On 2016-11-21 at 11:06 +0900, Christian Balzer wrote:
> Since the "i=" field is optional, that doesn't come as a big surprise, nor
> should it be an issue.
>
> That is, if it weren't for Google, who decided to base their DKIM checks
> exclusively on this header:
> ---
> Authentication-Results: mx.google.com;
> dkim=neutral (no key) header.i=@fusioncom.co.jp;
My last test mail to my Google account has:
-----------------------------8< cut here >8-----------------------------
Authentication-Results: mx.google.com;
dkim=pass header.i=@spodhuis.org;
spf=pass (google.com: domain of [snip long line]
dmarc=pass (p=NONE dis=NONE) header.from=spodhuis.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201611; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=v4dMfdOoPPNw/cF+SW40HeBs1Za1xm2/PJu39sE54+4=; b=Y2eir4Dvc1bkGpcLbKndpyxAmC0EykoVjfvvkW1Tz7n4zOiN+rD7RILY5x1anaGRSB0T/XUQEsJQTlMnKz+3zkLS4mk3g4p20W5jNiTuitLii7glRfQn7/wA1k3hAmeuTRys4R2PD1ONydHCxWVqSdvbX9oPbX9EwlfwS0AHz9SgBTiqhmF5+rV1hpk6nRIzTi/8Yjuzm0wCgXfP;
-----------------------------8< cut here >8-----------------------------
As you can see, Google are _reporting_ `header.i` but they must be using
the d parameter, because I'm not signing with `i` (I am using Exim,
after all).
So I'd be looking into why Gmail might believe there's no key available;
I can find DNS TXT records for `mail._domainkey.fusioncom.co.jp` on both
the authoritative nameservers, but is there any kind of geolocation in
those results, or could the records have been temporarily unavailable?
Because at this point, it's that, or Google temporarily deployed bad
code.
-Phil
