Re: DKIM hardfail (with eg. google or test sites)

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 15 Mar 2013 06:34:15 -0700 (PDT)

On Fri, 15 Mar 2013, Matthias Weiss wrote:
> We configured our mail server (postfix) to use OpenDKIM about 1 year ago
> and it was working flawlessly.
>
> Today I discovered that our mail signing with OpenDKIM isn't working any
> more, it fails at Google Mail but also with email test sites.
>
> Since last year our mail server setup wasn't changed in any significant
> way, e.g. I tweaked the bounce queue settings in postfix a bit, but no
> major changes in our setup. The opendkim setup remained unchanged. We
> did some software updates for postfix and opendkim, but that's it. Our
> current versions are postfix 2.9.5 opendkim-2.6.7-r1
>
> Can anyone suggest a strategy how I can find out why our headers get signed
> wrongly suddenly?

I can't think of anything changed up to 2.6.7 that would explain a sudden
failure like this. Since you can't get debugging information out of
Gmail, the first suggestion I have is to turn on Diagnostics, send a
message to them, and then observe what might have changed between signing
by looking at the "z=" value compared with the header fields you can see
once the mail gets delivered to Gmail.

You should also read DEBUG FEATURES in opendkim/README for some hints
about what to try in terms of capturing debugging data. That section is
in need of work because there are other debug tools available to you, but
that's a decent starting point. If you're still stuck after checking
those things, let us know and I can provide some more suggestions.

-MSK
Received on Fri Mar 15 2013 - 13:34:32 PST