DKIM => Signature Did Not Verify

Albert

Verified User
Joined
Oct 25, 2019
Messages
33
DKIM => Signature Did Not Verify DKIM => NOT Authenticated

This DKIM problem will probably concern a lot of people; it looks like a TLS problem with the method DA uses to verify the DKIM key.

Do not confuse the MXTools DKIM test, which reports ONLY 3 lines:
- DKIM Record Published
- DKIM Syntax Check
- DKIM Public Key Check

with MXTools deliverability, which reports many more things about DKIM, with 11 lines:
NOT OK 1- DKIM Signature Verified SIGNATURE DID NOT VERIFY
2- DNS Record Published DNS Record found
3- DKIM Record Published DKIM Record found
4- DKIM Syntax Check The record is valid
5- DKIM Public Key Check Public key is present
6- DKIM Signature Syntax Check The signature is valid
7- DKIM Signature Identifier Match Signature domain match
8- DKIM Signature Alignment Signature domain in alignment.
9- DKIM Signature Duplicate Tags Signature tags are unique
10- DKIM Signature Expiration The signature is not expired
11- DKIM Signature Body Hash Verified

With this test you will probably get this
screenshot-2019-11-01-2.jpg

Apparently that's a TLS problem: DKIM is OK but not authenticated correctly!

That's the perfect config for making emails land directly in the spam box of Gmail and Microsoft Exchange users, but NOT for the best email deliverability.

DKIM has been activated with DA following this tutorial (dkim=2 setting).

PLEASE, can somebody give me feedback on the test just above?
Do you get the same result, with DKIM not authenticated?
 

Albert

Verified User
Joined
Oct 25, 2019
Messages
33
My header looks like this:

Received: from [1.0.146.43] (helo=[192.168.2.4])
by server.domain.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.92.3)
(envelope-from <postmaster@domain-sender.com>)
id 1iNtVU-0003VA-1s
for info@domain-receiver.com; Fri, 25 Oct 2019 08:55:32 +0200

And in /etc/exim.dkim.conf file I have :

Code:
#1.3
  dkim_domain = ${if eq{${lc:${domain:$h_from:}}}{}{$primary_hostname}{${lc:${domain:$h_from:}}}}
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/${lc:${domain:$h_from:}}/dkim.private.key} \
                        {/etc/virtual/${lc:${domain:$h_from:}}/dkim.private.key} \
                        {${if eq{${lc:${domain:$h_from:}}}{} \
                                {/etc/virtual/$primary_hostname/dkim.private.key} \
                                {0} \
                        }} \
                     }
  dkim_canon = relaxed
  dkim_strict = 0
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,889
Location
GMT +7.00
Whenever I test sending emails, @Gmail reports dkim=pass, and postmarkapp, which I use for DMARC reports, does not alert about failed DKIM-signed emails from my DirectAdmin-powered server.

At the same time, MXTools deliverability reports the same issue. I might think MXTools has a bug. Not too sure yet.
 

Albert

Verified User
Joined
Oct 25, 2019
Messages
33
> Whenever I test sending emails, @Gmail reports dkim=pass, and postmarkapp, which I use for DMARC reports, does not alert about failed DKIM-signed emails from my DirectAdmin-powered server.

The MXTools DKIM test will not give any error either; it will report OK, the same as your testers, because the check covers only 3 steps:
- DKIM Record Published
- DKIM Syntax Check
- DKIM Public Key Check

> At the same time, MXTools deliverability reports the same issue. I might think MXTools has a bug. Not too sure yet.

Thanks for your feedback, we can see the same errors.
I ran this same test (MXTools deliverability) from an email address which is not managed by DA, and I do not get any error; it passes the full 11 checks.

screenshot.2019-11-02.jpg

If this tool has a bug, it's only with DA :)
 

Albert

Verified User
Joined
Oct 25, 2019
Messages
33
Actually I don't understand what they check?
Apparently they are checking against the standard, RFC 6376, pages 64 | 65....

If the header is not in accordance with the rules of RFC 6376, it returns "Signature Did Not Verify"


Apparently DA is in this case... but not sure yet, first we need to investigate... For the moment, let's continue to consider that this bug is from MXTools, only with DirectAdmin, even if it does not appear with the other management panels.

which does not explain anything at all.
I found this page from Mxtools and they give more information about "DKIM authentication"

I also found a lot of complaints about that with Google

So to investigate :
I used an email box managed by PL...
I used an email box managed by DA

Here is the header result which passes MXTools deliverability with Pl...
Code:
From OK@domain-DKIM-OK.com  Sun Nov  3 03:32:31 2019
Return-Path: <OK@domain-DKIM-OK.com>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from domain-DKIM-OK.com (domain-DKIM-OK.com [12.345.67.89])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by tools.mxtoolbox.com (Postfix) with ESMTPS id 78191B5D34
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 03:32:31 +0000 (UTC)
Received: from [192.168.1.3] (unknown [117.153.183.178])
	by hr790621887.reseller.mis.ovh.net (Postfix) with ESMTPSA id 41D67607C1
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 03:34:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=domain-DKIM-OK.com; s=default; t=1572752083;
	bh=LblSjC8lppEPvZEXSqGkNk/r0lzcpZsoXtehT0XYxhI=; l=6296;
	h=To:From:Subject;
	b=I17QqDBZrYO9C7l1lIKQcbs2AQrT3z4bw5/7JLjn1RcN1Wo1tHsY47P6iy2VEe9vG
	 r4/bx2N5bwYY/OX/lkfLROirbVzjgwAaZhcL49CZ/g1LIjuHXyDVu7rD5vPv4ABq+t
	 6dHDDU/FeDi8Mhp4B3jNCzui9nwQkxG2OUmbAbdI=
Reply-To: OK@domain-DKIM-OK.com
To: ping@tools.mxtoolbox.com
From: ME <OK@domain-DKIM-OK.com>
Subject: test 1 MXTools deliverability
Organization: ME
Message-ID: <d2e0a9df-e83a-fc66-5ec0-b25918816320@domain-DKIM-OK.com>
Date: Sun, 3 Nov 2019 04:32:25 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------0AA5A43D033794E2212C4F7F"
Content-Language: fr

This is a multi-part message in MIME format.
--------------0AA5A43D033794E2212C4F7F
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Result OK
MXTools deliverability


--------------0AA5A43D033794E2212C4F7F
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

--------------0AA5A43D033794E2212C4F7F--

And here is the header result which does NOT pass MXTools deliverability with DirectAdmin
Code:
From WRONG@domain-DKIM-WRONG.com  Sun Nov  3 01:55:01 2019
Return-Path: <WRONG@domain-DKIM-WRONG.com>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from mail.domain-DKIM-WRONG.com (mail.domain-DKIM-WRONG.com [98.76.543.21])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by tools.mxtoolbox.com (Postfix) with ESMTPS id 87D53B5A21
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 01:55:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain-DKIM-WRONG.com
	; s=x; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
	Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
	:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
	List-Owner:List-Archive; bh=UkqVVdSUkCHh3d2AfL4aVEyekUynOFwHb0lwU/MTE8A=; b=C
	yhw8h09NlOvVdIvdCLRYc/H/+e+aLk9Ky4GoeIw78SWfrY9GkFy3HUWgU1YA/wX63pg37FqgBNbId
	gdxUf/rKM0fFJzkFwgPxutAcSWdA7LUpWfQ3DnvnuCGrIGK19mmx1a81geHYXZ/nx56j1dtmi0cCp
	vOR7Hy63moOubedy/OQjV8jNsYq/6JqxA==;
Received: from [117.153.183.178] (helo=[192.168.1.3])
	by vps123456.ovh.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
	(Exim 4.92.3)
	(envelope-from <WRONG@domain-DKIM-WRONG.com>)
	id 1iR56a-0000Yn-1o
	for ping@tools.mxtoolbox.com; Sun, 03 Nov 2019 02:55:00 +0100
To: ping@tools.mxtoolbox.com
From: "WRONG@domain-DKIM-WRONG.com" <WRONG@domain-DKIM-WRONG.com>
Subject: test 2 Wrong result with MXTools deliverability
Message-ID: <a5b22889-166c-a346-9c5d-4322fa2b3129@domain-DKIM-WRONG.com>
Date: Sun, 3 Nov 2019 02:54:57 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: fr
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Authenticated-Id: WRONG@domain-DKIM-WRONG.com

test 2 Wrong result with MXTools deliverability

It seems to be a header problem, do you agree? I saw something interesting about the header, and the same problems have finally been solved.

Do you know where the code lines are located for:
Code:
v=1;
a=rsa-sha256;
c=relaxed/relaxed;
d=domain.com;
s=x; 
q=dns/txt;

h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
	Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
	:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:

I would like to run some tests there, and that's not in /etc/exim.dkim.conf;
I didn't find these lines.

Thanks
 

Albert

Verified User
Joined
Oct 25, 2019
Messages
33
In some cases this problem has been solved; here is one possible solution, but it doesn't work for everybody!

Please avoid any confusion between "DKIM authenticated" AND "DKIM Signature did not verify"; they are completely different and not the same subject...
DKIM authenticated => refers to the DKIM key
DKIM Signature did not verify => refers to the DKIM-Signature header

So the DKIM key can be valid but NOT the DKIM Signature !

Then when you get 10/10 with this famous website "mail-tester.com" the check is done ONLY on DKIM Key and NOT on this parameter => DKIM-Signature Header

There are 11 steps to check DKIM:
1- DKIM Signature Verified SIGNATURE DID NOT VERIFY
OK 2- DNS Record Published DNS Record found
OK 3- DKIM Record Published DKIM Record found
OK 4- DKIM Syntax Check The record is valid
OK 5- DKIM Public Key Check Public key is present
OK 6- DKIM Signature Syntax Check The signature is valid
OK 7- DKIM Signature Identifier Match Signature domain match
OK 8- DKIM Signature Alignment Signature domain in alignment.
OK 9- DKIM Signature Duplicate Tags Signature tags are unique
OK 10- DKIM Signature Expiration The signature is not expired
OK 11- DKIM Signature Body Hash Verified

Microsoft Exchange requires this parameter to be valid (DKIM Signature header => SIGNATURE VERIFY => YES or NO) so that emails you send to a "Microsoft Exchange" or Hotmail mailbox are not classified directly into the spam folder.
Gmail seems to be less strict and will accept your email if your DKIM key is valid!

We can get 10/10 with mail-tester.com and still land in the junk box... there are more than 1000 cases on Google search....

With DA, the DKIM signature is wrong because of the header problems, if we can go by the solution given here, which solved it with some changes in the header.


If you are persistent (like me :cool:) and want to do some research and share it as I am doing, here are the Exim sources about the DKIM signature.
These files seem to return the wrong result that we get with the DKIM signature with DA.
Be ready to get a headache :eek:
https://fossies.org/dox/exim-4.92.3/pdkim_8h_source.html
https://fossies.org/dox/exim-4.92.3/dkim_8h_source.html
DomainKeys Identified Mail (DKIM) Signatures (RFC 6376)

I found another page about Exim: DKIM: Fix invalid signature verification issues

Cisco is talking about the DKIM Signature : Causes of DKIM Failures => Signature did not verify = 58%, that's the biggest error found and not only with DA...

The goal is to get a VALID DKIM-Signature header, and to find out how to get this with DirectAdmin; all help is welcome...
 
Last edited:
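
Added example, not part of the original posts and not Exim or MXToolbox code: both signatures quoted in the thread use a=rsa-sha256 and c=relaxed/relaxed, and under that assumption this Python code computes the two hashes an RFC 6376 verifier works with, which shows how "Body Hash Verified" can pass while "Signature Verified" fails. The sample message, its example.com addresses and the dummy b= value are constructed; names listed in h= but absent from the message, as in the Exim signature above, add no bytes to the signed data, which RFC 6376 section 5.4 permits.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    # RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace, trim value
    return name.strip().lower() + b":" + re.sub(rb"\s+", b" ", value).strip()

def relaxed_body_hash(body, limit=None):
    # RFC 6376 3.4.4: collapse whitespace, drop trailing blanks and empty lines
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip() for l in body.split(b"\r\n")]
    while lines and not lines[-1]:
        lines.pop()
    canon = b"".join(l + b"\r\n" for l in lines)
    canon = canon[:int(limit)] if limit else canon   # l= hashes only a prefix
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def analyse(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    # a field ends at a CRLF that is not followed by folding whitespace
    lines = re.split(rb"\r\n(?![ \t])", head)
    fields = [f.split(b":", 1) for f in lines if b":" in f]
    sig = next(v for n, v in fields if n.lower() == b"dkim-signature")
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in
            (t.split("=", 1) for t in sig.decode().split(";") if "=" in t)}
    data, absent = [], []
    for name in tags["h"].lower().split(":"):
        # RFC 6376 5.4.2: take instances bottom-up, each one only once
        hit = next((f for f in reversed(fields) if f[0].lower() == name.encode()), None)
        if hit is None:
            absent.append(name)          # listed in h= but not in the message
        else:
            fields.remove(hit)
            data.append(relaxed_header(*hit) + b"\r\n")
    # RFC 6376 3.7: the signature field goes last, with its b= value emptied
    unsigned = re.sub(rb"((?:^|;)\s*b=)[^;]*", rb"\1", sig)
    data.append(relaxed_header(b"DKIM-Signature", unsigned))
    return {"body_hash_ok": relaxed_body_hash(body, tags.get("l")) == tags["bh"],
            "header_digest": hashlib.sha256(b"".join(data)).hexdigest(),
            "absent": absent, "l_tag": "l" in tags}

# Constructed sample modelled on the Exim signature in the thread; b= is a dummy
BODY = b"test 2  \r\n\r\n"
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
          b"\td=example.com; s=x; h=Subject:From:To:Sender:Reply-To:Cc;\r\n"
          b"\tbh=" + relaxed_body_hash(BODY).encode() + b"; b=AAAA;\r\n"
          b"To: ping@example.net\r\nFrom: a@example.com\r\n"
          b"Subject: test 2\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The value in b= is an RSA signature over header_digest, so any change to a signed header after signing (a rewritten Subject, for instance) leaves body_hash_ok true and still breaks the signature; the RSA check itself is not performed here.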