Thank you for this Thomas.

We've identified the same issue on email from several different people now.

The problem appears to be a hosted mail provider that identifies itself
as "eigbox.net". It is used by several ISPs, including HostGator, that
don't have their own email service, and block outbound SMTP ports. They
then route all outbound mail traffic through eigbox.net.

The mail forwarding servers at eigbox.net add this bogus DKIM signature,
utilizing the domain name of the email sender, and a selector of "dkim"
- regardless of whether or not the domain has a selector of "dkim" - or
even if the domain supports DKIM at all! Example:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=domain.com ; s=dkim;

And of course, this is going to cause the email to fail. So it would
appear that ASSP is working correctly, and doing its job - and that (as
usual) it is misconfiguration on the sending mail server end.

On 6/12/2019 1:25 AM, Thomas Eckardt wrote:
> > "Note that a single email can contain multiple DKIM signatures, and it
> > is considered to be a DMARC "pass" if any DKIM signature is aligned and
> > verifies."
> 
> > So I'm wondering why this email is being failed by ASSP with a DKIM
> > failure even though one of the signatures in the header passes correctly.
> 
> Don't confound DKIM and DMARC!
> 
> RFC rules:
> To pass the DKIM check, every DKIM signature has to be valid.
> To pass the DMARC check, at least one DKIM signature has to align and
> has to be valid and .....
> 
> The first signature is invalid in every case, because it is a fake.
> There is no DKIM-selector 's=dkim' available for gmail.com (TXT
> dkim._domainkey.gmail.com). gmail.com currently uses only the selector
> 's=20161025' (TXT 20161025._domainkey.gmail.com)
> 
> So, the assp DKIM check fails for this mail. It is a 'hard' fail,
> because DNS fails - a soft fail would be 'the header was altered' or
> 'the body was altered'.
> 
> However, the assp DMARC check will also fail, because assp assumes that
> every DKIM signature has to be valid. There is not a single good reason,
> because a DKIM-signature should become invalid for DNS or policy reasons.
> 
> 
> Thomas



_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
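
Added example, not part of the original messages and not ASSP code: a Python sketch of the two rules discussed in this thread, "every signature valid" versus "at least one aligned and valid". DNS is replaced by a constructed set of published selector names, the cryptographic result is passed in as an assumption, and alignment is simplified to a suffix comparison.

```python
import re

# Constructed stand-in for DNS: TXT names that "exist". Only the gmail.com
# selector named in the thread is listed.
PUBLISHED_KEYS = {"20161025._domainkey.gmail.com"}

def parse_tags(value):
    """Parse a DKIM-Signature tag list (tag=value; ...) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)   # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    """DNS TXT name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def aligned(d, from_domain):
    # Simplified relaxed alignment (assumption): exact or parent/child match.
    # A real check compares organizational domains via the Public Suffix List.
    d, f = d.lower(), from_domain.lower()
    return d == f or d.endswith("." + f) or f.endswith("." + d)

def evaluate(signature_headers, from_domain, crypto_ok):
    """Return (per-signature results, every_valid, any_aligned_valid)."""
    # crypto_ok maps selector -> assumed outcome of verifying with a found key
    results = []
    for raw in signature_headers:
        tags = parse_tags(raw)
        name = key_record_name(tags)
        if name not in PUBLISHED_KEYS:
            status = "no key in DNS"        # the 'hard' fail from the thread
        elif crypto_ok.get(tags["s"], False):
            status = "pass"
        else:
            status = "bad signature"
        results.append((name, status, aligned(tags["d"], from_domain)))
    every_valid = all(s == "pass" for _, s, _ in results)
    any_aligned_valid = any(s == "pass" and a for _, s, a in results)
    return results, every_valid, any_aligned_valid

# Constructed sample modelled on the thread (b=/bh= omitted): relay-added
# signature first, the sender's own signature second.
SAMPLE = [
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n d=gmail.com ; s=dkim;",
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;",
]
```

Calling evaluate(SAMPLE, "gmail.com", {"20161025": True}) shows the first signature failing at key lookup while the second passes, so the two rules give different verdicts for the same mail.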