ESF and DKIM check

Tod

Verified User
Joined
Jun 12, 2011
Messages
10
Hello,

i have investigated today a weird issue of one of our clients, that did not received messages sent from another user from Office 365.
In the log i have found that messages was blocked by ESF:

2018-03-21 10:19:01 1eyZtd-0009DX-PY H=dev.xxxx.com (web1.xxxx.com) [xxx.xxx.xxx.201] Warning: DKIM: Failed. reason='bodyhash_mismatch'
2018-03-21 10:19:02 1eyZtd-0009DX-PY H=dev.xxxx.com (web1.xxxx.com) [xxx.xxx.xxx.201] F=<[email protected]> rejected after DATA: Your message to <[email protected]> was classified as SPAM. Please add more content, cut down on HTML links, use fewer naughty words etc. Also, ask your IT dept to make sure your mailserver has REVERSEDNS, SPF, DKIM, and is not on any black lists. Your score: 120

In the latest default ESF config the related scores are configured in this way:
EASY_HIGH_SCORE_DROP = 100
EASY_DKIM_PASS = -20
EASY_DKIM_FAIL = 100

As you see, if the DKIM check fails then the message will be most likely dropped.

The DKIM RFC in section 6.1 (https://tools.ietf.org/html/rfc6376#section-6) states, that:
"Survivability of signatures after transit is not guaranteed, and
signatures can fail to verify through no fault of the Signer.
Therefore, a Verifier SHOULD NOT treat a message that has one or more
bad signatures and no good signatures differently from a message with
no signature at all."

Based on RFC, if the DKIM check fails, than it should be treated as a message without a DKIM signature, so it seems to me, that the value of EASY_DKIM_FAIL in ESF config is too high.

I have found few references regarding this issue:
https://blogs.msdn.microsoft.com/tzink/2015/10/08/manually-hooking-up-dkim-signing-in-office-365/

What dou you think? What should be the reasonable value of the EASY_DKIM_FAIL field?

Thanks,
T.
 
Hello,

That's your server and your client. If you think the value is too high, either set EASY_DKIM_FAIL lower or change EASY_HIGH_SCORE_DROP to a higher value.
 
Hello,

That's your server and your client. If you think the value is too high, either set EASY_DKIM_FAIL lower or change EASY_HIGH_SCORE_DROP to a higher value.

Hi, hello, thanks for the reply. I already lowered EASY_DKIM_FAIL value to 20. Just tought to give feedback, that imho the defaults aren't correct, because it can trigger false positives that's not in comply with the rfc, that's all.
 
Back
Top