Re: When TXT selector._domainkey… is missing, OpenDKIM still adds AR-header

From: Ken <kenfcamp_at_gmail.com>
Date: Fri, 1 Feb 2019 15:59:34 -0500

>
> So my assumption, that OpenDKIM forgets inserting AR header, when the key
> is missing from DNS, was not verified. Why
> there is no AR-header from OpenDKIM in your sample I cannot say, but this
> is significant.


We're crossing paths on this because of the delay but here it goes ;)

As I indicated in my earlier reply, the headers are from a message while it
was being held (quarantined) by the server "before" being delivered.
It's possible the header you're looking for may be applied when approved
for delivery.

Below is another sample from the same service (Microsoft, etc) sent to me
by a user on this board while he and I were doing some testing.

We found that if he used the Microsoft service DKIM would fail, however if
he used his mail server DKIM passed

Note: This message was delivered without being held (due to policy), and
the second AR header field is present

Received: from NAM05-BY2-obe.outbound.protection.outlook.com
 (mail-eopbgr710108.outbound.protection.outlook.com [40.107.71.108])
 by weaver.campbus.com (8.14.9/8.14.9) with ESMTP id x0AGldjp021472
 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL)
 for <local_user_at_campbus.com>; Thu, 10 Jan 2019 11:47:40 -0500
Authentication-Results: weaver.campbus.com; dmarc=none (p=none dis=none)
 header.from=uconn.edu
Authentication-Results: weaver.campbus.com; dkim=fail
 reason="signature verification failed" (1024-bit key)
 header.d=uconn.onmicrosoft.com header.i=_at_uconn.onmicrosoft.com
 header.b=JTRDdrro
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uconn.onmicrosoft.com
;s=selector1-uconn-edu;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=jrQocrYayNqxfudi2KWXyPQ2VABwKdRpOONJeqGuLlQ=;b=JTRDdrroZz1C9ykhj/io8eg8FknVZ3bV3lQulln2Bqw1yE95RRVFpsBIoqdFb1sRUxD+FNLQTcuynTNa47la4GCi8Urd8Rvu+ec2UVq0fpir7kmLswBkr2v/XW9x3F3dfFNrzTy2fhoO0GZ8i9xVkDz54KDhAU/V2JDxCUMUtYY=
Received: from BN7PR05MB5859.namprd05.prod.outlook.com (20.176.30.82)
 by BN7PR05MB4449.namprd05.prod.outlook.com (52.135.248.17) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 id 15.20.1516.7; Thu, 10 Jan 2019 16:47:37 +0000
Received: from BN7PR05MB5859.namprd05.prod.outlook.com
 ([fe80::99b7:f248:10c:8ff8]) by BN7PR05MB5859.namprd05.prod.outlook.com
 ([fe80::99b7:f248:10c:8ff8%3]) with mapi id 15.20.1516.015;
 Thu, 10 Jan 2019 16:47:37 +0000
Thread-Topic: testg
Thread-Index: AdSpBC7CFkywVB+dSISKqOIFCseymg==
Date: Thu, 10 Jan 2019 16:47:37 +0000
Message-ID: <BN7PR05MB585923A5A2237F898E61DD3298840_at_BN7PR05MB5859.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=xxxxxx_at_uconn.edu;
x-originating-ip: [137.99.80.129]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id:
0241aac5-5750-4e14-5bb1-08d6771b540e
x-microsoft-antispam:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020);SRVR:BN7PR05MB4449;
x-ms-traffictypediagnostic: BN7PR05MB4449:
x-microsoft-antispam-prvs: <BN7PR05MB4449B374CC065ECC2143ADA998840_at_BN7PR05MB4449.namprd05.prod.outlook.com>
x-forefront-prvs: 0913EA1D60
x-forefront-antispam-report:
SFV:NSPM;SFS:(10019020)(39860400002)(396003)(346002)(376002)(136003)(366004)(199004)(189003)(476003)(26005)(33656002)(81166006)(9686003)(102836004)(97736004)(558084003)(2906002)(256004)(7696005)(75432002)(71190400001)(8936002)(88552002)(66574012)(2351001)(7736002)(106356001)(71200400001)(25786009)(8676002)(53936002)(55016002)(1730700003)(6506007)(81156014)(186003)(105586002)(74316002)(2501003)(5640700003)(86362001)(6916009)(3480700005)(99286004)(316002)(14454004)(68736007)(478600001)(3846002)(54896002)(790700001)(6116002)(486006)(6306002)(5660300001)(7116003)(6436002)(66066001)(221733001)(786003)(217283001)(220243001)(204593002);DIR:OUT;SFP:1102;SCL:1;SRVR:BN7PR05MB4449;H:
BN7PR05MB5859.namprd05.prod.outlook.com
;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: uconn.edu does not designate
permitted sender hosts)
x-ms-exchange-senderadcheck: 1
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type:
multipart/alternative;boundary="_000_BN7PR05MB585923A5A2237F898E61DD3298840BN7PR05MB5859namp_"
MIME-Version: 1.0
X-OriginatorOrg: uconn.edu
X-MS-Exchange-CrossTenant-Network-Message-Id:
0241aac5-5750-4e14-5bb1-08d6771b540e


On Fri, Feb 1, 2019 at 3:33 PM Дилян Палаузов <dilyan.palauzov_at_aegee.org>
wrote:

> Update:
>
> > The DKIM-Signature suggests obtaining the DNS TXT record
> > selector1._domainkey.doccs.ny.gov, but this record does not
> > exist, so OpenDKIM cannot validate DKIM-Signature.
> >
>
> Right now DNS TXT selector1._domainkey.doccs.ny.gov does exist. I don’t
> know what happened earlier, I was not able to
> retrieve the record.
>
> In any case, for this simple message:
>
> From: <m2aieium_at_doccs.ny.gov>
> Date: Thu, 31 Jan 2019 23:07:10 +0000
> Subject: A D K T200
> Message-Id: <eaiti2u_at_eiau>
> To: ****_at_aegee.org
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=doccs.ny.gov
> ;s=selector200;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-
>
> SenderADCheck;bh=nle3m1ypJwIQJcEYxNcs+Ir/fcHuMGnDz4yqI+qTars=;b=0M3G0N6YRSxSUP9QdLY5O9boBg+AxQf48/z10u8TgBHEYO4GJfEUoedS
>
> H4qteMfrHDw+IQhpV+dRkv+pk0ggaxMkaWVgzGutk+NiZoRzpYoRCjcJwuCs2pRcqNpScxd/LseV2AnrAfBRi3W7Xs8ExaYN6H0Dcbm2zHqmU6oDf/k=
>
> A B C 99200
>
>
>
>
> DNS TXT selector200._domainkey.doccs.ny.gov does not exist, and on my
> system OpenDKIM adds:
>
>
> Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
> reason="key not found in DNS" header.d=doccs.ny.gov
> header.i=_at_doccs.ny.gov
> header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y
>
> So my assumption, that OpenDKIM forgets inserting AR header, when the key
> is missing from DNS, was not verified. Why
> there is no AR-header from OpenDKIM in your sample I cannot say, but this
> is significant.
>
> OpenDKIM behaves correctly even if the non-existent domain blub.ny.gov is
> used.
>
> Regards
> Дилян
>
>
>
Received on Fri Feb 01 2019 - 21:00:07 PST
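
An added example, not part of the original message and not OpenDKIM code: for each DKIM-Signature it derives the DNS TXT name a verifier queries (selector._domainkey.domain) and pairs it with the dkim= result from Authentication-Results headers carrying a trusted authserv-id, so a signature with no recorded result, the case discussed in this thread, shows up as None. The sample headers are constructed (AR values as quoted above, signature data replaced by placeholders), and the function names are hypothetical.

```python
import re
from email import message_from_string
# Constructed sample: AR values as quoted in the thread, signature data are placeholders.
SAMPLE = """\
Authentication-Results: other.example; dkim=pass header.d=example.org header.b=AAAAAAAA
Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
 reason="key not found in DNS" header.d=doccs.ny.gov
 header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=doccs.ny.gov;
 s=selector200; h=From:Date:Subject; bh=PLACEHOLDER; b=0M3G0N6YPLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; h=From;
 bh=PLACEHOLDER; b=AAAAAAAAPLACEHOLDER
"""

def parse_tags(value):
    """Parse a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # drop folding whitespace
    return tags

def dkim_results(msg, trusted_host):
    """Collect (result, header.* props, reason) from our own verifier's AR headers."""
    out = []
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(ar.split()).partition(";")
        if authserv.strip().split("/")[0].lower() != trusted_host:
            continue  # an AR header from any other authserv-id is not trusted
        for m in re.finditer(r"\bdkim=(\w+)", rest):
            seg = rest[m.start():].split(";")[0]
            props = dict(re.findall(r"header\.(\w)=(\S+)", seg))
            reason = re.search(r'reason="([^"]*)"', seg)
            out.append((m.group(1), props, reason.group(1) if reason else None))
    return out

def audit(raw, trusted_host):
    """Return (key query name, dkim result, reason) for every DKIM-Signature."""
    msg = message_from_string(raw)
    results = dkim_results(msg, trusted_host)
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        sig = parse_tags(value)
        # Match on header.d plus the header.b prefix; without header.b, on header.d only.
        hit = next((r for r in results if r[1].get("d") == sig["d"]
                    and sig["b"].startswith(r[1].get("b", ""))), (None, {}, None))
        report.append((f"{sig['s']}._domainkey.{sig['d']}", hit[0], hit[2]))
    return report
```
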
