On 9/17/19 7:33 AM, Mikolaj Kucharski wrote: > On Tue, Sep 17, 2019 at 12:03:34AM +0100, Stuart Henderson wrote: >>> I used this port and it worked for me. Initially I could not get >>> DKIM pass with GMail, but with -c relaxed/relaxed Google is now >>> happy. >> >> it's probably worth figuring out what's going on without that setting, but >> generally relaxed/relaxed is recommended anyway >> >> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/ >> https://wordtothewise.com/2018/07/minimal-dmarc/ > > I'm not sure what was the problem, as when took the same emails as raw > mbox file and tested it with: > > - https://www.appmaildev.com/en/dkim > - dkimverify.pl from p5-Mail-DKIM-0.54 > - dkimverify from dkimpy 0.9.3 > > they all reported as DKIM pass. My emails were plain text, sent via Mutt > with only few random characters in the email body. > tl;dr: Can you give this one a try?
So this took me way longer than I'd like considering the reason. First of, I tested the following platforms without issues: - office365 - yahoo - yandex - p5-DKIM - manual (yes, you can do it manually with openssl(1)). The reason google failed is because my header was named DKIM-signature instead of DKIM-Signature (note the capital S). Headers are case insensitive and this is also the case with google, since it does recognize the header (else we wouldn't have the fail-line). The problem is that google changes the header-name back to DKIM-Signature before validating, which is in violation with RFC6376 section 3.4.1: Header fields MUST be presented to the signing or verification algorithm exactly as they are in the message being signed or verified. If anyone has a line to the google devs, please let them know. martijn@
dkimsign.tar.gz
Description: application/gzip
