of four tests succeeds?

regards,
stefan
« Last Edit: July 13, 2017, 01:08:35 AM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

Re: DKIM validation
« Reply #18 on: July 13, 2017, 01:40:37 AM »
Update:

My domain hoster (STRATO) permits quotes ("") in the TXT-records. While I copied and pasted the output of

# qpsmtpd-print-dns

I deleted the quotes at the beginning and at the end. BUT NOT the two quotes separating the two strings. Now it's only one string without quotes. With this one string I'm getting a 10/10 in mail-tester.com. Only in http://dkimvalidator.com there's still the message from spamassassin

0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

Regarding that there might be differences between entering the correct format at different domain hosters, this seems to be tricky.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)
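
Added example, not part of any post above and not SME Server code: a Python sketch of why a key record pasted with the inner `""` still in place fails with "invalid character U+0022 in base64 data", while the same record joined into one string validates. The key is a constructed 294-byte stand-in (not a real key), `mispasted()` models a hypothetical web-panel paste, and the 255-byte limit is the DNS TXT character-string limit, which the thread does not state.

```python
import base64
import re

# Constructed stand-in for a public key: 294 bytes, the DER size of a typical
# 2048-bit RSA key. It is NOT a real key; only its length and encoding matter.
P_VALUE = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
RECORD = "v=DKIM1; p=" + P_VALUE

def split_for_dns(record, limit=255):
    """Split a record into the <=255-byte character-strings a TXT RR allows."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_file_form(record):
    """Render the chunks the way a zone file shows them: "chunk1" "chunk2"."""
    return " ".join('"%s"' % c for c in split_for_dns(record))

def as_resolver_sees(zone_rdata):
    """Concatenate the quoted strings, as a DKIM verifier does after the lookup."""
    return "".join(re.findall(r'"([^"]*)"', zone_rdata))

def mispasted(zone_rdata):
    """Hypothetical panel paste: outer quotes removed, inner quotes kept as data."""
    return zone_rdata.replace('" "', '""')[1:-1]

def check_key_record(txt):
    """Return ("ok", decoded_key_bytes) or ("permerror", reason) for a key record."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    p = re.sub(r"\s+", "", tags.get("p", ""))
    bad = sorted(set(re.findall(r"[^A-Za-z0-9+/=]", p)))
    if bad:
        return ("permerror", "invalid character(s) in p=: " + " ".join(map(repr, bad)))
    try:
        return ("ok", len(base64.b64decode(p, validate=True)))
    except ValueError as exc:
        return ("permerror", "p= is not valid base64: %s" % exc)

if __name__ == "__main__":
    zone = zone_file_form(RECORD)
    # Two quoted strings joined correctly: the key decodes.
    print(check_key_record(as_resolver_sees(zone)))
    # Inner quotes stored as literal characters inside p=: permerror.
    print(check_key_record(mispasted(zone)))
    # Same paste with every quote removed (one plain string): decodes again.
    print(check_key_record(mispasted(zone).replace('"', "")))
```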