Hi,
I use dual DKIM signing with RSA and ED25519 keys (the selectors are named
with "r" and "e" at the start respectively, to distinguish them).
Recently I enabled receiving DMARC reports and I see from Google (I
didn't get any from others yet) that the RSA signatures pass and the
ED25519 DKIM signatures fail:
<auth_results>
<dkim>
<domain>mydomain.tld</domain>
<result>pass</result>
<selector>r2021</selector>
</dkim>
<dkim>
<domain>mydomain.tld</domain>
<result>fail</result>
<selector>e2021</selector>
</dkim>
</auth_results>
I guess that Google doesn't support ED25519 signatures yet, but that
is not a problem; I have verified with some other provider that it works.
The problem is that some reports show a failure with an empty selector:
<auth_results>
<dkim>
<domain>mydomain.tld</domain>
<result>pass</result>
<selector>r2021</selector>
</dkim>
<dkim>
<domain>mydomain.tld</domain>
<result>fail</result>
<selector></selector>
</dkim>
</auth_results>
As there is no selector here, I can only guess that it is the ED25519 one
(because the RSA one passes).
I have set up DKIM (Debian based):
DKIM_DOMAIN = ${domain:$h_from:}
DKIM_SELECTOR = ${lookup{$dkim_domain} lsearch{DKIMDBFILE}}
DKIM_PRIVATE_KEY = ${lookup {$dkim_selector.$dkim_domain.key} \
search{CONFDIR/dkim}{CONFDIR/dkim/$value}}
In DKIMDBFILE I have mapped selectors based on domain, e.g.:
mydomain.tld: r2021:e2021
My question is, please, how can I log the outgoing DKIM-Signature header(s)
to be sure that I am not sending an empty selector? As it is not all
messages, I do not know which one fails with an empty selector (if any),
thus I want to log them all (for some time).
regards
--
Slavko
http://slavino.sk
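
Added example, not part of the original post: a small Python script that tallies DKIM results per selector from a DMARC aggregate report and lists the source IP and message count of every row that carries a DKIM entry with an empty selector, like the second report quoted above. The sample report is constructed (RFC 7489 aggregate layout, no XML namespace, documentation IP addresses); `summarize` is a name chosen for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate layout (trimmed to the fields used).
SAMPLE = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count></row>
    <auth_results>
      <dkim><domain>mydomain.tld</domain><result>pass</result><selector>r2021</selector></dkim>
      <dkim><domain>mydomain.tld</domain><result>fail</result><selector>e2021</selector></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>2</count></row>
    <auth_results>
      <dkim><domain>mydomain.tld</domain><result>pass</result><selector>r2021</selector></dkim>
      <dkim><domain>mydomain.tld</domain><result>fail</result><selector></selector></dkim>
    </auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (tally, suspects): message counts per (selector, result), and the
    (source_ip, count) of each row that has a DKIM entry without a selector."""
    tally, suspects = Counter(), []
    # Reports are untrusted input; for real files prefer defusedxml's parser.
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = (rec.findtext("row/source_ip") or "").strip()
        count = int(rec.findtext("row/count") or 1)
        for dkim in rec.iterfind("auth_results/dkim"):
            # A missing or empty <selector> both normalise to "".
            selector = (dkim.findtext("selector") or "").strip()
            result = (dkim.findtext("result") or "").strip()
            tally[(selector or "<empty>", result)] += count
            if not selector:
                suspects.append((ip, count))
    return tally, suspects

if __name__ == "__main__":
    tally, suspects = summarize(SAMPLE)
    for (selector, result), n in sorted(tally.items()):
        print(f"{selector:10} {result:5} {n}")
    for ip, n in suspects:
        print(f"empty selector: {n} message(s) from {ip}")
```

The source_ip of a row is the host that delivered the message to the reporter, so comparing it with your own server's addresses narrows down which outgoing messages to look at in the logs.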