Re: dkim permerror: verification error: syntax error in key data

From: John Smith <jxs1299_at_gmail.com>
Date: Sat, 5 Feb 2011 21:39:07 -0500

Yes, It was fixed with the help from Randy. After removing the beginning and
trailing double quotes in DNS TXT value, it is working perperly. Thanks a
lot for all the help from Murray, Steven and Randy. This is a very helpful
list.

On Sat, Feb 5, 2011 at 8:53 PM, Murray S. Kucherawy <msk_at_blackops.org>wrote:

> The port25.com verifier is complaining that there's an ASCII 0x22 (34
> decimal, or quote mark) character inside the base64 form of the key data.
> Typical base64 consists only of letters, numbers, "=", "+", and "/" with
> whitespace usually allowed in between for line breaks, so it's not a
> surprise that it would consider this an error.
>
> The sendmail.net autoresponder, which runs dkim-milter (OpenDKIM's
> antecedent) probably has your test messages quarantined because of the key
> format problem, which might be why you didn't get an answer. It might also
> be temp-failing for that reason; check your outbound queues.
>
> However, I don't see any bad characters or bad format when I looked just
> now at default._domainkey.xplist.com. Maybe it's been fixed since this
> thread started.
>
> The error from elandsys.com is more current OpenDKIM code, which ignores
> characters in base64 that aren't part of the standard base64 alphabet (which
> is what RFC4871 and RFC2045 say to do). The "syntax error in key data"
> means there was actually a syntax error in the overall key, and not
> necessarily in the base64 data. But again, the record looks fine to me now
> so maybe it's been fixed.
>
> The references to base64 and base32 are confusing. A key encoded with
> base32 will be garbage to a DKIM verifier, because they all expect base64.
> The base32 encoding scheme is used with ATPS, which is an experimental
> add-on to DKIM that you probably aren't using to begin with. But base32 is
> so rare (openssl doesn't support it, for example) that I have some doubts
> you're actually trying a base32 key. If you're referring to 32-bit builds
> vs 64-bit builds of the package, this has no effect on key encodings.
>
> A key generated by opendkim-genkey should work when copied directly into
> any BIND-style zone file. If it produced something that doesn't actually
> work, please do let us know so we can fix it.
>
> If you're still having trouble, try sending mail with your current settings
> to root_at_opendkim.org and I'll see what it looks like and, if it fails to
> verify, try to track down your problem.
>
> -MSK
>
Received on Sun Feb 06 2011 - 02:39:24 PST