Postfix + opendkim: “Sender:” and “Message-Id” fields not included in signature

postfix

I got postfix and opendkim running. postfix communicates with opendkim via unix sockets. All this works as long as I don't add some special mail header fields to the list of fields that opendkim should sign.

postfix configuration:

main.cf:

...
smtpd_milters = unix:/var/spool/postfix/milter/opendkim

non_smtpd_milters = unix:/var/spool/postfix/milter/opendkim
...

In my opendkim.conf I have this entry:

...
AlwaysSignHeaders      To,Subject,MIME-Version,Content-Type,Sender,From,Message-Id,Date,Reply-To,List-Unsubscribe
...

If I send an email with the postfix sendmail command like this

sendmail -f myenvelopefrom@mydomain.com -i -t <<EOF
From: me@mydomain.com
Sender: postmaster@mydomain.com
To: testaccount@gmail.com
Subject: Test

Test
EOF

Gmail will inform me:

dkim=hardfail

Using the

Diagnostics true

entry in opendkim.conf revealed, via the "z=…" debug mail header entry, that opendkim didn't include the "Message-Id" and "Sender" fields in the signature but reported the inclusion with the

h=From:To:Subject:Date:MIME-Version:Content-Type:Sender:Reply-To:List-Unsubscribe;

mail header entry.

Digging into this, I found out that when I remove the Message-Id and Sender fields from the "AlwaysSignHeaders" entry in opendkim.conf, then Gmail is happy again.

Because I send mail with the sendmail command I can be certain that at least the "Sender:" field has to be available to postfix and opendkim right from the start.

So if opendkim uses all the header fields that it gets, then this means postfix is not giving opendkim all header fields.
I tried to verify this by switching on verbose logging for the "cleanup" and "trivial-rewrite" processes of postfix, but I have to admit that I don't see anything useful in the logs; in particular, I can't extract the information about which mail header fields postfix is providing to opendkim. If anyone can make use of it, I can post these logs here …

I'm running out of ideas, so I hope someone can give me some useful pointers …

Best Answer

I found out the reason (with the help of the kind guys on the opendkim mailing list):

In my opendkim.conf file I had only the field

AlwaysSignHeaders       From,Sender,To,CC,Subject,Message-Id,Date

specified. It turned out that you need to add the SignHeaders field too, so now the config looks like:

...
SignHeaders             From,Sender,To,CC,Subject,Message-Id,Date
AlwaysSignHeaders       From,Sender,To,CC,Subject,Message-Id,Date
...

That's it.

Edit:

The folks from opendkim noted that AlwaysSignHeaders is deprecated; OversignHeaders should be used instead.
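
The comparison the question makes by hand with the "z=" diagnostic tag, as an added example (not part of the question, the answer, or OpenDKIM): it parses a DKIM-Signature and lists header names that h= claims but z= has no copy of, plus headers present in the message that h= leaves out. The sample message, the function names and the placeholder bh=/b= values are constructed; z= is assumed to come from a signer running with Diagnostics enabled.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample (not from the page): h= names Sender, but z= carries no copy of it.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;\n"
    "\th=From:To:Subject:Date:Sender;\n"
    "\tz=From:me@example.com|To:rcpt@example.net|Subject:Test\n"
    "\t|Date:Mon,=2001=20Jan=202024=2000:00:00=20+0000;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: me@example.com\n"
    "Sender: postmaster@example.com\n"
    "To: rcpt@example.net\n"
    "Subject: Test\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Message-Id: <constructed-1@example.com>\n"
    "\n"
    "Test\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside h= and z= is not significant; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def compare_signature(raw_message):
    """Compare the h= list with the z= copies and with the headers actually present."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = Counter(n.lower() for n in tags["h"].split(":") if n)
    # z= is a '|'-separated list of name:value copies taken at signing time.
    copied = Counter(i.split(":", 1)[0].lower() for i in tags.get("z", "").split("|") if i)
    present = Counter(k.lower() for k in msg.keys() if k.lower() != "dkim-signature")
    return {
        # Named in h= more often than z= holds a copy: the signer did not see it.
        "in_h_not_in_z": sorted(n for n in signed if signed[n] > copied[n]),
        # Named in h= more often than it occurs in the message as received.
        "in_h_not_in_message": sorted(n for n in signed if signed[n] > present[n]),
        # Present in the received message but not covered by the signature.
        "in_message_not_in_h": sorted(n for n in present if n not in signed),
    }

if __name__ == "__main__":
    print(compare_signature(SAMPLE))
```

A header that shows up under "in_h_not_in_z" but is present in the received message is the pattern described in the question for "Sender".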