On 08/03/2025 at 20:37, Waldo Nell via Postfix-users wrote:
I received an email sent via HubSpot. It has two DKIM signatures.
Postfix shows this:
Authentication-Results: DOMAIN1;
dkim=pass (2048-bit key; secure) header.d=DOMAIN2 header.i=@DOMAIN2
header.a=rsa-sha256 header.s=hs1 header.b=IrJ0eBW4;
dkim=pass (2048-bit key; unprotected) header.d=DOMAIN3
header.i=@DOMAIN3 header.a=rsa-sha256 header.s=hs1 header.b=TW8kchP4;
dkim-atps=neutral
Why does the second line show "unprotected"? I have read in another
post on this mailing list that it might be DNSSEC that is missing but
as far as I can tell that is not true:
dig +dnssec hs1._domainkey.DOMAIN3
;; ANSWER SECTION:
hs1._domainkey.DOMAIN3. 3453 IN CNAME MASKED.hs01a.dkim.hubspotemail.net.
hs1._domainkey.DOMAIN3. 3453 IN RRSIG CNAME 8 4 3600 20250329001349
20250307001349 5263 DOMAIN3.
Q0P4wEMGtLucFFPKSlrbvkofzV0r5yslBHdU6kkF0MOIpoqEBs7+r67N
ZBAcH5lbjdhyJyRukw4VCt44UFn25tou4iHTHHKtd6zlJdwRoQxZO9SD
j1vanK/6Zt0rYf4nlGzNQfuV3e+SegZQwz7wot7EU2Xf+q2Cjuj7cGvR t4g=
So the "hs1" selector does have DNSSEC on the DNS server for domain
DOMAIN3, to which the second dkim=pass line points. What am I
misunderstanding?
- Waldo
From DNSSEC point of view:
The final value of the DNS entry (hs1._domainkey.DOMAIN3) is behind a
CNAME indirection. The target of the CNAME
(MASKED.hs01a.dkim.hubspotemail.net.) and its value(s) is/are not DNSSEC
protected. So the final expected (TXT in the DKIM selector context)
value of hs1._domainkey.DOMAIN3 is not DNSSEC protected.
Emmanuel.
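
The CNAME indirection described in the reply above, as an added example that is not part of the original thread: a small Python parser that walks a `dig +dnssec` answer section from the selector name to the final TXT record and reports which hops carry an RRSIG. The sample answer is constructed (the TXT line and the shortened signature and key values are made up; DOMAIN3 and MASKED are the thread's own placeholders), and RRSIG presence is used here as a simplified stand-in for what a validating resolver decides over the whole chain.

```python
# Constructed sample: a dig +dnssec answer section in the shape shown in the thread.
# The TXT record and the shortened signature/key values are made up for this example.
SAMPLE = """\
hs1._domainkey.DOMAIN3. 3453 IN CNAME MASKED.hs01a.dkim.hubspotemail.net.
hs1._domainkey.DOMAIN3. 3453 IN RRSIG CNAME 8 4 3600 20250329001349 20250307001349 5263 DOMAIN3. c2FtcGxl
MASKED.hs01a.dkim.hubspotemail.net. 300 IN TXT "v=DKIM1; k=rsa; p=c2FtcGxl"
"""

def parse_answer(text):
    """Return ({(owner, type): rdata}, {(owner, covered_type)}) from dig answer lines."""
    rrsets, signed = {}, set()
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or line.startswith(";"):
            continue  # skip comments, blank lines and wrapped fragments
        owner, _ttl, _cls, rtype, rdata = parts
        owner = owner.lower()
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))  # first RRSIG field is the type covered
        else:
            rrsets[(owner, rtype)] = rdata
    return rrsets, signed

def walk_chain(text, qname, qtype="TXT", max_hops=8):
    """Follow CNAMEs from qname to qtype; return (owner, type, has_rrsig) per hop."""
    rrsets, signed = parse_answer(text)
    hops, name = [], qname.lower()
    for _ in range(max_hops):
        if (name, qtype) in rrsets:
            hops.append((name, qtype, (name, qtype) in signed))
            return hops
        if (name, "CNAME") not in rrsets:
            break
        hops.append((name, "CNAME", (name, "CNAME") in signed))
        name = rrsets[(name, "CNAME")].split()[0].lower()
    raise LookupError(f"no {qtype} record reached from {qname}")

def verdict(hops):
    # One unsigned RRset anywhere in the chain leaves the final key unprotected.
    return "secure" if all(has_sig for _, _, has_sig in hops) else "unprotected"

if __name__ == "__main__":
    hops = walk_chain(SAMPLE, "hs1._domainkey.DOMAIN3.")
    for owner, rtype, has_sig in hops:
        print(f"{owner:45} {rtype:6} {'RRSIG' if has_sig else 'no RRSIG'}")
    print(verdict(hops))
```

Against a live validating resolver, the equivalent signal is whether the `ad` flag is set on the TXT query for the selector name.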