RE: opendkim AUTH pass-es for received mail, but fails on forward ...

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 10 Apr 2012 21:29:23 +0000

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of locuse_at_mm.st
> Sent: Tuesday, April 10, 2012 1:46 PM
> To: opendkim-users_at_lists.opendkim.org
> Subject: opendkim AUTH pass-es for received mail, but fails on forward ...
>
> in the (1)st case, i see a "dkim=pass":
>
> 70 ! Authentication-Results:
> zimbra.locusetest.net/B554D606A2; dkim=pass
> ! (1024-bit key) header.i=_at_fastmail.fm
> header.b=Ezf5+eQD;
> ! dkim-adsp=pass
>
> but in the (2)nd case, i see a "dkim=fail":
>
> 83 + Authentication-Results:
> zimbra.locusetest.net/DD856606A2; dkim=fail
> + (verification failed) header.i=_at_fastmail.fm
> header.b=Ezf5+eQD;
> + dkim-adsp=temperror (missing parameter(s) in
> policy data)
>
> the process of rule-forwarding the message is causing the DKIM Auth
> check to fail.
>
> is it opendkim config ( in "policy data"?), zimbra config, screwy
> process flow, or something else?

Policy data, in this context, is based on a query to the DNS based on the domain name found in the From: field. (See RFC5617.) So two questions come to mind:

1) Is the From: unchanged between the two deliveries?

2) What's in the data that each machine sees when you take the From: domain, prepend "_adsp._domainkey." to it, and issue a TXT query for that name? That's what the filter will do to evaluate policy.

-MSK
Received on Tue Apr 10 2012 - 21:29:36 PST