RE: Signing problem

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 26 Oct 2010 16:12:45 -0700

Now we're back to "d=" being right but the From: being rewritten by sendmail.

It's actually a slightly different problem than I thought. Since you're signing with "z=" tags ("Diagnostics" in the config file), we can see that you're sending mail with:

                From: root

I suspect you're using a shell mail program like "mail" or "mailx" to do your testing. Your MTA is adding "_at_marlborosurvey.net" to that, but only after the signature is generated. That's making validation impossible.

I showed in an earlier message how to test this, and I think you showed us a "GOOD" result from sendmail.net. That means everything is configured correctly, so quit messing with opendkim now. :)

So what's left is to arrange that the From: on the message isn't altered outbound. Your best bet is to either:

- Arrange that the program generating the mail sends a complete From: header field so that sendmail doesn't have to modify it. How you do that depends on how you're sending the mail. I already showed you one way, by invoking sendmail directly.

- Use the "ReplaceRules" feature, also described previously, to assume those modifications at signing time, meaning what gets signed is the same as what gets sent and received.

You don't need SigningTable or KeyTable if you do either of those things.

You might also try sending mail with another shell program or mail agent, like Alpine or Thunderbird or something like that, which do generate complete From: fields on outgoing mail.

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Jason Clint
Sent: Tuesday, October 26, 2010 4:04 PM
To: steve_at_stevejenkins.com
Cc: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem

ok so I removed the ,mail.marlborosurvey.net from the domain line in the conf. Here are the results from the test site:
DKIM Signature

Message contains this DKIM Signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=marlborosurvey.net;
       s=mail; t=1288134098; i=_at_marlborosurvey.net;
       bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
       h=Date:From:Message-Id:To;
       z=Date:=20Tue,=2026=20Oct=202010=2017:01:37=20-0600|From:=20root=20
        |Message-Id:=20<201010262301.o9QN1bV
        i008616_at_mail.marlborosurvey.net>|To:=20pYYPEv3cs7_at_www.brandoncheck
        etts.com;
       b=RoeXZC5uF76DnPPbyeVVezTqpp6t5k9j5cX6YepAv1HgBMeQH4OAdklOVOv2ya6Y+
        wFeoyqMn4aNuzZgWoJkWCHKvhUN6R+fsazlAgx6mg5Q0DgIa3DMQJMGZRADsaFezBH
        chJPOmr0DDpGVcEckZmCVwYKb6to8gRlaoxb6Y2U=

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: marlborosurvey.net
s= Selector: mail
q= Protocol:
bh= frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
h= Signed Headers: Date:From:Message-Id:To
b= Data: RoeXZC5uF76DnPPbyeVVezTqpp6t5k9j5cX6YepAv1HgBMeQH4OAdklOVOv2ya6Y+
        wFeoyqMn4aNuzZgWoJkWCHKvhUN6R+fsazlAgx6mg5Q0DgIa3DMQJMGZRADsaFezBH
        chJPOmr0DDpGVcEckZmCVwYKb6to8gRlaoxb6Y2U=

Public Key DNS Lookup

Building DNS Query for mail._domainkey.marlborosurvey.net
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGAq3ldG6D1fJiWoXPDpKg9dx42LhQysLAgMwo7cDrBiPMJ9jKh/YIAPAdFm6lHMWOQiL+IryQH+XCMSecdEj67Uw+EIxMgVT/KNQAH9Lqax8YnM5f91XZrazHLfa8U+bzHrSw15VhXCe9wb+sDtSa3E39naEY7nW5EJRCnCEm0QIDAQAB

Validating Signature

result = fail
Details: message has been altered

And the email:

Return-Path: <root_at_marlborosurvey.net>
X-Original-To: pYYPEv3cs7_at_www.brandonchecketts.com
Delivered-To: spamapp_at_www.brandonchecketts.com
Received: from mail.marlborosurvey.net (mail.marlborosurvey.net [64.0.29.71])
       by www.brandonchecketts.com (Postfix) with ESMTP id 2E2302429F
       for <pYYPEv3cs7_at_www.brandonchecketts.com>; Tue, 26 Oct 2010 19:01:37 -0400 (EDT)
Received: from mail.marlborosurvey.net (localhost.localdomain [127.0.0.1])
       by mail.marlborosurvey.net (8.14.4/8.14.4) with ESMTP id o9QN1bBD008617
       for <pYYPEv3cs7_at_www.brandonchecketts.com>; Tue, 26 Oct 2010 17:01:38 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=marlborosurvey.net;
       s=mail; t=1288134098; i=_at_marlborosurvey.net;
       bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
       h=Date:From:Message-Id:To;
       z=Date:=20Tue,=2026=20Oct=202010=2017:01:37=20-0600|From:=20root=20
        <root_at_mail.marlborosurvey.net>|Message-Id:=20<201010262301.o9QN1bV
        i008616_at_mail.marlborosurvey.net>|To:=20pYYPEv3cs7_at_www.brandoncheck
        etts.com;
       b=RoeXZC5uF76DnPPbyeVVezTqpp6t5k9j5cX6YepAv1HgBMeQH4OAdklOVOv2ya6Y+
        wFeoyqMn4aNuzZgWoJkWCHKvhUN6R+fsazlAgx6mg5Q0DgIa3DMQJMGZRADsaFezBH
        chJPOmr0DDpGVcEckZmCVwYKb6to8gRlaoxb6Y2U=
Received: (from root_at_localhost)
       by mail.marlborosurvey.net (8.14.4/8.14.4/Submit) id o9QN1bVi008616
       for pYYPEv3cs7_at_www.brandonchecketts.com; Tue, 26 Oct 2010 17:01:37 -0600
Date: Tue, 26 Oct 2010 17:01:37 -0600
From: root <root_at_marlborosurvey.net>
Message-Id: <201010262301.o9QN1bVi008616_at_mail.marlborosurvey.net>
To: pYYPEv3cs7_at_www.brandonchecketts.com

________________________________
From: nosaj_17_at_hotmail.com
To: steve_at_stevejenkins.com
CC: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 22:58:22 +0000

Ok so when I checked my dns it is set for the domain without hostnames, I have a cname setup to point mail.marlborosurvey.net to marlborosurvey.net but the actual mail._domainkey is set to just marlborosurvey.net? Also I am confused what you guys mean by keyTable and signingTable? Is that an option in the conf file?
________________________________
From: steve_at_stevejenkins.com
To: nosaj_17_at_hotmail.com
CC: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 15:50:40 -0700

You're REALLY close to having this working! :)

It looks like you figured out how to send as root_at_domain.net. So at this point, don't change anything with your MTA. Just focus on DKIM signing, and on your DNS settings.

I just checked your DNS entry:

[root_at_carbonfiber ~]# host -t TXT mail._domainkey.marlborosurvey.net
mail._domainkey.marlborosurvey.net descriptive text "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGAq3ldG6D1fJiWoXPDpKg9dx42LhQysLAgMwo7cDrBiPMJ9jKh/YIAPAdFm6lHMWOQiL+IryQH+XCMSecdEj67Uw+EIxMgVT/KNQAH9Lqax8YnM5f91XZrazHLfa8U+bzHrSw15VhXCe9wb+sDtSa3E39naEY7nW5EJRCnCEm0QIDAQAB"

And that looks good for sending as root_at_marlborosurvey.net.

Now you need to make sure that your key is set up for just marlborosurvey.net. This last test says you did:

d=mail.marlborosurvey.net

Make sure you've created a key for just the domain without any hostnames, then make sure your keyTable and signingTable are set to sign with that key, and give it another test.

It should work!

SJ


From: Jason Clint [mailto:nosaj_17_at_hotmail.com]
Sent: Tuesday, October 26, 2010 3:43 PM
To: steve_at_stevejenkins.com
Cc: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem

Looks like the same issue, if that test site is correct. I only actually see the from address set as root_at_domain.com though; is that why you are saying it's failing?
________________________________
From: nosaj_17_at_hotmail.com
To: steve_at_stevejenkins.com
CC: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 22:39:34 +0000

Got this from that test:
DKIM Information:
DKIM Signature

Message contains this DKIM Signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=mail.marlborosurvey.net; s=mail; t=1288132621;
        bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
        h=Date:From:Message-Id:To;
        z=Date:=20Tue,=2026=20Oct=202010=2016:37:01=20-0600|From:=20root=20
         |Message-Id:=20<201010262237.o9QMb1x
         d008348_at_mail.marlborosurvey.net>|To:=20pYYPEv3cs7_at_www.brandoncheck
         etts.com;
        b=ne4uSkDYbE9cwS65BJsfiYwuO8l72lDmfMq+YCiolZbgD/uJkwD8A2IB6Gd/SpUDS
         AdmOgDoHFEtSVf8hn9Rz/eRfEgfKhLbPWQwKGrmRetfcoWRrTOKKU5WY62woqEW33t
         wKLRe0J+bP379N06IOqps9RRSpsGU5IIWYzUcVW0=

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: mail.marlborosurvey.net
s= Selector: mail
q= Protocol:
bh= frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
h= Signed Headers: Date:From:Message-Id:To
b= Data: ne4uSkDYbE9cwS65BJsfiYwuO8l72lDmfMq+YCiolZbgD/uJkwD8A2IB6Gd/SpUDS
         AdmOgDoHFEtSVf8hn9Rz/eRfEgfKhLbPWQwKGrmRetfcoWRrTOKKU5WY62woqEW33t
         wKLRe0J+bP379N06IOqps9RRSpsGU5IIWYzUcVW0=

Public Key DNS Lookup

Building DNS Query for mail._domainkey.mail.marlborosurvey.net
Retrieved this publickey from DNS:

Validating Signature

result = invalid
Details: public key: not available

and the email itself:

Return-Path: <root_at_marlborosurvey.net>
X-Original-To: pYYPEv3cs7_at_www.brandonchecketts.com
Delivered-To: spamapp_at_www.brandonchecketts.com
Received: from mail.marlborosurvey.net (mail.marlborosurvey.net [64.0.29.71])
        by www.brandonchecketts.com (Postfix) with ESMTP id C2E252429F
        for <pYYPEv3cs7_at_www.brandonchecketts.com>; Tue, 26 Oct 2010 18:37:00 -0400 (EDT)
Received: from mail.marlborosurvey.net (localhost.localdomain [127.0.0.1])
        by mail.marlborosurvey.net (8.14.4/8.14.4) with ESMTP id o9QMb1T3008349
        for <pYYPEv3cs7_at_www.brandonchecketts.com>; Tue, 26 Oct 2010 16:37:01 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=mail.marlborosurvey.net; s=mail; t=1288132621;
        bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
        h=Date:From:Message-Id:To;
        z=Date:=20Tue,=2026=20Oct=202010=2016:37:01=20-0600|From:=20root=20
         <root_at_mail.marlborosurvey.net>|Message-Id:=20<201010262237.o9QMb1x
         d008348_at_mail.marlborosurvey.net>|To:=20pYYPEv3cs7_at_www.brandoncheck
         etts.com;
        b=ne4uSkDYbE9cwS65BJsfiYwuO8l72lDmfMq+YCiolZbgD/uJkwD8A2IB6Gd/SpUDS
         AdmOgDoHFEtSVf8hn9Rz/eRfEgfKhLbPWQwKGrmRetfcoWRrTOKKU5WY62woqEW33t
         wKLRe0J+bP379N06IOqps9RRSpsGU5IIWYzUcVW0=
Received: (from root_at_localhost)
        by mail.marlborosurvey.net (8.14.4/8.14.4/Submit) id o9QMb1xd008348
        for pYYPEv3cs7_at_www.brandonchecketts.com; Tue, 26 Oct 2010 16:37:01 -0600
Date: Tue, 26 Oct 2010 16:37:01 -0600
From: root <root_at_marlborosurvey.net>
Message-Id: <201010262237.o9QMb1xd008348_at_mail.marlborosurvey.net>
To: pYYPEv3cs7_at_www.brandonchecketts.com

________________________________
From: steve_at_stevejenkins.com
To: nosaj_17_at_hotmail.com
CC: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 15:34:21 -0700

Hey, Jason. I also like using this to test:

http://www.brandonchecketts.com/emailtest.php

SteveJ

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Jason Clint
Sent: Tuesday, October 26, 2010 3:21 PM
To: tlyons_at_ivenue.com
Cc: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem

apparently sendmail is starting to get sick of me:

Oct 26 16:16:03 mail sendmail[6668]: o9QMG3VX006668: from=root, size=26, class=0, nrcpts=1, msgid=<201010262216.o9QMG3VX006668_at_mail.marlborosurvey.net>, relay=root_at_localhost
Oct 26 16:16:03 mail sendmail[6669]: o9QMG3SJ006669: from=<root_at_mail.marlborosurvey.net>, size=332, class=0, nrcpts=1, msgid=<201010262216.o9QMG3VX006668_at_mail.marlborosurvey.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Oct 26 16:16:03 mail sendmail[6669]: o9QMG3SJ006669: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n\td=mail.marlborosurvey.net; s=mail; t=1288131363;\n\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\n\th=Date:From:Message-Id:To;\n\tz=Date:=20Tue,=2026=20Oct=202010=2016:16:03=20-0600|From:=20root=20\n\t <root_at_mail.marlborosurvey.net>|Message-Id:=20<201010262216.o9QMG3V\n\t X006668_at_mail.marlborosurvey.net>|To:=20sa-test_at_sendmail.net;\n\tb=DQ8aTRbSD2BwKTo8DQoqyrPbFs5xoDkQIodZmuJvfJ93GGUfANjXoTSGINdS14EGN\n\t F4BeCntzj1A7GW1qeEWXIi2cbT6/I4L3AAzWkqkutS5hxm/76ljxZ4lX8bnK5ma6jz\n\t t+V/MnxHKfbnU8quKhQHzjnxqHLTegIF30b40eEw=
Oct 26 16:16:03 mail sendmail[6668]: o9QMG3VX006668: to=sa-test_at_sendmail.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30026, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o9QMG3SJ006669 Message accepted for delivery)
Oct 26 16:16:04 mail sendmail[6672]: STARTTLS=client, relay=smtp.sendmail.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 26 16:16:05 mail sendmail[6672]: o9QMG3SJ006669: to=<sa-test_at_sendmail.net>, ctladdr=<root_at_mail.marlborosurvey.net> (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120332, relay=smtp.sendmail.net. [209.246.26.21], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later


I will have to check on it in a minute!
________________________________
From: nosaj_17_at_hotmail.com
To: tlyons_at_ivenue.com
CC: opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 22:17:29 +0000

Just so you know, it's not what's in the log that bothers me but the response I get back from sa-test_at_sendmail.net which is.......check that, I just looked at the last log entry and saw this:

We hope this service has been helpful to you.

Authentication System: DomainKeys Identified Mail
   Result: DKIM signature confirmed GOOD
   Description: Signature verified, message arrived intact
   Reporting host: sendmail.net
   More information: http://mipassoc.org/dkim/
   Sendmail milter: https://sourceforge.net/projects/dkim-milter/


Give me a second while I verify if it's right and I didn't just doze off and dream it started working.



> Date: Tue, 26 Oct 2010 15:11:27 -0700
> Subject: Re: Signing problem
> From: tlyons_at_ivenue.com
> To: nosaj_17_at_hotmail.com
> CC: opendkim-users_at_lists.opendkim.org
>
> On Tue, Oct 26, 2010 at 2:24 PM, Jason Clint <nosaj_17_at_hotmail.com> wrote:
> > Another update, setting the Domain to
> > marlborosurvey.net,mail.marlborosurvey.net gets rid of the other error:
> > Oct 26 15:07:44 mail opendkim[6446]: o9QL7iJ8006451: no signing domain match
> > for `mail.marlborosurvey.net'
>
> I just wanted to point out that what you are seeing is not an "error",
> it's debug output caused by the "LogWhy" statement being enabled in
> your opendkim configuration.
>
> Murray, maybe a log identifier to indicate it's debug output and not
> an error would be beneficial. I'm torn though...
>
> --
> Regards... Todd
> I seek the truth...it is only persistence in self-delusion and
> ignorance that does harm. -- Marcus Aurelius
>
>
Received on Tue Oct 26 2010 - 23:13:22 PST
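
Added example (not part of the original thread, and not OpenDKIM code): the "z=" diagnostic tag discussed at the top of this thread carries a copy of the header fields as they were signed, so comparing it with the headers that arrived shows which signed field was changed after signing. The sample message is constructed (example.net addresses, placeholder bh=/b= values), and whitespace collapsing stands in for full relaxed canonicalization.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message in this thread: example.net
# addresses, placeholder bh=/b= values. From: is rewritten after signing.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;\n"
    "\ts=mail; t=1288134098; bh=cGxhY2Vob2xkZXI=;\n"
    "\th=Date:From:Message-Id:To;\n"
    "\tz=Date:=20Tue,=2026=20Oct=202010=2017:01:37=20-0600|From:=20root=20\n"
    "\t <root@mail.example.net>|Message-Id:=20<201010262301.abc\n"
    "\t 123@mail.example.net>|To:=20test@verifier.example;\n"
    "\tb=cGxhY2Vob2xkZXI=\n"
    "Date: Tue, 26 Oct 2010 17:01:37 -0600\n"
    "From: root <root@example.net>\n"
    "Message-Id: <201010262301.abc123@mail.example.net>\n"
    "To: test@verifier.example\n"
    "\n"
    "test body\n"
)

def parse_tags(sig):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in sig.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def decode_z(z):
    """Decode z= (copied header fields, dkim-quoted-printable, '|'-separated)."""
    fields = {}
    for item in re.sub(r"\s+", "", z).split("|"):  # folding whitespace is ignored
        name, _, value = item.partition(":")
        value = re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
        fields[name.lower()] = " ".join(value.split())
    return fields

def altered_after_signing(raw):
    """Return {header: (as_signed, as_received)} for signed headers that differ."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = decode_z(tags.get("z", ""))
    diffs = {}
    for name in (n.strip() for n in tags["h"].lower().split(":")):
        received = " ".join((msg[name] or "").split())  # approximates relaxed canon.
        if name in signed and signed[name] != received:
            diffs[name] = (signed[name], received)
    return diffs
```

Calling altered_after_signing() on a saved copy of a failing message lists each signed header with its value at signing time and its value on arrival.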