Results 1 to 3 of 3

Thread: ESF and DKIM check

  1. #1
    Join Date
    Jun 2011
    Posts
    8

    ESF and DKIM check

    Hello,

    i have investigated today a weird issue of one of our clients, that did not received messages sent from another user from Office 365.
    In the log i have found that messages was blocked by ESF:

    2018-03-21 10:19:01 1eyZtd-0009DX-PY H=dev.xxxx.com (web1.xxxx.com) [xxx.xxx.xxx.201] Warning: DKIM: Failed. reason='bodyhash_mismatch'
    2018-03-21 10:19:02 1eyZtd-0009DX-PY H=dev.xxxx.com (web1.xxxx.com) [xxx.xxx.xxx.201] F=<xxx@xxx.com> rejected after DATA: Your message to <xxx@xxx.org> was classified as SPAM. Please add more content, cut down on HTML links, use fewer naughty words etc. Also, ask your IT dept to make sure your mailserver has REVERSEDNS, SPF, DKIM, and is not on any black lists. Your score: 120

    In the latest default ESF config the related scores are configured in this way:
    EASY_HIGH_SCORE_DROP = 100
    EASY_DKIM_PASS = -20
    EASY_DKIM_FAIL = 100

    As you see, if the DKIM check fails then the message will be most likely dropped.

    The DKIM RFC in section 6.1 (https://tools.ietf.org/html/rfc6376#section-6) states, that:
    "Survivability of signatures after transit is not guaranteed, and
    signatures can fail to verify through no fault of the Signer.
    Therefore, a Verifier SHOULD NOT treat a message that has one or more
    bad signatures and no good signatures differently from a message with
    no signature at all."

    Based on RFC, if the DKIM check fails, than it should be treated as a message without a DKIM signature, so it seems to me, that the value of EASY_DKIM_FAIL in ESF config is too high.

    I have found few references regarding this issue:
    https://blogs.msdn.microsoft.com/tzi...in-office-365/

    What dou you think? What should be the reasonable value of the EASY_DKIM_FAIL field?

    Thanks,
    T.

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,198
    Hello,

    That's your server and your client. If you think the value is too high, either set EASY_DKIM_FAIL lower or change EASY_HIGH_SCORE_DROP to a higher value.

  3. #3
    Join Date
    Jun 2011
    Posts
    8
    Quote Originally Posted by zEitEr View Post
    Hello,

    That's your server and your client. If you think the value is too high, either set EASY_DKIM_FAIL lower or change EASY_HIGH_SCORE_DROP to a higher value.
    Hi, hello, thanks for the reply. I already lowered EASY_DKIM_FAIL value to 20. Just tought to give feedback, that imho the defaults aren't correct, because it can trigger false positives that's not in comply with the rfc, that's all.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •