Re: dkim permerror: verification error: syntax error in key data

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sat, 5 Feb 2011 17:53:41 -0800 (PST)

The port25.com verifier is complaining that there's an ASCII 0x22 (34
decimal, or quote mark) character inside the base64 form of the key data.
Typical base64 consists only of letters, numbers, "=", "+", and "/" with
whitespace usually allowed in between for line breaks, so it's not a
surprise that it would consider this an error.

The sendmail.net autoresponder, which runs dkim-milter (OpenDKIM's
antecedent), probably has your test messages quarantined because of the key
format problem, which might be why you didn't get an answer. It might
also be temp-failing for that reason; check your outbound queues.

However, I don't see any bad characters or bad format when I looked just
now at default._domainkey.xplist.com. Maybe it's been fixed since this
thread started.

The error from elandsys.com is more current OpenDKIM code, which ignores
characters in base64 that aren't part of the standard base64 alphabet
(which is what RFC4871 and RFC2045 say to do). The "syntax error in key
data" means there was actually a syntax error in the overall key, and not
necessarily in the base64 data. But again, the record looks fine to me
now so maybe it's been fixed.

The references to base64 and base32 are confusing. A key encoded with
base32 will be garbage to a DKIM verifier, because they all expect base64.
The base32 encoding scheme is used with ATPS, which is an experimental
add-on to DKIM that you probably aren't using to begin with. But base32
is so rare (openssl doesn't support it, for example) that I have some
doubts you're actually trying a base32 key. If you're referring to 32-bit
builds vs 64-bit builds of the package, this has no effect on key
encodings.

A key generated by opendkim-genkey should work when copied directly into
any BIND-style zone file. If it produced something that doesn't actually
work, please do let us know so we can fix it.

If you're still having trouble, try sending mail with your current
settings to root_at_opendkim.org and I'll see what it looks like and, if it
fails to verify, try to track down your problem.

-MSK
Received on Sun Feb 06 2011 - 01:54:12 PST
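
The two verifier behaviours described in the message above, as an added example that is not part of the original message and is not OpenDKIM or port25.com code: a strict check that reports any character in the `p=` value outside the base64 alphabet (such as a stray 0x22 quote mark), and a lenient decode that ignores such characters. The key bytes, both sample records and all function names are constructed for illustration.

```python
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample data: 46 arbitrary bytes standing in for key material.
PAYLOAD = bytes(range(46))
_B64 = base64.b64encode(PAYLOAD).decode()
GOOD = "v=DKIM1; k=rsa; p=" + _B64
# Constructed failure: zone-file string quotes ended up inside the TXT data.
BROKEN = "v=DKIM1; k=rsa; p=" + _B64[:32] + '" "' + _B64[32:]

def parse_tags(record):
    """Split a 'tag=value; tag=value' key record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def stray_chars(p_value):
    """Strict view: (offset, char) for anything that is not base64 or whitespace."""
    return [(i, c) for i, c in enumerate(p_value)
            if c not in B64_ALPHABET and not c.isspace()]

def decode_lenient(p_value):
    """Lenient view: ignore characters outside the alphabet, then decode."""
    cleaned = "".join(c for c in p_value if c in B64_ALPHABET)
    return base64.b64decode(cleaned, validate=True)

def report(record):
    """Summarise both views of the p= tag of one key record."""
    p = parse_tags(record).get("p", "")
    bad = stray_chars(p)
    try:
        size = len(decode_lenient(p))
    except ValueError:
        size = None  # still undecodable after filtering
    return {"stray": bad, "lenient_bytes": size}

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("broken", BROKEN)):
        print(name, report(rec))
```

A `p=` value that decodes under the lenient view only shows the base64 layer is intact; it does not show that the decoded bytes form a well-formed key.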