Re: OpenDKIM bug ?

From: Ken <kenfcamp_at_gmail.com>
Date: Fri, 11 Jan 2019 14:48:24 -0500

Hello Scott,

> Microsoft's auth header fields were non-standard in non-trivial ways.

Business as usual in Microsoft land :\ .. and to be honest I couldn't care
less about the header read errors

> so as long as the DKIM signatures are still verified.

That's the problem. These emails (only these emails) fail verification
because the DKIM signature can't be retrieved from the email header
information which needs to be done to compare against DNS.

At least that's what I thought until I started to dig deeper into their
DKIM signatures.



*Average DKIM Header*
*DKIM-Signature:* v=1; a=rsa-sha256; d=zdnet.online.com; s=s1024-1.bh;
c=simple/simple; q=dns/txt; i=_at_zdnet.online.com; t=1547046787;
h=From:Subject:Date:To:Content-Type;
bh=IoNR9I+c6LM7pnapv5950eUw69Kz0w3jw3v8/X2dGQY=;
b=LmiDF2yR7vNzhPtGZAjBZLNXlgilXjmNMZRB6bI/oyD1RjNiDg7BVwyrZ/y89jVe
e5zN7gQVIN9oIhxGAib7b8lE9Etrz7I0pWk2qoD8QbA3in2M6Het+L8vr5WlTlRb
wV0M/hEfglbHWVhuNB4it55IHlBjhpVo0x5u1FCmGoA=;



*O365 DKIM Header*
*DKIM-Signature:* v=1; a=rsa-sha256; c=relaxed/relaxed; d=
leviton.com
;s=selector1;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=8EjjEZKj36w4Nao7GzqLl/S20+XjekqO4lyJd7e3jtE=;b=bfqJ71mN8kSAnN6+nNJDJ8po3bb9ddjVNv8BldyXjdZYV485HsI9S667IUjq+cPVX+Ha8IEbv6uRDjwvAEeWNpPvEAKFILAXgCqRaUNie008iena5Z5zwp0s19Ti/oYfxlaJ/5chDJ/zYkVfyRTT75PDB3Az4LM4XZdpasv4jA0=

I'm now wondering, could the lack of spacing between variables be the
problem?

O365 has: v=; a=; c=; - then loses spacing - d=;s=;h=;bh=

Average emails will have consistent spacing between variables
v=a; a=; d=; s=; c=; i=; h=; bh=;

If that is the problem, is there anything that can be done, aside from
Microsoft fixing their mess?




On Fri, Jan 11, 2019 at 1:31 AM Scott Kitterman <ietf-dkim_at_kitterman.com>
wrote:

> On Thursday, January 10, 2019 10:34:19 AM Ken wrote:
> > I'm currently running OpenDKIM 2.10.3
> >
> > I'm seeing instances (thousands per day) where verifications fail with:
> >
> > [sample start]
> > failed to parse Authentication-Results: header field
> >
> > key retrieval failed (s=selector1-Q2e-onmicrosoft-com,
> > d=Q2e.onmicrosoft.com):
> > 'selector1-Q2e-onmicrosoft-com._domainkey.Q2e.onmicrosoft.com' query failed
> > [sample end]
> >
> > This is occurring with legitimate sources.
> > Banks, Stores, Technology companies, and seems to be limited to any
> > domain using what appears to be Outlook/Office 365
> >
> > If it were one off (one domain out of thousands) I could easily chalk it
> > up to bad sender configuration. But it's not, it's thousands of emails
> > from hundreds of (valid) senders a day
> >
> > Any insight would be appreciated
> >
> > Thank you
>
> Last time I looked (I don't get much email from O365 users), Microsoft's
> auth header fields were non-standard in non-trivial ways. The major point
> is that authserv-ID was missing, which is a required element. Any AR field
> without it should be discarded without processing, so as long as the DKIM
> signatures are still verified, this may just be annoyingly verbose logging.
>
> Scott K
>
>
Received on Fri Jan 11 2019 - 19:48:56 PST
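
An added example, not part of the original message and not OpenDKIM's code: a tag-list parser written to the RFC 6376 section 3.2 grammar, in which whitespace around ";" and "=" is optional, run over both spacing styles quoted above to derive the DNS name that would be queried for the key. The sample headers are constructed: s=, d= and the spacing follow the message, bh=/b= are shortened placeholders, i= is omitted, and the folding whitespace in the O365 sample is an assumption.

```python
import re

# Constructed samples: s=, d= and the spacing follow the two headers quoted
# above; bh=/b= are shortened placeholders and i= is left out.
AVERAGE = ("v=1; a=rsa-sha256; d=zdnet.online.com; s=s1024-1.bh;\r\n"
           " c=simple/simple; q=dns/txt; t=1547046787;\r\n"
           " h=From:Subject:Date:To:Content-Type;\r\n"
           " bh=AAAA; b=BBBB\r\n CCCC=;")
O365 = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=\r\n"
        " leviton.com\r\n"
        " ;s=selector1;h=From:Date:Subject;bh=AAAA;b=BBBBCCCC=")

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376 section 3.5
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")

def parse_tag_list(value):
    """Parse a DKIM-Signature value per the RFC 6376 section 3.2 grammar."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)   # undo header folding
    specs = unfolded.split(";")
    if not specs[-1].strip():
        specs.pop()                                   # one trailing ";" is legal
    tags = {}
    for spec in specs:
        name, sep, val = spec.partition("=")          # split on the first "=" only
        name = name.strip()
        if not sep or not TAG_NAME.match(name):
            raise ValueError(f"malformed tag-spec: {spec!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Whitespace around a value is not significant; inside base64 it is dropped.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    return tags

def key_query_name(tags):
    """DNS name whose TXT record holds the public key (selector._domainkey.domain)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

if __name__ == "__main__":
    for label, header in (("average", AVERAGE), ("o365", O365)):
        print(label, key_query_name(parse_tag_list(header)))
```

The derived names have the same `selector._domainkey.domain` shape as the name in the "key retrieval failed" log line quoted in the thread.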
