Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Possible DKIM issue query

On 07/10/2022 14:21, Dave Mal via Exim-users wrote:
> DNS lookup of s1._domainkey.sendgrid.com. (TXT) gave TRY_AGAIN
> s1._domainkey.sendgrid.com. in dns_again_means_nonexist? no (option unset)
> returning DNS_AGAIN
> LOG: MAIN
> PDKIM: d=sendgrid.com s=s1 [failed key import]
> PDKIM [sendgrid.com] rsa-sha256 signature status: PDKIM_VERIFY_INVALID (PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE)
>
>
> I'm guessing that the most important here is the "TRY_AGAIN" part

Yup.

> Is that down to a broken resolver on my part ? i.e. system resolver or something in exim I'm missing
> or is that down to my host?

Could be this host, the network, the host that your resolv.conf points to,
or (I think) further up the DNS hierarchy for the lookup.
In any case, a defer at the SMTP layer as a result of a TRY_AGAIN in a
DNS operation seems entirely appropriate; the sending MTA should
retry later.
If it's a persistent problem then the sending user will eventually get a bounce, and
hopefully involve mail-admins, who in turn should involve dns-admins.

> Yes, this is what I meant; to turn it off entirely
> I feel this would be an option as spamassassin is also verifying the DKIM (pass) when it does its check.
- add an acl control "dkim_disable_verify"
- in an ACL *before* data
- preferably in an ACL path only applying to these problem messages.
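
The three steps above as an Exim configuration fragment (an added example, not part of the original message). The list name `dkim_skip_senders`, its constructed member `bounces.example.net` and the ACL name `acl_check_mail` are assumptions; `control = dkim_disable_verify` is the control named in the message.

```exim
# --- main configuration section ---

# Constructed list of envelope-sender domains whose DKIM key lookups
# keep returning TRY_AGAIN. Keep it as short as possible: every domain
# listed here loses Exim's DKIM verification.
domainlist dkim_skip_senders = bounces.example.net

# Run the ACL at MAIL FROM, which is before DATA.
acl_smtp_mail = acl_check_mail

# --- ACL section ---
begin acl

acl_check_mail:

  # Conditions are evaluated in order, so the sender_domains test must
  # come before the control modifier. Only messages whose envelope
  # sender matches the list have DKIM verification switched off.
  warn    sender_domains = +dkim_skip_senders
          control        = dkim_disable_verify

  # All other senders continue with DKIM verification enabled.
  accept
```

The match is on the envelope sender domain, which need not equal the `d=` domain of the signature, so check which envelope senders the affected messages actually use before populating the list.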