DKIM => Signature Did Not Verify

I looked at it more closely.

The email sent from [email protected] had a different header than the [email protected]

[email protected] failed and generated a "signature did not verify" error:

Code:
dkim=fail (signature did not verify)

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=hostname.server.com; s=x; h=From:Message-Id:Subject:To:Date:Sender:
Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;


[email protected] passed and generated no error:

Code:
dkim=pass (signature was verified)

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=anotherdomain.com; s=x; h=Content-Type:MIME-Version:Message-ID:Date:
Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;


There is a difference between the two headers in the first part of h=

Code:
h=From:Message-Id:Subject:To:Date:Sender:Reply-To:Cc:MIME-Version:Content-Type

Code:
h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc


Does anyone have any idea why there was a difference in headers in emails sent from the same server?
 
@Meiji, could it be a DNS propagation issue, if you recently set up DKIM or changed DKIM? If so, maybe try to wait another day and test again.
 
It's not a propagation issue. I have added these domains 5 days ago, including setting up nameservers and hostname DNS.
 
Thank god it's only a 2-month-old thread. I think I have found the bug on MxToolBox.

[…]

However, my MTA (exim) appends a semicolon to the last tag, "b=". If this semicolon is removed and the modified header is sent to MxToolBox, it's accepted with all 4 ticks green. But according to the RFC it should be "treated as the empty string", so in my opinion the semicolon shall remain.

I even found the exim line of code https://github.com/Exim/exim/blob/master/src/src/pdkim/pdkim.c#L1320 where they say "add trailing semicolon: I'm not sure if this is actually needed"

Oh well. I'll send feedback email to MxToolBox to see what they reply.

I have had this bug for two years on my exim install, but it stays forgotten in Exim's Bugzilla:

I would be glad if you added your own case to this bug report, to resurrect it…
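An added illustration of the two header details raised so far in this thread (not code from exim, MxToolBox or any poster): the tag-list grammar in RFC 6376 section 3.2 permits an optional trailing semicolon, and the two h= lists from the first post name the same fields in a different order. The function names, the placeholder bh=/b= values and the strict mode, which only models a verifier that rejects the trailing semicolon, are assumptions made for this example.

```python
import re

# Constructed sample: tag list of the failing header from the first post, with
# h= cut to the part that differs, placeholder bh=/b= values, and the trailing
# semicolon that exim appends after b=.
SIG_FAIL = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hostname.server.com; s=x; "
    "h=From:Message-Id:Subject:To:Date:Sender:Reply-To:Cc:MIME-Version:Content-Type; "
    "bh=PLACEHOLDER=; b=PLACEHOLDER==;"
)
H_PASS = "Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc"

TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def parse_tag_list(value, allow_trailing_semicolon=True):
    """Parse a DKIM tag-list into a dict; raise ValueError if it is malformed."""
    parts = value.split(";")
    if parts and parts[-1].strip() == "":
        # RFC 6376 3.2: tag-list = tag-spec *( ";" tag-spec ) [ ";" ]
        if not allow_trailing_semicolon:
            raise ValueError("empty tag-spec after final ';'")
        parts.pop()
    tags = {}
    for part in parts:
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME.fullmatch(name):
            raise ValueError(f"malformed tag-spec: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        val = val.strip()
        if name in ("b", "bh", "h"):
            # Folding whitespace inside these values is not significant
            val = re.sub(r"\s+", "", val)
        tags[name] = val
    return tags


def signed_headers(h_value):
    """Return the h= field names in signing order, lower-cased for comparison."""
    return [n.strip().lower() for n in h_value.split(":") if n.strip()]


def compare_h(h_a, h_b):
    """Report whether two h= lists name the same fields and in the same order."""
    a, b = signed_headers(h_a), signed_headers(h_b)
    return {"same_set": set(a) == set(b), "same_order": a == b}
```

With the default setting the header parses; with `allow_trailing_semicolon=False` the same header is rejected, which is the behaviour the post above describes. `compare_h(parse_tag_list(SIG_FAIL)["h"], H_PASS)` shows the two signatures cover the same fields in a different order.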
 
I have the same issue, but the strange thing is, I have multiple domains on the same server and all domains work well, besides one.
outlook.com, gmail.com, yandex.com - all report dkim=fail (signature did not verify)

domain menelon.ee - OK
domain ox.ee - OK
domain pets24.ee - OK
domain 01.ee - OK
domain antivirus.ee - not OK

If I disable DKIM for the domain I get: dkim=none (message not signed)

Exactly the same DNS record, but it does not verify. What could be the issue?


PS Tested with https://www.appmaildev.com/en/dkim:

[dunno, is it safe to post here test information?]

DKIM-Result: fail (bad signature)
 
Are those real names or examples? If it's real names then you already have an error in your MX
Code:
The MX records that do not seem valid hostname:                
                                       _dc-mx.1147ea7c4c9c.antivirus.ee
                                       This can cause problems

I'm only seeing cloudflare on this so I can't check DKIM. But maybe this is doing something wrong already.
I presume you copied the DKIM record correctly to your external DNS.
 
I do not see any _dc-mx.1147ea7c4c9c.antivirus.ee in DNS settings.

MX antivirus.ee menelon.ee

Can't see here as well:
 
Maybe the record was recently changed. I found it via intodns. When looking now at this moment, it's changed to menelon.ee.

Since I now see this record change maybe only now things are synced worldwide? You still experiencing the same issues?
 
Yep, same. :(

https://www.appmaildev.com/en/dkim gives (I changed here the values, since do not know if it is safe to share it unchanged)

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=antivirus.ee; s=x; h=Subject:From:To:MIME-Version:Date:Message-ID:
Content-Type:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=MV+SbLIWX+wfPrvlcJk5sf+cios9v5iJYPY=; b=Zflr9MZripjixglFTWDec18YgP
eDlA8uG16iyIgYBcmbg1BPzAOmUZ2MXD2AymCSbsWMxn9R3Prt3O6DpenQ+FshXXcS+
QO6uJ/JkvWou42GmZoc77vsOgglnQ5VYUFtZFoNU5xDFIKrO4fZ1Fxdo8zGuC5L51z
MGDzmQScqaXe/iDbE8BoDkU9tfIhcs+YOkS9+snP3SwtlXVugsXQif2N3dBwfxXN
uBqEqT9//zIFAQ5/oIEC1rtJMf4ZWexs40OFLeyZF4YFqgyy3HVlVVOBHXKBjGBicFb7k
YGYK/4ng==;

Signed-by: xxxxxx@antivirus.ee

Expected-Body-Hash: MV+SbLIWX+wlPrvlcJk5sf+cios9v5iJYPY=

Public-Key: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtkImkBx2u2fvtu2rcBXIpA6BN3nEB04hM6cMgVEy7KGnDfCey2N8P1GOkyUj6jlWvr3p/fsSCwKK8p+fTDhBp3ywzSaqCI5kDE11UZ3dvCwQohI5WiVOw4WHqbNTfgV9H6N1NFWOnLb7d9MUxZ0cHMZehwC0+OHJCdeqt4dy0iZgHatWkmP+5UDMIVZqN4Fka608fsrYVBu/rngSFhdUNkAE1xn8L3yT+zCYp6x5PQr1z9h4PLQ4XU9g6FQQnm6hB+PXdX4OyyFD2Z7UsEOqjLL5vhJb2areFd39Q98KEcOGpBm6CM8XAghIbpOWJ6UtqmqYYvoDGghFlpYR4LVlXwIDAQAB;



DKIM-Result: fail (bad signature)
 
Check your DNS. The antivirus.ee domain has 2 different ipv4 addresses, that should not be the case.
 
Ah never mind... I see you have that on the others also. However pet24.ee has totally different ip addresses.
 
Different IP for web is right.

mail-tester.com:
Your DKIM signature is not valid

-0.1  DKIM_INVALID  DKIM or DK signature exists, but is not valid
-0.1  DKIM_SIGNED   Message has a DKIM or DK signature, not necessarily valid
This rule is automatically applied if your email contains a DKIM signature but other positive rules will also be added if your DKIM signature is valid. See immediately below.
 
See immediately below.
and what does it say there? Nothing about DKIM anymore?

It's odd that only 1 domain is having these issues. I can't get my finger behind the cause. Because when tested single, DKIM record seems a valid record.

Your public DKIM key is exactly the same as from what I see in your log above. At least... if you didn't change the public DKIM key in your log part above, since you said you change some things.

Last time I see this happening it was some DNS issue somewhere, but I don't remember where/how.
 
No, I have not changed the public part I posted here. Weird... :-/
 
Yes indeed very weird. If DKIM posted in your log is exactly the same as in the DKIM found in your DNS, then why the invalid?
I must be missing something here, but I don't see it....

Do you send mail from/via mail.antivirus.ee or do you use another name or send mail via external server?

Maybe @mxroute has some idea what's going wrong here.
 