DKIM => Signature Did Not Verify

Albert

Verified User
Joined
Oct 25, 2019
Messages
39
DKIM => Signature Did Not Verify DKIM => NOT Authenticated

This DKIM problem will probably concern a lot of people; it looks like a TLS problem with the method DA uses to verify the DKIM key.

Do not confuse the MXTools DKIM test, which reports ONLY 3 lines:
- DKIM Record Published
- DKIM Syntax Check
- DKIM Public Key Check

with MXTools deliverability, which reports many more things about DKIM, with 11 lines:
NOT OK 1- DKIM Signature Verified SIGNATURE DID NOT VERIFY
2- DNS Record Published DNS Record found
3- DKIM Record Published DKIM Record found
4- DKIM Syntax Check The record is valid
5- DKIM Public Key Check Public key is present
6- DKIM Signature Syntax Check The signature is valid
7- DKIM Signature Identifier Match Signature domain match
8- DKIM Signature Alignment Signature domain in alignment.
9- DKIM Signature Duplicate Tags Signature tags are unique
10- DKIM Signature Expiration The signature is not expired
11- DKIM Signature Body Hash Verified

With this test you will probably get this
screenshot-2019-11-01-2.jpg

Apparently it's a TLS problem: DKIM is OK but not authenticated correctly!

That's the perfect config for making emails land directly in the spam box of Gmail and Microsoft Exchange users, but NOT for the best email deliverability.

DKIM has been activated with DA following this tutorial (dkim=2 setting).

PLEASE, can somebody give me feedback on the test just above?
Do you get the same result, with DKIM NOT authenticated?
 

Albert

My header looks like this:

Received: from [1.0.146.43] (helo=[192.168.2.4])
by server.domain.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
(Exim 4.92.3)
(envelope-from <postmaster@domain-sender.com>)
id 1iNtVU-0003VA-1s
for info@domain-receiver.com; Fri, 25 Oct 2019 08:55:32 +0200

And in /etc/exim.dkim.conf file I have :

Code:
#1.3
  dkim_domain = ${if eq{${lc:${domain:$h_from:}}}{}{$primary_hostname}{${lc:${domain:$h_from:}}}}
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/${lc:${domain:$h_from:}}/dkim.private.key} \
                        {/etc/virtual/${lc:${domain:$h_from:}}/dkim.private.key} \
                        {${if eq{${lc:${domain:$h_from:}}}{} \
                                {/etc/virtual/$primary_hostname/dkim.private.key} \
                                {0} \
                        }} \
                     }
  dkim_canon = relaxed
  dkim_strict = 0
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,173
Location
GMT +7.00
Whenever I test sending emails, @Gmail reports dkim=pass, and postmarkapp, which I use for DMARC reports, does not alert about failed DKIM-signed emails from my DirectAdmin-powered server.

At the same time, MXTools deliverability reports the same issue. I think MXTools might have a bug. Not too sure yet.
 

Albert

Whenever I test sending emails, @Gmail reports dkim=pass, and postmarkapp, which I use for DMARC reports, does not alert about failed DKIM-signed emails from my DirectAdmin-powered server.
MXTools DKIM will not give any error either; it will report OK, same as your testers, because the check is done for only 3 steps:
- DKIM Record Published
- DKIM Syntax Check
- DKIM Public Key Check

At the same time, MXTools deliverability reports the same issue. I think MXTools might have a bug. Not too sure yet.
Thanks for your feedback, we can see the same errors.
I made this same test (MXTools deliverability) from an email address which is not managed by DA, and I do not get any error and pass the full 11 checks.

screenshot.2019-11-02.jpg

If this tool has a bug, it's only with DA :)
 

Albert

Actually I don't understand what they check.
Apparently they are checking against the standard of RFC 6376, pages 64-65...

If the header is not in accordance with the rules of RFC 6376, it returns "Signature Did Not Verify".


Apparently DA is in this case... but not sure yet, first we need to investigate... For the moment, let's continue to consider that this bug is from MXTools only with DirectAdmin, even if it does not appear with the other management panels.

which does not explain anything at all.
I found this page from MXTools and they give more information about "DKIM authentication"

I also found a lot of complaints about that with Google

So to investigate:
I used an email box managed by PL...
I used an email box managed by DA

Here is the header result which passes MXTools deliverability with Pl...
Code:
From OK@domain-DKIM-OK.com  Sun Nov  3 03:32:31 2019
Return-Path: <OK@domain-DKIM-OK.com>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from domain-DKIM-OK.com (domain-DKIM-OK.com [12.345.67.89])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by tools.mxtoolbox.com (Postfix) with ESMTPS id 78191B5D34
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 03:32:31 +0000 (UTC)
Received: from [192.168.1.3] (unknown [117.153.183.178])
	by hr790621887.reseller.mis.ovh.net (Postfix) with ESMTPSA id 41D67607C1
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 03:34:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=domain-DKIM-OK.com; s=default; t=1572752083;
	bh=LblSjC8lppEPvZEXSqGkNk/r0lzcpZsoXtehT0XYxhI=; l=6296;
	h=To:From:Subject;
	b=I17QqDBZrYO9C7l1lIKQcbs2AQrT3z4bw5/7JLjn1RcN1Wo1tHsY47P6iy2VEe9vG
	 r4/bx2N5bwYY/OX/lkfLROirbVzjgwAaZhcL49CZ/g1LIjuHXyDVu7rD5vPv4ABq+t
	 6dHDDU/FeDi8Mhp4B3jNCzui9nwQkxG2OUmbAbdI=
Reply-To: OK@domain-DKIM-OK.com
To: ping@tools.mxtoolbox.com
From: ME <OK@domain-DKIM-OK.com>
Subject: test 1 MXTools deliverability
Organization: ME
Message-ID: <d2e0a9df-e83a-fc66-5ec0-b25918816320@domain-DKIM-OK.com>
Date: Sun, 3 Nov 2019 04:32:25 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------0AA5A43D033794E2212C4F7F"
Content-Language: fr

This is a multi-part message in MIME format.
--------------0AA5A43D033794E2212C4F7F
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Result OK
MXTools deliverability


--------------0AA5A43D033794E2212C4F7F
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGh0bWw+DQogIDxoZWFkPg0KDQogICAgPG1ldGEgaHR0cC1lcXVpdj0iY29udGVudC10eXBl
IiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPg0KICA8L2hlYWQ+DQogIDxi
b2R5IHRleHQ9IiMwMDAwMDAiIGJnY29sb3I9IiNGRkZGRkYiPg0KICAgIDxwPnRlc3QgMSBh
Y2hhdCB0Zjxicj4NCiAgICA8L3A+DQogICAgPGRpdiBjbGFzcz0ibW96LXNpZ25hdHVyZSI+
LS0gPGJyPg0KICAgICAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPg0KICAgICAgPG1ldGEgY29u
dGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEiDQogICAgICAgIG5h
bWU9InZpZXdwb3J0Ij4NCiAgICAgIDxtZXRhIG5hbWU9IngtYXBwbGUtZGlzYWJsZS1tZXNz
ZGRlbiB7DQoJZGlzcGxheTpub25lOw0KCWZsb2F0OmxlZnQ7DQoJb3ZlcmZsb3c6aGlkZGVu
Ow0KCXdpZHRoOjA7DQoJbWF4LWhlaWdodDowOw0KCWxpbmUtaGVpZ2h0OjA7DQoJbXNvLWhp
ZGU6YWxsOw0KfQ0KPC9zdHlsZT4NCiAgICAgIDxkaXYgY2xhc3M9ImVzLXdyYXBwZXItY29s
b3IiIHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOiNGRkZGRkY7Ij4NCiAgICAgICAgPCEtLVtp
ZiBndGUgbXNvIDldPg0KCQkJPHY6YmFja2dyb3VuZCB4bWxuczp2PSJ1cm46c2NoZW1hcy1t
aWNyb3NvZnQtY29tOnZtbCIgZmlsbD0idCI+DQoJCQkJPHY6ZmlsbCB0eXBlPSJ0aWxlIiBj
b2xvcj0iI2ZmZmZmZiI+PC92OmZpbGw+DQoJCQk8L3Y6YmFja2dyb3VuZD4NCgkJPCFbZW5k
aWZdLS0+PGJyPg0KICAgICAgPC9kaXY+DQogICAgPC9kaXY+DQogIDwvYm9keT4NCjwvaHRt
bD4NCg==
--------------0AA5A43D033794E2212C4F7F--
And here is the header result which does NOT pass MXTools deliverability with DirectAdmin
Code:
From WRONG@domain-DKIM-WRONG.com  Sun Nov  3 01:55:01 2019
Return-Path: <WRONG@domain-DKIM-WRONG.com>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from mail.domain-DKIM-WRONG.com (mail.domain-DKIM-WRONG.com [98.76.543.21])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by tools.mxtoolbox.com (Postfix) with ESMTPS id 87D53B5A21
	for <ping@tools.mxtoolbox.com>; Sun,  3 Nov 2019 01:55:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=domain-DKIM-WRONG.com
	; s=x; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
	Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
	:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
	List-Owner:List-Archive; bh=UkqVVdSUkCHh3d2AfL4aVEyekUynOFwHb0lwU/MTE8A=; b=C
	yhw8h09NlOvVdIvdCLRYc/H/+e+aLk9Ky4GoeIw78SWfrY9GkFy3HUWgU1YA/wX63pg37FqgBNbId
	gdxUf/rKM0fFJzkFwgPxutAcSWdA7LUpWfQ3DnvnuCGrIGK19mmx1a81geHYXZ/nx56j1dtmi0cCp
	vOR7Hy63moOubedy/OQjV8jNsYq/6JqxA==;
Received: from [117.153.183.178] (helo=[192.168.1.3])
	by vps123456.ovh.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
	(Exim 4.92.3)
	(envelope-from <WRONG@domain-DKIM-WRONG.com>)
	id 1iR56a-0000Yn-1o
	for ping@tools.mxtoolbox.com; Sun, 03 Nov 2019 02:55:00 +0100
To: ping@tools.mxtoolbox.com
From: "WRONG@domain-DKIM-WRONG.com" <WRONG@domain-DKIM-WRONG.com>
Subject: test 2 Wrong result with MXTools deliverability
Message-ID: <a5b22889-166c-a346-9c5d-4322fa2b3129@domain-DKIM-WRONG.com>
Date: Sun, 3 Nov 2019 02:54:57 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: fr
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Authenticated-Id: WRONG@domain-DKIM-WRONG.com

test 2 Wrong result with MXTools deliverability
It seems to be a header problem, do you agree? I saw something interesting about the header, and the same problems have finally been solved

Do you know where the code lines are located for:
Code:
v=1;
a=rsa-sha256;
c=relaxed/relaxed;
d=domain.com;
s=x; 
q=dns/txt;

h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
	Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
	:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
I would like to run some tests there, and it's not in /etc/exim.dkim.conf;
I didn't find these lines.

Thanks
 

Albert

In some cases this problem has been solved; here is one possible solution, but it doesn't work for everybody!

Please avoid any confusion between "DKIM authenticated" AND "DKIM Signature did not verify"; they are completely different and not the same subject...
DKIM authenticated => refers to the DKIM key
DKIM Signature did not verify => refers to the DKIM-Signature header

So the DKIM key can be valid but NOT the DKIM signature!

Then when you get 10/10 with this famous website "mail-tester.com" the check is done ONLY on DKIM Key and NOT on this parameter => DKIM-Signature Header

There are 11 steps to check DKIM:
1- DKIM Signature Verified SIGNATURE DID NOT VERIFY
OK 2- DNS Record Published DNS Record found
OK 3- DKIM Record Published DKIM Record found
OK 4- DKIM Syntax Check The record is valid
OK 5- DKIM Public Key Check Public key is present
OK 6- DKIM Signature Syntax Check The signature is valid
OK 7- DKIM Signature Identifier Match Signature domain match
OK 8- DKIM Signature Alignment Signature domain in alignment.
OK 9- DKIM Signature Duplicate Tags Signature tags are unique
OK 10- DKIM Signature Expiration The signature is not expired
OK 11- DKIM Signature Body Hash Verified

Microsoft Exchange requires this parameter to be valid (DKIM Signature header => SIGNATURE VERIFY => YES or NO) for emails sent to a Microsoft Exchange or Hotmail mailbox not to be classified directly into the spam folder.
Gmail seems to be less strict and will accept your email if your DKIM key is valid!

We can get 10/10 with mail-tester.com and still land in the junk box... there are more than 1000 cases on Google search...

With DA, the DKIM signature is wrong because of the header problems, if we refer to the solution given here, which solved it with some changes in the header.


If you are persistent (like me :cool:) and want to do some research and share it as I am doing, here is the Exim source about DKIM signatures.
These files seem to return the wrong result that we get with the DKIM signature with DA.
Be ready to get a headache :eek:
https://fossies.org/dox/exim-4.92.3/pdkim_8h_source.html
https://fossies.org/dox/exim-4.92.3/dkim_8h_source.html
DomainKeys Identified Mail (DKIM) Signatures (RFC 6376)

I found another page about Exim: DKIM: Fix invalid signature verification issues

Cisco is talking about the DKIM signature: Causes of DKIM Failures => Signature did not verify = 58%; that's the biggest error found, and not only with DA...

The goal is to get a VALID DKIM-Signature header and to find out how to get this with DirectAdmin; all help is welcome...
 

mucek4

New member
Joined
Jan 17, 2020
Messages
4
Thank god it's only a 2-month-old thread. I think I have found the bug on MxToolBox.

From section 3.7. Computing the Message Hashes of the RFC:
In hash step 2, the Signer/Verifier MUST pass the following to the
hash algorithm in the indicated order.

1. The header fields specified by the "h=" tag, in the order
specified in that tag, and canonicalized using the header
canonicalization algorithm specified in the "c=" tag. Each
header field MUST be terminated with a single CRLF.

2. The DKIM-Signature header field that exists (verifying) or will
be inserted (signing) in the message, with the value of the "b="
tag (including all surrounding whitespace) deleted (i.e., treated
as the empty string), canonicalized using the header
canonicalization algorithm specified in the "c=" tag, and without
a trailing CRLF.

However, my MTA (exim) appends a semicolon after the last tag, "b=". If this semicolon is removed and the modified header is sent to MxToolBox, it's accepted with all 4 ticks green. But according to the RFC it should be "treated as the empty string", so in my opinion the semicolon shall remain.

I even found the exim line of code https://github.com/Exim/exim/blob/master/src/src/pdkim/pdkim.c#L1320 where they say "add trailing semicolon: I'm not sure if this is actually needed"

Oh well. I'll send feedback email to MxToolBox to see what they reply.

You can also try your servers against check-auth@verifier.port25.com - they reply back with a lot of data.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,396
Location
Maastricht
I'm getting curious.

I don't have that issue, or is that fixed with the latest exim.conf update? However I doubt that.

When checking with mxtoolbox I always had 4 greens. I always use my domain name with x as the selector.
Just tried with an email to check-auth as you said, and also there everything including DKIM is pass.

So what line exactly should be wrong? I don't understand.

Ah I see when using the extended report via email from mxtoolbox it indeed throws an error.
DKIM-Signature Not Verified

Luckily I always test with multiple sites, so also with the DNS checking sites sometimes there are issues. In this case a mxtoolbox bug indeed, looks like.
 

mucek4

Ok. I have created a new key with new selector mxtoolbox and posted it to my test domain cycki.cf
You can check it here https://mxtoolbox.com/SuperTool.aspx?action=dkim:cycki.cf:mxtoolbox&run=toolpage or

Now let's send email to mxtoolbox for verification. I use mxtoolbox ping email for testing
Don't know how long their link works, but here it is: https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=5379a3ac-9bac-4615-9fd9-f3ee3081d9df
Code:
Return-Path: <tomaz@cycki.cf>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from cycki.cf (unknown [157.52.211.13])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by tools.mxtoolbox.com (Postfix) with ESMTPS id 11732BBAEA
    for <ping@tools.mxtoolbox.com>; Sat, 18 Jan 2020 11:23:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cycki.cf;
     s=mxtoolbox; h=From; bh=praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=; b=lEhV
    ZUIKHllfG6JuCPOR+BW4U7jEBtg80joDkJ2gXu2lOE3gVUycstfW091AIbupIMEP1Edy2F7s0nJVM
    q4hwNW4E+gnnct8rYM81WwB8Ti+XyFXWoSKWZJ4agUmoUrRMp3m11DAQenBh8/OSpWMhjTgBlLif+
    zK9PkAYPDORYU=;
Received: from [127.0.0.1] (helo=cycki.cf)
    by cycki.cf with esmtpa (Exim 4.92)
    (envelope-from <tomaz@cycki.cf>)
    id 1ismCb-0005wt-M8
    for ping@tools.mxtoolbox.com; Sat, 18 Jan 2020 12:23:41 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Sat, 18 Jan 2020 12:23:38 +0100
From: Tomaz <tomaz@cycki.cf>
To: ping@tools.mxtoolbox.com
Subject: Test
User-Agent: Roundcube Webmail/1.4.2
Message-ID: <03a2727c1011b8d7446525749753c736@cycki.cf>
X-Sender: tomaz@cycki.cf

Test test.
There is a "DKIM-Signature" line with selector mxtoolbox, and it uses only the "from" header.
First we have to check the "body hash".
In order to do that we need to canonicalize the body. The easiest way is with bash in the console:
Code:
echo -e -n 'Test test.\r\n' > body.txt
Now let's compute the sha256sum, convert it to binary and base64-encode it.
Code:
sha256sum body.txt | awk '{print $1}' | xxd -r -p | base64
Now we shall get "praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=". Exactly what is stored in "bh=" parameter of DKIM signature. So Body Hash is right.
Now we have to create the header and sign it. The header is created from the canonicalized headers listed in the "h=" tag, with the DKIM signature added with an "empty string" for the "b=" tag.
Since our header is simple (only from), let's create a signature:
Code:
echo -e -n 'from:Tomaz <tomaz@cycki.cf>\r\n' > head1.txt
echo -e -n 'dkim-signature:v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cycki.cf; s=mxtoolbox; h=From; bh=praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=; b=;' >> head1.txt
We took the DKIM signature from the header and made the "b=" tag an empty string, BUT notice the semicolon at the end. It's a separator, and it's there because exim adds it at the end. Notice there is no new line at the end either.
Now let's create a signature. In order to create a signature we need a private key. Since I created a new one and it's my test domain, here is a private key. Store it in "private.key":
Code:
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Now, let's sign the header:
Code:
openssl dgst -sha256 -sign private.key -out sha1.sign head1.txt
and see the result
Code:
base64 sha1.sign
It should match the signature sent in the email. So why does DKIM fail? It's due to the last ";" in the DKIM signature. Let's remove it.

Code:
echo -e -n 'from:Tomaz <tomaz@cycki.cf>\r\n' > head2.txt
echo -e -n 'dkim-signature:v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cycki.cf; s=mxtoolbox; h=From; bh=praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=; b=' >> head2.txt
openssl dgst -sha256 -sign private.key -out sha2.sign head2.txt
base64 sha2.sign
We get a new signature. Let's replace this signature in email header and send it to MxToolbox. Notice I left the semicolon there as it gets removed.
New link: https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=6afa401e-71bd-414c-a35f-8c5da3b5f101

Code:
Return-Path: <tomaz@cycki.cf>
X-Original-To: ping@tools.mxtoolbox.com
Delivered-To: tools@tools.mxtoolbox.com
Received: from cycki.cf (unknown [157.52.211.13])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by tools.mxtoolbox.com (Postfix) with ESMTPS id 11732BBAEA
    for <ping@tools.mxtoolbox.com>; Sat, 18 Jan 2020 11:23:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cycki.cf;
     s=mxtoolbox; h=From; bh=praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=; b=WlgE
    BRy0oArWLdd9Ryr32xQz41K9b6+XUCkj40CIG71W3Gv+sw3N/ersMeTZQkeaJJRAzJqtrLTiyLzAt
    nUhuN49vQ4QSlMNsWrVKQr5o3JX/RHAPLZDnMsCFkPocUNEipu+a7rO42PCIEhlwyhrFn8VvuZeum
    45O/b6llkdzXc=;
Received: from [127.0.0.1] (helo=cycki.cf)
    by cycki.cf with esmtpa (Exim 4.92)
    (envelope-from <tomaz@cycki.cf>)
    id 1ismCb-0005wt-M8
    for ping@tools.mxtoolbox.com; Sat, 18 Jan 2020 12:23:41 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Sat, 18 Jan 2020 12:23:38 +0100
From: Tomaz <tomaz@cycki.cf>
To: ping@tools.mxtoolbox.com
Subject: Test
User-Agent: Roundcube Webmail/1.4.2
Message-ID: <03a2727c1011b8d7446525749753c736@cycki.cf>
X-Sender: tomaz@cycki.cf

Test test.
This email is a success, however it shouldn't be. After removing the semicolon from header it shall pass.

There is however one more interesting thing. MxToolbox for some reason can't get reliable DNS from my test domain from buddyns.com.

If you compare those with https://www.appmaildev.com/site/testfile/dkim you get right results.
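
The header-hash input described in the RFC excerpt and hand-built in the post above, as an added Python example (not part of the original thread, and not Exim's or MxToolbox's code): it applies relaxed canonicalization, deletes only the b= value, and compares the digest with and without the trailing semicolon. The b= placeholder, the extra blank body line and the `keep_trailing_semicolon` switch are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Constructed sample based on the test message quoted in the thread. The b= value
# is a made-up placeholder: it is deleted before hashing, so its content is irrelevant.
FROM_HEADER = "From: Tomaz <tomaz@cycki.cf>"
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cycki.cf;\r\n"
    "\t s=mxtoolbox; h=From; bh=praceU+zLOeenXOWhOpKsSDu1egWCr6Radsb790Hie4=; b=AAAA\r\n"
    "\tBBBB=;"
)
BODY = b"Test test.\r\n\r\n"  # constructed: body with one extra trailing empty line


def relaxed_header(raw: str) -> str:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    name, value = raw.split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares against the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def signing_input(signed, dkim_header, keep_trailing_semicolon=True) -> bytes:
    """Bytes fed to the header hash (RFC 6376 3.7, hash step 2)."""
    parts = [relaxed_header(h) + "\r\n" for h in signed]
    sig = relaxed_header(dkim_header)
    # Delete only the b= value; the ";" that follows it is a separator, not value.
    sig = re.sub(r"([:;]\s*b\s*=)[^;]*", r"\1", sig)
    if not keep_trailing_semicolon:
        # Hypothetical non-compliant verifier, as suspected in the thread.
        sig = sig.rstrip(";")
    parts.append(sig)  # the DKIM-Signature field itself gets no trailing CRLF
    return "".join(parts).encode("ascii")


def header_digest(data: bytes) -> str:
    """SHA-256 of the signing input; this digest is what the RSA signature covers."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    compliant = signing_input([FROM_HEADER], DKIM_HEADER)
    stripped = signing_input([FROM_HEADER], DKIM_HEADER, keep_trailing_semicolon=False)
    print("bh candidate :", body_hash(BODY))
    print("compliant    :", compliant.decode())
    print("digest match :", header_digest(compliant) == header_digest(stripped))
```

Because the RSA signature covers the SHA-256 digest of these bytes, a signer and a verifier that disagree on that single ";" can never agree on the signature, even when the bh= check passes.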
 

Richard G

If you compare those with https://www.appmaildev.com/site/testfile/dkim you get right results.
I tried that one and got all passed but it said DomainKey none.

So I checked that one, and that seems to be no problem.
DomainKey-Result: none (no signature)
If DKIM result is passed, you can ignore DomainKey result: none
Notice: DomainKey is obsoleted standard, the new standard is DKIM.
So since DKIM was passed and DomainKey is obsolete, that can be ignored. Looks good!
 

Albert

Do not confuse the MXTools DKIM test, which reports ONLY 3 lines:
- DKIM Record Published
- DKIM Syntax Check
- DKIM Public Key Check

with MXTools deliverability, which reports many more things about DKIM, with 11 lines:
NOT OK 1- DKIM Signature Verified SIGNATURE DID NOT VERIFY
2- DNS Record Published DNS Record found
3- DKIM Record Published DKIM Record found
4- DKIM Syntax Check The record is valid
5- DKIM Public Key Check Public key is present
6- DKIM Signature Syntax Check The signature is valid
7- DKIM Signature Identifier Match Signature domain match
8- DKIM Signature Alignment Signature domain in alignment.
9- DKIM Signature Duplicate Tags Signature tags are unique
10- DKIM Signature Expiration The signature is not expired
11- DKIM Signature Body Hash Verified
With your tests, are you talking about header problems and "header did not verify", which is the subject of this topic?

Please let me know which test from MXTools you have done, and which line gave you a warning.
Thanks
 

Dcclow

New member
Joined
Feb 15, 2020
Messages
1
I've discovered this problem myself with all sites running on my dedicated server. Can I just confirm it is actually a bug in mxtoolbox?
 

TCBOXA

New member
Joined
Jan 30, 2020
Messages
3
It's a bug, I tried the above and it passed, but on mxtoolbox it failed.

https://mxtoolbox.com/deliverability
DKIM Signature Verified Signature Did Not Verify

DKIM-Result: pass

Sent a test email to check-auth@verifier.port25.com
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: noreply@mydomain.com)
ID(s) verified: header.d=mydomain.com

Also sent myself an email from the server to my gmail account and then clicked on the down arrow to obtain the details of the email.


from:noreply@mydomain.com
to:my@gmail.com
date:Feb 18, 2020, 5:57 PM
subject:Testing verification mail
mailed-by:mydomain.com
signed-by:mydomain.com
 