Re: When TXT selector._domainkey… is missing, OpenDKIM still adds AR-header

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Fri, 01 Feb 2019 21:29:02 +0000

Hello,

you can hire some support to make your system run reliably.

The snippet says: “dkim=fail reason="signature verification failed" (1024-bit key)”. Obviously, next you have to
obtain the problematic message and verify whether the problem is in the signer or verifier, e.g. by using different
verifiers. If you do not have access to the message, as you wrote, then you cannot verify whether the problem is with
the signer or the verifier.

C'est la vie… some employers prefer to have broken systems, rather than empowering their employees, or just mistrust the
employees or the like…. Under these circumstances, in your place I wouldn’t consider the inconsistencies as my problem.

Regards
  Дилян

On Fri, 2019-02-01 at 15:59 -0500, Ken wrote:
> > So my assumption, that OpenDKIM forgets inserting AR header, when the key is missing from DNS, was not verified. Why
> > there is no AR-header from OpenDKIM in your sample I cannot say, but this is significant.
>
> We're crossing paths on this because of the delay but here it goes ;)
>
> As I indicated in my earlier reply, the headers are from a message while it was being held (quarantined) by the server "before" being delivered.
> It's possible the header you're looking for may be applied when approved for delivery.
>
> > Below is another sample from the same service (Microsoft, etc) sent to me by a user on this board while he and I were doing some testing.
> >
> > We found that if he used the Microsoft service DKIM would fail, however if he used his mail server DKIM passed
> > Note: This message was delivered without being held (due to policy), and the second AR header field is present
> >
>
> Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710108.outbound.protection.outlook.com [40.107.71.108]) by weaver.campbus.com (8.14.9/8.14.9) with ESMTP id x0AGldjp021472 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL) for <local_user_at_campbus.com>; Thu, 10 Jan 2019 11:47:40 -0500
> Authentication-Results: weaver.campbus.com; dmarc=none (p=none dis=none) header.from=uconn.edu
> Authentication-Results: weaver.campbus.com; dkim=fail reason="signature verification failed" (1024-bit key) header.d=uconn.onmicrosoft.com header.i=_at_uconn.onmicrosoft.com header.b=JTRDdrro
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uconn.onmicrosoft.com;s=selector1-uconn-edu;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=jrQocrYayNqxfudi2KWXyPQ2VABwKdRpOONJeqGuLlQ=;b=JTRDdrroZz1C9ykhj/io8eg8FknVZ3bV3lQulln2Bqw1yE95RRVFpsBIoqdFb1sRUxD+FNLQTcuynTNa47la4GCi8Urd8Rvu+ec2UVq0fpir7kmLswBkr2v/XW9x3F3dfFNrzTy2fhoO0GZ8i9xVkDz54KDhAU/V2JDxCUMUtYY=
> Received: from BN7PR05MB5859.namprd05.prod.outlook.com (20.176.30.82) by BN7PR05MB4449.namprd05.prod.outlook.com (52.135.248.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.7; Thu, 10 Jan 2019 16:47:37 +0000
> Received: from BN7PR05MB5859.namprd05.prod.outlook.com ([fe80::99b7:f248:10c:8ff8]) by BN7PR05MB5859.namprd05.prod.outlook.com ([fe80::99b7:f248:10c:8ff8%3]) with mapi id 15.20.1516.015; Thu, 10 Jan 2019 16:47:37 +0000
> Thread-Topic: testg
> Thread-Index: AdSpBC7CFkywVB+dSISKqOIFCseymg==
> Date: Thu, 10 Jan 2019 16:47:37 +0000
> Message-ID: <BN7PR05MB585923A5A2237F898E61DD3298840_at_BN7PR05MB5859.namprd05.prod.outlook.com>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> authentication-results: spf=none (sender IP is )
> smtp.mailfrom=xxxxxx_at_uconn.edu;
> x-originating-ip: [137.99.80.129]
> x-ms-publictraffictype: Email
> x-ms-exchange-antispam-srfa-diagnostics: SOS;
> x-ms-office365-filtering-correlation-id: 0241aac5-5750-4e14-5bb1-08d6771b540e
> x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020);SRVR:BN7PR05MB4449;
> x-ms-traffictypediagnostic: BN7PR05MB4449:
> x-microsoft-antispam-prvs: <BN7PR05MB4449B374CC065ECC2143ADA998840_at_BN7PR05MB4449.namprd05.prod.outlook.com>
> x-forefront-prvs: 0913EA1D60
> x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39860400002)(396003)(346002)(376002)(136003)(366004)(199004)(189003)(476003)(26005)(33656002)(81166006)(9686003)(102836004)(97736004)(558084003)(2906002)(256004)(7696005)(75432002)(71190400001)(8936002)(88552002)(66574012)(2351001)(7736002)(106356001)(71200400001)(25786009)(8676002)(53936002)(55016002)(1730700003)(6506007)(81156014)(186003)(105586002)(74316002)(2501003)(5640700003)(86362001)(6916009)(3480700005)(99286004)(316002)(14454004)(68736007)(478600001)(3846002)(54896002)(790700001)(6116002)(486006)(6306002)(5660300001)(7116003)(6436002)(66066001)(221733001)(786003)(217283001)(220243001)(204593002);DIR:OUT;SFP:1102;SCL:1;SRVR:BN7PR05MB4449;H:BN7PR05MB5859.namprd05.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
> received-spf: None (protection.outlook.com: uconn.edu does not designate permitted sender hosts)
> x-ms-exchange-senderadcheck: 1
> spamdiagnosticoutput: 1:99
> spamdiagnosticmetadata: NSPM
> Content-Type: multipart/alternative;boundary="_000_BN7PR05MB585923A5A2237F898E61DD3298840BN7PR05MB5859namp_"
> MIME-Version: 1.0
> X-OriginatorOrg: uconn.edu
> X-MS-Exchange-CrossTenant-Network-Message-Id: 0241aac5-5750-4e14-5bb1-08d6771b540e
>
>
> On Fri, Feb 1, 2019 at 3:33 PM Дилян Палаузов <dilyan.palauzov_at_aegee.org> wrote:
> > Update:
> >
> > > The DKIM-Signature suggests obtaining the DNS TXT record selector1._domainkey.doccs.ny.gov , but this record does not
> > > exist, so OpenDKIM cannot validate DKIM-Signature.
> > >
> >
> > Right now DNS TXT selector1._domainkey.doccs.ny.gov does exist. I don’t know what happened earlier, I was not able to
> > retrieve the record.
> >
> > In any case, for this simple message:
> >
> > From: <m2aieium_at_doccs.ny.gov>
> > Date: Thu, 31 Jan 2019 23:07:10 +0000
> > Subject: A D K T200
> > Message-Id: <eaiti2u_at_eiau>
> > To: ****_at_aegee.org
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > d=doccs.ny.gov;s=selector200;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-
> > SenderADCheck;bh=nle3m1ypJwIQJcEYxNcs+Ir/fcHuMGnDz4yqI+qTars=;b=0M3G0N6YRSxSUP9QdLY5O9boBg+AxQf48/z10u8TgBHEYO4GJfEUoedS
> > H4qteMfrHDw+IQhpV+dRkv+pk0ggaxMkaWVgzGutk+NiZoRzpYoRCjcJwuCs2pRcqNpScxd/LseV2AnrAfBRi3W7Xs8ExaYN6H0Dcbm2zHqmU6oDf/k=
> >
> > A B C 99200
> >
> >
> >
> >
> > DNS TXT selector200._domainkey.doccs.ny.gov does not exist, and on my system OpenDKIM adds:
> >
> >
> > Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
> > reason="key not found in DNS" header.d=doccs.ny.gov header.i=_at_doccs.ny.gov
> > header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y
> >
> > So my assumption, that OpenDKIM forgets inserting AR header, when the key is missing from DNS, was not verified. Why
> > there is no AR-header from OpenDKIM in your sample I cannot say, but this is significant.
> >
> > OpenDKIM behaves correctly even if the non-existent domain blub.ny.gov is used.
> >
> > Regards
> > Дилян
> >
> >
Received on Fri Feb 01 2019 - 21:29:24 PST
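
Added example, not part of the original messages and not OpenDKIM code: a small parser for the Authentication-Results values quoted in this thread that separates the two `dkim=fail` cases discussed above ("key not found in DNS" versus "signature verification failed") and names the follow-up step for each. The function names and the simplified grammar (no nested comments, no parentheses inside quoted strings) are assumptions of this sketch.

```python
import re

# Authentication-Results values copied from the two samples quoted in this thread.
SAMPLES = [
    'weaver.campbus.com; dmarc=none (p=none dis=none) header.from=uconn.edu',
    'weaver.campbus.com; dkim=fail reason="signature verification failed" '
    '(1024-bit key) header.d=uconn.onmicrosoft.com '
    'header.i=_at_uconn.onmicrosoft.com header.b=JTRDdrro',
    'mail.aegee.org/x11KMGTC013169; dkim=fail reason="key not found in DNS" '
    'header.d=doccs.ny.gov header.i=_at_doccs.ny.gov header.a=rsa-sha256 '
    'header.s=selector200 header.b=0M3G0N6Y',
]

QUOTED = r'"(?:[^"\\]|\\.)*"'
RESINFO = re.compile(r'(?:%s|[^;"])+' % QUOTED)   # split on ';' outside quotes
COMMENT = re.compile(r'\([^()]*\)')               # simplified: no nested comments
TOKEN = re.compile(r'([A-Za-z][\w.-]*)=(%s|[^\s;()]+)' % QUOTED)

def parse_ar(value):
    """Return (authserv-id, [one dict per method result]) for one header value."""
    authserv_id, _, rest = value.partition(';')
    results = []
    for resinfo in RESINFO.findall(rest):
        comments = [c[1:-1] for c in COMMENT.findall(resinfo)]
        pairs = TOKEN.findall(COMMENT.sub(' ', resinfo))
        if not pairs:
            continue
        (method, result), props = pairs[0], pairs[1:]
        entry = {'method': method, 'result': result, 'comments': comments}
        entry.update((k, v.strip('"')) for k, v in props)
        results.append(entry)
    return authserv_id.strip(), results

def triage(value):
    """For each non-passing dkim result, return (domain, reason, next step)."""
    out = []
    for r in parse_ar(value)[1]:
        if r['method'] != 'dkim' or r['result'] == 'pass':
            continue
        reason = r.get('reason', '').lower()
        if 'key not found' in reason:      # missing selector record in DNS
            step = 'check DNS TXT %s._domainkey.%s' % (
                r.get('header.s', '<selector>'), r.get('header.d', '<domain>'))
        elif 'verification failed' in reason:  # signer or verifier: undecidable here
            step = 'obtain the full message and re-verify with a second verifier'
        else:
            step = 'unclassified'
        out.append((r.get('header.d'), reason, step))
    return out
```
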
