Apologies if this message is the wrong listserv to ask this question but we are scratching our heads here.

We run our own exim mail server and are receiving reports of end users getting bounce back messages when they send email from msn.com to our mail server. Our mail server checks if DKIM email headers are present and if they are, tries to validate them. If the check fails, we reject the message.

We are noticing that Microsoft, specifically, msn.com, does *not* publish DKIM DNS text records but sends email with the DKIM email headers.

Is this normal or correct? Anyone have information or a contact at Microsoft that can fix this -- publish their DKIM records?





It seems to me that if msn.com is going to include DKIM headers in their outgoing email, they should also publish their DKIM public key. If they are not going to publish their DKIM public key, then they should not include DKIM headers in their outgoing email.


Other Microsoft email accounts and services such as hotmail.com and outlook.com publish their DKIM records. Again, it seems msn.com should as well.

If we look at a bounce back message we see the following snippet:


Generating server: PH7PR84MB1704.NAMPRD84.PROD.OUTLOOK.COM
...
Remote server returned '550 5.0.350 Remote server returned an error -> 550 DKIM: encountered the following problem validating msn.com:;pubkey_unavailable'

Original message headers:
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=msn.com; s=selector1;
...


When we try and perform a TXT DNS query to fetch the DKIM record: selector1._domainkey.msn.com we see that Microsoft does *not* publish their DKIM records:

adam@defiant ~ $ dig selector1._domainkey.msn.com TXT

; <<>> DiG 9.18.25 <<>> selector1._domainkey.msn.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13050
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;selector1._domainkey.msn.com.  IN      TXT

;; ANSWER SECTION:
selector1._domainkey.msn.com. 21170 IN CNAME www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 240 IN CNAME   a-0003.a-msedge.net.

;; AUTHORITY SECTION:
a-msedge.net. 184 IN SOA ns1.a-msedge.net. msnhst.microsoft.com. 2016092901 1800 900 2419200 240

;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Apr 03 23:04:31 PDT 2024
;; MSG SIZE  rcvd: 173

Again, this problem does *not* exist when we perform the same query to hotmail.com and outlook.com as those domains publish their DKIM TXT records: selector1._domainkey.outlook.com and selector1._domainkey.hotmail.com


--
Adam Brenner
https://aeb.io/
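
Added example, not part of the original message: a small Python classifier for the answer section of a DKIM key lookup. It separates a CNAME chain that ends without a TXT record (the answer quoted above, which RFC 6376 section 6.1.2 treats as a permanent "no key for signature" failure) from a published or revoked key. The `example.test` records, the truncated key value and the function name are constructed for illustration.

```python
import re

# Constructed samples in dig's presentation format. CNAME_ONLY mirrors the
# answer quoted in the message; the example.test records are made up and the
# key value is truncated and non-functional.
CNAME_ONLY = """\
selector1._domainkey.msn.com. 21170 IN CNAME www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 240 IN CNAME   a-0003.a-msedge.net.
"""
PUBLISHED = """\
selector1._domainkey.example.test. 300 IN CNAME selector1.keys.example.test.
selector1.keys.example.test. 300 IN TXT "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
"""
REVOKED = 'selector1._domainkey.example.test. 300 IN TXT "v=DKIM1; p="\n'

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.*)$")

def classify_dkim_answer(qname, answer_section):
    """Follow CNAMEs from qname and report (status, final owner name)."""
    cnames, txts = {}, {}
    for line in answer_section.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3)
        if rtype == "CNAME":
            cnames[owner] = rdata.strip().lower()
        else:
            # One TXT record may be split into several quoted strings.
            strings = re.findall(r'"([^"]*)"', rdata)
            txts.setdefault(owner, []).append("".join(strings))
    # Walk the CNAME chain, guarding against loops.
    name, seen = qname.lower().rstrip(".") + ".", set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    for txt in txts.get(name, []):
        tags = {k.strip(): v.strip() for k, v in
                (t.split("=", 1) for t in txt.split(";") if "=" in t)}
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            continue  # not a DKIM key record
        # An empty p= tag means the key has been revoked.
        return ("key_published" if tags["p"] else "key_revoked", name)
    return ("no_key_record", name)
```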
