Dkim signing is failing (according to spamassassin) and I need details to solve it

dkimdomain-name-systememailspamassassin

I am using qmail and libdkimtest to sign outgoing emails. The setup is almost exactly as per this tutorial (http://patchlog.com/security/qmail-and-dkim/).

Emails I send out have a signature added, and it looks fine to me however, spamassassin reports:

X-Spam-Report: 
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

I've added the DNS records exactly as many tutorials suggest. I've tested the DNS with http://www.sendmail.org/dkim/checker and it doesn't report any problems, and displays the public key correctly.

I would like to get more detailed errors in order to figure out why spamassassin says it isn't valid.

Thanks.

Best Answer

Send an email from that server to this address autorespond+dkim@dk.elandsys.com it will give you a report on why the verification is failing.

Related Solutions

DKIM and Request-Tracker Headers

Going to post a semi-answer here in case anybody ever runs into a similar issue and finds this via search.

I was not able to solve this problem while using the relaxed header canonicalization for DKIM signing within exim. I took example messages that were being generated by my RT and whose signatures were failing at both Gmail and Yahoo mail, and then tested them like this:

I used PHP to implement the DKIM signing algorithm as specified in the docs (http://www.dkim.org/specs/rfc4871-dkimbase.html). When I ran my message through it with relaxed/relaxed I produced the same body hash but a different message signature than my exim was producing.
I used PHP to implement the DKIM verification algorithm, then took the source of the messages as received by Gmail and Yahoo Mail and ran it through, producing identical results. I also ran messages through that had not been generated by my Request Tracker but had gone through my exim, and they were correctly passed in my verify test, just as they had on Gmail and Yahoo Mail (the purpose of this was to prove that my keys and other configuration were working properly outside of the context of RT, which they seem to be).
At this point I figured that there is either a bug or misconfiguration in the way my exim is handling DKIM signing in relaxed/relaxed. I downloaded the source for the PDKIM library that exim uses ([https://github.com/duncanthrax/pdkim]), compiled it, and then modified the testing examples to match my keys, settings, and test messages. After running the tests, I produced the same results as my PHP implementation: same hashes, same signatures.

That left me with one last option, which was to mess with the source of exim to try to determine what specific scenario was causing the message signature to change. However, I'd kind of hit my limit on how much time I wanted to spend on this.

The simple solution was to change my exim config back to simple canonicalization, which resulted in both Gmail and Yahoo Mail passing the dkim verify for messages generated by my Request Tracker. Not what I wanted, but good enough for now.

Debian – Exim doesn’t want to do DKIM signing correctly

Although I'm still not sure why isn't $sender_address correctly populated, I found a workaround solution to my problem using another variable:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

This sets the domain name correctly on the DKIM signature.

To stop signing domains I don't have a key for, I've set up two other macros:

DKIM_FILE = /etc/exim4/keys/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

These essentially just look for a private key in /etc/exim4/keys/*domain*.pem and won't sign if it doesn't exist.

Best Answer

Related Solutions

DKIM and Request-Tracker Headers

Debian – Exim doesn’t want to do DKIM signing correctly

Related Topic