Re: opendkim getting hardfail with Google

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 9 Mar 2011 10:23:12 -0800 (PST)

On Wed, 9 Mar 2011, Chris C wrote:
> When things were working I would see...
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> crc_at_akc.org designates 74.203.101.142 as permitted sender)
> smtp.mail=crc_at_akc.org; domainkeys=pass header.From=crc_at_akc.org
>
> Note the header.From header.

Note also that that's domainkeys, not dkim.

> I'm not sure at what point this changed or what directive changed it.

Could be a change on Google's side, that now they prefer DKIM over DK.

Your private test to me also failed. The "z=" tag tells why:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
         t=1299693952; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
         h=Date:From:Message-Id:To:Subject:Yes;
         z=Date:=20Wed,=209=20Mar=202011=2013:05:52=20-0500|From:=20Chris=20
          Callegari=20<crc_at_mailgate1.akc.org>|Message-Id:=20<201103091805.p2
          9I5qWL010100_at_mailgate1.akc.org>|To:=20msk_at_blackops.org|Subject:=20
          TEST;
         b=Uc4oZ0xTH2n018W+fzwnMni7jh4Ioppr7cHJeXoa576pJbYv0mYOuAFK9CKzv8T+w
          Hv5elYMv5CpcsnKr95UpQlcViw2dEAj93UEu0HuN+azlB3K9AftLM7fVJN2r3B3fpU
          sVsngNPtL09xRASS7dhtsdu+DdIhQWueER3J/QRw=

The encoded From: field contains "<crc_at_mailgate1.akc.org>", but the From:
I got was:

From: Chris Callegari <crc_at_akc.org>

So your sendmail MTA is configured to masquerade, which alters your mail
post-signature, which breaks the signatures. See the last section of
opendkim's README for an explanation.

-MSK
Received on Wed Mar 09 2011 - 18:23:29 PST
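
The comparison made in the message above, as an added example that is not part of the original post or of opendkim: it decodes a signature's z= tag and reports which signed headers differ from the headers as received. The signature, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample (not the message's real data): a folded DKIM-Signature
# value whose z= tag records the headers as they were at signing time.
SAMPLE_SIG = (
    "v=1; a=rsa-sha1; c=relaxed/simple; d=example.org; s=mail;\r\n"
    "\th=Date:From:To:Subject;\r\n"
    "\tz=Date:=20Wed,=209=20Mar=202011=2013:05:52=20-0500|From:=20Test=20\r\n"
    "\t User=20<user@host1.example.org>|To:=20rcpt@example.net|Subject:=20\r\n"
    "\t TEST;\r\n"
    "\tb=PLACEHOLDER"
)
# Constructed headers as the verifier received them (From: was rewritten).
SAMPLE_RECEIVED = {
    "date": "Wed, 9 Mar 2011 13:05:52 -0500",
    "from": "Test User <user@example.org>",
    "to": "rcpt@example.net",
    "subject": "TEST",
}

def parse_tags(sig_value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in sig_value.split(";") if "=" in p)
    return {name.strip(): value.strip() for name, value in pairs}

def decode_z(z_value):
    """Decode z=: '|'-separated header copies in dkim-quoted-printable."""
    z = re.sub(r"\s+", "", z_value)  # folding whitespace is not significant
    signed = {}
    for copy in filter(None, z.split("|")):
        text = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), copy)
        name, _, value = text.partition(":")
        signed[name.strip().lower()] = value.strip()
    return signed

def altered_headers(sig_value, received):
    """Return {header: (signed, received)} for headers changed after signing."""
    squeeze = lambda s: " ".join(s.split())  # ignore whitespace-only changes
    signed = decode_z(parse_tags(sig_value).get("z", ""))
    return {
        name: (value, received[name])
        for name, value in signed.items()
        if name in received and squeeze(value) != squeeze(received[name])
    }

if __name__ == "__main__":
    for name, (was, now) in altered_headers(SAMPLE_SIG, SAMPLE_RECEIVED).items():
        print(f"{name}: signed as {was!r}, received as {now!r}")
```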
