Re: [exim] DKIM signing with the i= (Identity) tag/header

Author: Christian Balzer
Date:  
To: exim-users
CC: Phil Pennock
Subject: Re: [exim] DKIM signing with the i= (Identity) tag/header

Hello Phil,

On Mon, 21 Nov 2016 07:59:33 +0000 Phil Pennock wrote:

> On 2016-11-21 at 11:06 +0900, Christian Balzer wrote:
> > Since the "i=" field is optional, that doesn't come as a big surprise, nor
> > should it be an issue.
> >
> > That is, if it weren't for Google, who decided to base their DKIM checks
> > exclusively on this header:
> > ---
> > Authentication-Results: mx.google.com;
> >        dkim=neutral (no key) header.i=@fusioncom.co.jp;

>
> My last test mail to my Google account has:
>
> -----------------------------8< cut here >8-----------------------------
> Authentication-Results: mx.google.com;
>        dkim=pass header.i=@spodhuis.org;
>        spf=pass (google.com: domain of [snip long line]
>        dmarc=pass (p=NONE dis=NONE) header.from=spodhuis.org
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201611; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=v4dMfdOoPPNw/cF+SW40HeBs1Za1xm2/PJu39sE54+4=; b=Y2eir4Dvc1bkGpcLbKndpyxAmC0EykoVjfvvkW1Tz7n4zOiN+rD7RILY5x1anaGRSB0T/XUQEsJQTlMnKz+3zkLS4mk3g4p20W5jNiTuitLii7glRfQn7/wA1k3hAmeuTRys4R2PD1ONydHCxWVqSdvbX9oPbX9EwlfwS0AHz9SgBTiqhmF5+rV1hpk6nRIzTi/8Yjuzm0wCgXfP;
> -----------------------------8< cut here >8-----------------------------

>
> As you can see, Google are _reporting_ `header.i` but they must be using
> the d parameter, because I'm not signing with `i` (I am using Exim,
> after all).
>

Yup, I was just about to get back to the list about this.

The Google error code is less than stellar when it comes to being clear and
human readable.

The problem was with the DNS TXT record after all, but so subtly that
Exim itself didn't spot it and gave things a clean bill of health when
checking mails signed for that domain.

To wit, the record had "v=DKIM1\\\; k=rsa\\\; ..." in it, instead of a
single backslash.
The people responsible are being taken out to the backyard for creative
lead catching courses.

Again, I might have spotted this earlier if Exim itself hadn't been
totally happy to ignore the extra garbage and concentrate on the actual
yummy contents.
This probably stems from Exim being an MTA and thus very much being of a
"Be lenient in what you accept" philosophy, but it being strict in this case
would have made me realize the problem sooner. ^_-

Thanks for all the ongoing effort with Exim.

Regards,

Christian

> So I'd be looking into why Gmail might believe there's no key available;
> I can find DNS TXT records for `mail._domainkey.fusioncom.co.jp` on both
> the authoritative nameservers, but is there any kind of geolocation in
> those results, or could the records have been temporarily unavailable?
>
> Because at this point, it's that, or Google temporarily deployed bad
> code.
>
> -Phil
>



-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Global OnLine Japan/Rakuten Communications
http://www.gol.com/
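
The failure described in this message, as an added example that is not part of the original post and not Exim's code: a strict check of a published DKIM key record, where RFC 6376 requires a record whose v= value is anything other than DKIM1 to be discarded, which a receiver then reports as having no key. The function names and both sample records are constructed, and the number of backslashes that actually reached the published TXT data is an assumption.

```python
import base64
import binascii
import re

TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Constructed placeholder, valid base64 but not a real public key.
KEY = base64.b64encode(b"constructed sample, not a real key").decode()
GOOD = "v=DKIM1; k=rsa; p=" + KEY
BAD = r"v=DKIM1\; k=rsa\; p=" + KEY   # assumed shape of the leaked escaping

def parse_tag_list(record):
    """Split a DKIM tag-list (RFC 6376 section 3.2) into ordered (name, value) pairs."""
    pairs, problems = [], []
    for spec in record.split(";"):
        if not spec.strip():
            continue                      # a trailing ";" is permitted
        name, sep, value = spec.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not TAG_NAME.match(name):
            problems.append(f"malformed tag-spec: {spec!r}")
            continue
        pairs.append((name, value))
    return pairs, problems

def check_key_record(record):
    """Return a list of problems; an empty list means the strict checks passed."""
    pairs, problems = parse_tag_list(record)
    tags = dict(pairs)
    if "\\" in record:
        problems.append("literal backslash in TXT data (zone-file escaping leaked)")
    if "v" in tags:
        if pairs[0][0] != "v":
            problems.append("v= must be the first tag")
        if tags["v"] != "DKIM1":
            problems.append(f"v={tags['v']!r} is not DKIM1: record must be discarded")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']!r}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p:                               # empty p= means a revoked key
        try:
            base64.b64decode(re.sub(r"\s+", "", p), validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec[:24], "->", check_key_record(rec) or "ok")
```

Feed it the TXT string exactly as a resolver returns it, not the zone-file source line, since the escaping problem only shows in the published data.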