Re: DKIM Verification Failures
Lucas Gabriel Vuotto writes:

> On Fri, Apr 05, 2024 at 08:29:20PM -0500, Robert B. Carleton wrote:
>> ---cut here---
>> 600 IN TXT "v=spf1 ip4:155.138.244.69
>> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
>> _dmarc 600 IN TXT
>> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
>>
>> dk-rsa-20240404._domainkey 600 IN TXT
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-ed25519-20240404._domainkey 600 IN TXT
>> v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=
>>
>> dk-metis-rsa-20240404._domainkey600 IN TXT
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-metis-ed25519-20240404._domainkey600 IN TXT
>> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
>> ---cut here---
>>
>> Then metis.rbcarleton.net:
>>
>> ---cut here---
>> 600 IN TXT "v=spf1 ip4:155.138.244.69
>> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
>> _dmarc.metis 600 IN TXT
>> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
>> dk-metis-rsa-20240404._domainkey600 IN TXT
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-metis-ed25519-20240404._domainkey600 IN TXT
>> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
>> ---cut here---
>
> As said in other reply, your record is only "v=DKIM1". Assuming the text
> you shared is part of your zonefile, you should surround the value with
> double-quotes or escape the ";", as it's interpreted as a comment. Also
> remember to split the value every 255 characters. You can achieve that
> with this small script:
>
> echo "v=DKIM1;..." | perl -nE 'say join(" ", map {qq{"$_"}}
> unpack("(A255)*", $_))'
>
> hth,
> Lucas

Thanks for everyone's help. TXT record strings that were too long, and not using quotes were the issues. Thanks again for pushing me over the finish line.

Best,

--Bruce
Re: DKIM Verification Failures
On Fri, Apr 05, 2024 at 08:29:20PM -0500, Robert B. Carleton wrote:
> ---cut here---
> 600 IN TXT "v=spf1 ip4:155.138.244.69
> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
> _dmarc 600 IN TXT
> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
>
> dk-rsa-20240404._domainkey 600 IN TXT
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-ed25519-20240404._domainkey 600 IN TXT
> v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=
>
> dk-metis-rsa-20240404._domainkey600 IN TXT
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-metis-ed25519-20240404._domainkey600 IN TXT
> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
> ---cut here---
>
> Then metis.rbcarleton.net:
>
> ---cut here---
> 600 IN TXT "v=spf1 ip4:155.138.244.69
> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
> _dmarc.metis 600 IN TXT
> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
> dk-metis-rsa-20240404._domainkey600 IN TXT
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-metis-ed25519-20240404._domainkey600 IN TXT
> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
> ---cut here---

As said in other reply, your record is only "v=DKIM1". Assuming the text you shared is part of your zonefile, you should surround the value with double-quotes or escape the ";", as it's interpreted as a comment. Also remember to split the value every 255 characters. You can achieve that with this small script:

    echo "v=DKIM1;..." | perl -nE 'say join(" ", map {qq{"$_"}} unpack("(A255)*", $_))'

hth,
Lucas
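The failure diagnosed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how a zone-file parser reads TXT rdata, where an unquoted ";" starts a comment and each character-string is limited to 255 bytes. `SAMPLE_KEY` and the function names are constructed for illustration, ASCII input is assumed, and decimal `\DDD` escapes are not modelled.

```python
SAMPLE_KEY = "A" * 392  # constructed stand-in for a base64 RSA public key


def published_strings(rdata):
    """Return the character-strings a zone parser keeps from a TXT rdata field."""
    strings, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] == ";":  # unquoted ';': the rest of the line is a comment
            break
        quoted = rdata[i] == '"'
        if quoted:
            i += 1
        buf = []
        while i < n:
            c = rdata[i]
            if c == "\\" and i + 1 < n:  # backslash escapes the next character
                buf.append(rdata[i + 1])
                i += 2
                continue
            if (quoted and c == '"') or (not quoted and (c.isspace() or c == ";")):
                break
            buf.append(c)
            i += 1
        if quoted:
            if i >= n:
                raise ValueError("unterminated quoted string")
            i += 1  # skip the closing quote
        if len("".join(buf).encode()) > 255:
            raise ValueError("character-string longer than 255 bytes")
        strings.append("".join(buf))
    return strings


def to_zone_rdata(value, limit=255):
    """Quote a TXT value and split it into character-strings of <= limit bytes."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % c.replace("\\", "\\\\").replace('"', '\\"') for c in chunks)


def effective_value(rdata):
    """What a DKIM verifier uses: the strings joined with nothing in between."""
    return "".join(published_strings(rdata))
```

For an unquoted `v=DKIM1;p=...` value, `effective_value` returns only `v=DKIM1`, matching the `dig` output reported in the thread; the output of `to_zone_rdata` round-trips to the full record.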
Re: DKIM Verification Failures
Hi,

> DKIM verification of my emails has been failing for outbound email when
> received by other systems. This email contains those signatures. I don't
> check DKIM inbound so that's not a concern. I created DNS entries for
> both rsa and ed25519 keys.

The public TXT DNS records of dk-rsa-20240404._domainkey and dk-metis-rsa-20240404._domainkey only contain "v=DKIM1".

$ dig +short txt dk-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"
$ dig +short txt dk-metis-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"

In regards to metis.rbcarleton.net no TXT records show up at all.

$ dig +short txt dk-metis-rsa-20240404._domainkey.metis.rbcarleton.net
$ dig +short txt dk-metis-ed25519-20240404._domainkey.metis.rbcarleton.net

> I've also done some reading to sanity check my DNS. Any suggestions.
> I'm kind of stumped.

It has to be a problem with your DNS. The public doesn't see what you see/think you have put in.

https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-metis-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3ametis.rbcarleton.net%3adk-metis-rsa-20240404

For when you have fixed your DNS: https://dkimvalidator.com is a nice test.
RE: DKIM Verification Failures
Something appears to be wrong with your DNS records. Using mxtoolbox and easydmarc's dkim validators with your selectors, the response is only v=DKIM1 and is missing the public key p= portion.

I would start with wrapping the text portion with quotes. Otherwise your DNS server may need the key split up into chunks.

Regards,
-Andrew

-Original Message-
From: Robert B. Carleton
Sent: Friday, April 5, 2024 6:29 PM
To: misc@opensmtpd.org
Subject: DKIM Verification Failures

DKIM verification of my emails has been failing for outbound email when received by other systems. This email contains those signatures. I don't check DKIM inbound so that's not a concern. I created DNS entries for both rsa and ed25519 keys.

The subject hosts are metis.rbcarleton.net (internal) and terminus.rbcarleton.net (external). I use smtpd for my MTAs, and use the opensmtpd-filter-dkimsign-0.5p2 package to sign my outbound emails. I'm running OpenBSD 7.4.

Here's the SPF/DMARC/DKIM DNS for rbcarleton.net:

---cut here---
600 IN TXT "v=spf1 ip4:155.138.244.69 ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc 600 IN TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"

dk-rsa-20240404._domainkey 600 IN TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-ed25519-20240404._domainkey 600 IN TXT
v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=

dk-metis-rsa-20240404._domainkey600 IN TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

Then metis.rbcarleton.net:

---cut here---
600 IN TXT "v=spf1 ip4:155.138.244.69 ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc.metis 600 IN TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"
dk-metis-rsa-20240404._domainkey600 IN TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

I was selective in what I included in the email for the sake of brevity. I figured dig would be used to see the rest. I followed the opensmtpd-filter-dkimsign pkg-readme.

I've also done some reading to sanity check my DNS. Any suggestions. I'm kind of stumped. It's probably something silly, but managing MTAs isn't my day job, so I have less wisdom for this than I should.

TIA,

--Bruce
DKIM Verification Failures
DKIM verification of my emails has been failing for outbound email when received by other systems. This email contains those signatures. I don't check DKIM inbound so that's not a concern. I created DNS entries for both rsa and ed25519 keys.

The subject hosts are metis.rbcarleton.net (internal) and terminus.rbcarleton.net (external). I use smtpd for my MTAs, and use the opensmtpd-filter-dkimsign-0.5p2 package to sign my outbound emails. I'm running OpenBSD 7.4.

Here's the SPF/DMARC/DKIM DNS for rbcarleton.net:

---cut here---
600 IN TXT "v=spf1 ip4:155.138.244.69 ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc 600 IN TXT "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;

dk-rsa-20240404._domainkey 600 IN TXT v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-ed25519-20240404._domainkey 600 IN TXT v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=

dk-metis-rsa-20240404._domainkey600 IN TXT v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN TXT v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

Then metis.rbcarleton.net:

---cut here---
600 IN TXT "v=spf1 ip4:155.138.244.69 ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc.metis 600 IN TXT "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
dk-metis-rsa-20240404._domainkey600 IN TXT v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN TXT v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

I was selective in what I included in the email for the sake of brevity. I figured dig would be used to see the rest. I followed the opensmtpd-filter-dkimsign pkg-readme.

I've also done some reading to sanity check my DNS. Any suggestions. I'm kind of stumped. It's probably something silly, but managing MTAs isn't my day job, so I have less wisdom for this than I should.

TIA,

--Bruce