When TXT selector._domainkey… is missing, OpenDKIM still adds AR-header

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Fri, 01 Feb 2019 20:33:55 +0000

Update:

> The DKIM-Signature suggests obtaining the DNS TXT record selector1._domainkey.doccs.ny.gov , but this record does not
> exist, so OpenDKIM cannot validate DKIM-Signature.
>

Right now DNS TXT selector1._domainkey.doccs.ny.gov does exist. I don’t know what happened earlier; I was not able to
retrieve the record.

In any case, for this simple message:

From: <m2aieium_at_doccs.ny.gov>
Date: Thu, 31 Jan 2019 23:07:10 +0000
Subject: A D K T200
Message-Id: <eaiti2u_at_eiau>
To: ****_at_aegee.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=doccs.ny.gov;s=selector200;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=nle3m1ypJwIQJcEYxNcs+Ir/fcHuMGnDz4yqI+qTars=;
 b=0M3G0N6YRSxSUP9QdLY5O9boBg+AxQf48/z10u8TgBHEYO4GJfEUoedS
 H4qteMfrHDw+IQhpV+dRkv+pk0ggaxMkaWVgzGutk+NiZoRzpYoRCjcJwuCs2pRcqNpScxd/LseV2AnrAfBRi3W7Xs8ExaYN6H0Dcbm2zHqmU6oDf/k=

A B C 99200




DNS TXT selector200._domainkey.doccs.ny.gov does not exist, and on my system OpenDKIM adds:


Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
 reason="key not found in DNS" header.d=doccs.ny.gov header.i=_at_doccs.ny.gov
 header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y

So my assumption that OpenDKIM forgets to insert the AR header when the key is missing from DNS was not verified. Why
there is no AR header from OpenDKIM in your sample I cannot say, but this is significant.

OpenDKIM behaves correctly even if the non-existent domain blub.ny.gov is used.

Regards
  Дилян
Received on Fri Feb 01 2019 - 20:34:26 PST
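
An added example, not part of the original post and not OpenDKIM code: a small audit that derives the key's DNS name from each DKIM-Signature and reports which signatures have no dkim result recorded by the local verifier, the condition this thread is investigating. The names `dkim_tags` and `audit` are hypothetical, the sample headers are constructed from the message above, and the Authentication-Results parsing is simplified rather than a full RFC 8601 parser.

```python
import email
import re

# Constructed sample based on the message in this post: h= is shortened,
# bh=/b= are placeholders, and the archive's "_at_" obfuscation is kept.
SIG = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
       b" d=doccs.ny.gov;s=selector200;h=From:Date:Subject;\r\n"
       b" bh=PLACEHOLDER;b=PLACEHOLDER\r\n")
AR = (b"Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail\r\n"
      b' reason="key not found in DNS" header.d=doccs.ny.gov'
      b" header.i=_at_doccs.ny.gov\r\n"
      b" header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y\r\n")
REST = b"From: <m2aieium_at_doccs.ny.gov>\r\nSubject: A D K T200\r\n\r\nA B C 99200\r\n"


def dkim_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def audit(raw, authserv_id):
    """Per DKIM-Signature: (key DNS name, (result, reason) or None if unrecorded)."""
    msg = email.message_from_bytes(raw)
    recorded = {}
    for field in msg.get_all("Authentication-Results", []):
        field = " ".join(field.split())  # unfold the header
        # Trust only our own verifier; the "/jobid" suffix seen above is ignored.
        if field.split(";", 1)[0].split("/")[0].strip() != authserv_id:
            continue
        for m in re.finditer(r"\bdkim=(\w+)([^;]*)", field):
            props = dict(re.findall(r"header\.(\w+)=(\S+)", m.group(2)))
            reason = re.search(r'reason="([^"]*)"', m.group(2))
            recorded[(props.get("d"), props.get("s"))] = (
                m.group(1), reason.group(1) if reason else None)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        t = dkim_tags(sig)
        qname = f"{t.get('s')}._domainkey.{t.get('d')}"  # TXT record the verifier fetches
        report.append((qname, recorded.get((t.get("d"), t.get("s")))))
    return report


if __name__ == "__main__":
    print(audit(AR + SIG + REST, "mail.aegee.org"))
    print(audit(SIG + REST, "mail.aegee.org"))  # no AR field: result is None
```

A `None` in the second position marks a signature for which the named verifier left no result, which is worth alerting on separately from an explicit `dkim=fail`.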
