Re: DKIM Verification Failures

2024-04-06 Thread Robert B. Carleton
Lucas Gabriel Vuotto  writes:

> On Fri, Apr 05, 2024 at 08:29:20PM -0500, Robert B. Carleton wrote:
>> ---cut here---
>> 600 IN  TXT "v=spf1 ip4:155.138.244.69 
>> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
>> _dmarc   600   IN  TXT 
>> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
>> 
>> dk-rsa-20240404._domainkey  600 IN  TXT 
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-ed25519-20240404._domainkey  600 IN  TXT 
>> v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=
>> 
>> dk-metis-rsa-20240404._domainkey600 IN  TXT 
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-metis-ed25519-20240404._domainkey600 IN  TXT 
>> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
>> ---cut here---
>> 
>> Then metis.rbcarleton.net:
>> 
>> ---cut here---
>> 600 IN  TXT "v=spf1 ip4:155.138.244.69 
>> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
>> _dmarc.metis   600   IN  TXT 
>> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
>> dk-metis-rsa-20240404._domainkey600 IN  TXT 
>> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
>> dk-metis-ed25519-20240404._domainkey600 IN  TXT 
>> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
>> ---cut here---
>
> As said in other reply, your record is only "v=DKIM1". Assuming the text
> you shared is part of your zonefile, you should surround the value with
> double-quotes or escape the ";", as it's interpreted as a comment. Also
> remember to split the value every 255 characters. You can achieve that
> with this small script:
>
>   echo "v=DKIM1;..." | perl -nE 'say join(" ", map {qq{"$_"}} unpack("(A255)*", $_))'
>
> hth,
>   Lucas

Thanks for everyone's help. TXT record strings that were too long, and
not using quotes were the issues. Thanks again for pushing me over the
finish line.

Best,

--Bruce





Re: DKIM Verification Failures

2024-04-06 Thread Lucas Gabriel Vuotto
On Fri, Apr 05, 2024 at 08:29:20PM -0500, Robert B. Carleton wrote:
> ---cut here---
> 600 IN  TXT "v=spf1 ip4:155.138.244.69 
> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
> _dmarc   600   IN  TXT 
> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
> 
> dk-rsa-20240404._domainkey  600 IN  TXT 
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-ed25519-20240404._domainkey  600 IN  TXT 
> v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=
> 
> dk-metis-rsa-20240404._domainkey600 IN  TXT 
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-metis-ed25519-20240404._domainkey600 IN  TXT 
> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
> ---cut here---
> 
> Then metis.rbcarleton.net:
> 
> ---cut here---
> 600 IN  TXT "v=spf1 ip4:155.138.244.69 
> ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
> _dmarc.metis   600   IN  TXT 
> "v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
> dk-metis-rsa-20240404._domainkey600 IN  TXT 
> v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
> dk-metis-ed25519-20240404._domainkey600 IN  TXT 
> v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
> ---cut here---

As said in other reply, your record is only "v=DKIM1". Assuming the text
you shared is part of your zonefile, you should surround the value with
double-quotes or escape the ";", as it's interpreted as a comment. Also
remember to split the value every 255 characters. You can achieve that
with this small script:

echo "v=DKIM1;..." | perl -nE 'say join(" ", map {qq{"$_"}} unpack("(A255)*", $_))'

hth,
Lucas
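
Added example, not part of the original thread or any poster's code: a Python check that mimics how a zone-file parser reads TXT RDATA, showing why the unquoted record publishes only "v=DKIM1" and what the quoted form split every 255 characters yields. The function names and the placeholder key in SAMPLE are constructed for illustration.

```python
SAMPLE = "v=DKIM1;k=rsa;p=" + "A" * 392  # constructed placeholder, not a real key

def effective_txt(rdata):
    """Character-strings a master-file parser keeps from TXT RDATA: an unquoted,
    unescaped ';' starts a comment, so the rest of the line is dropped."""
    strings, cur, quoted, i = [], "", False, 0
    while i < len(rdata):
        c = rdata[i]
        if c == "\\" and i + 1 < len(rdata):   # \; or \" is taken literally
            cur += rdata[i + 1]
            i += 2
            continue
        if c == '"':                            # quote opens or closes a string
            if quoted:
                strings.append(cur)
                cur = ""
            quoted = not quoted
        elif quoted:
            cur += c
        elif c == ";":                          # comment: parser stops here
            break
        elif c.isspace():                       # whitespace ends a bare token
            if cur:
                strings.append(cur)
                cur = ""
        else:
            cur += c
        i += 1
    if cur:
        strings.append(cur)
    return strings

def lint_txt(rdata):
    """Return (value a verifier would assemble, list of problems)."""
    kept = effective_txt(rdata)
    value = "".join(kept)                       # strings are joined with no separator
    problems = []
    if any(len(s.encode()) > 255 for s in kept):
        problems.append("character-string longer than 255 bytes")
    if value.startswith("v=DKIM1") and "p=" not in value:
        problems.append("no p= tag published")
    return value, problems

def to_rdata(value, size=255):
    """Quote the value and split it into strings of at most `size` characters."""
    if '"' in value or "\\" in value:
        raise ValueError("quotes and backslashes are not expected in a DKIM value")
    return " ".join('"%s"' % value[i:i + size] for i in range(0, len(value), size))
```

Running lint_txt on a candidate RDATA line before reloading the zone catches both failure modes reported in this thread.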



Re: DKIM Verification Failures

2024-04-05 Thread Thomas Bohl

Hi,


> DKIM verification of my emails has been failing for outbound email when
> received by other systems. This email contains those signatures. I don't
> check DKIM inbound so that's not a concern.
>
> I created DNS entries for both rsa and ed25519 keys.


The public TXT DNS record of dk-rsa-20240404._domainkey and 
dk-metis-rsa-20240404._domainkey only contain "v=DKIM1".


$ dig +short txt dk-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"

$ dig +short txt dk-metis-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"


In regards to metis.rbcarleton.net no TXT records show up at all.

$ dig +short txt dk-metis-rsa-20240404._domainkey.metis.rbcarleton.net

$ dig +short txt dk-metis-ed25519-20240404._domainkey.metis.rbcarleton.net



> I've also done some
> reading to sanity check my DNS. Any suggestions? I'm kind of
> stumped.


It has to be a problem with your DNS. The public doesn't see what you 
see/think you have put in.


https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-metis-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3ametis.rbcarleton.net%3adk-metis-rsa-20240404


For when you have fixed your DNS: https://dkimvalidator.com is a nice test.




RE: DKIM Verification Failures

2024-04-05 Thread Andrew Stuart
Something appears to be wrong with your DNS records. Using mxtoolbox and
easydmarc's dkim validators with your selectors, the response is only
v=DKIM1 and is missing the public key p= portion.
I would start with wrapping the text portion with quotes. Otherwise your DNS
server may need the key split up into chunks. 

Regards,
-Andrew

-Original Message-
From: Robert B. Carleton  
Sent: Friday, April 5, 2024 6:29 PM
To: misc@opensmtpd.org
Subject: DKIM Verification Failures

DKIM verification of my emails has been failing for outbound email when
received by other systems. This email contains those signatures. I don't
check DKIM inbound so that's not a concern.

I created DNS entries for both rsa and ed25519 keys. The subject hosts are
metis.rbcarleton.net (internal) and terminus.rbcarleton.net (external). I
use smtpd for my MTAs, and use the
opensmtpd-filter-dkimsign-0.5p2 package to sign my outbound emails. I'm
running OpenBSD 7.4.

Here's the SPF/DMARC/DKIM DNS for rbcarleton.net:

---cut here---
600 IN  TXT "v=spf1 ip4:155.138.244.69
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc   600   IN  TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"

dk-rsa-20240404._domainkey  600 IN  TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-ed25519-20240404._domainkey  600 IN  TXT
v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=

dk-metis-rsa-20240404._domainkey600 IN  TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN  TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

Then metis.rbcarleton.net:

---cut here---
600 IN  TXT "v=spf1 ip4:155.138.244.69
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc.metis   600   IN  TXT
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dma
r...@rbcarleton.net"
dk-metis-rsa-20240404._domainkey600 IN  TXT
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w
3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qR
ZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpq
vdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0
z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3Vk
CasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN  TXT
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

I was selective in what I included in the email for the sake of brevity. I
figured dig would be used to see the rest.

I followed the opensmtpd-filter-dkimsign pkg-readme. I've also done some
reading to sanity check my DNS. Any suggestions? I'm kind of stumped. It's
probably something silly, but managing MTAs isn't my day job, so I have less
wisdom for this than I should.

TIA,

--Bruce






DKIM Verification Failures

2024-04-05 Thread Robert B. Carleton
DKIM verification of my emails has been failing for outbound email when
received by other systems. This email contains those signatures. I don't
check DKIM inbound so that's not a concern.

I created DNS entries for both rsa and ed25519 keys. The subject hosts
are metis.rbcarleton.net (internal) and terminus.rbcarleton.net
(external). I use smtpd for my MTAs, and use the
opensmtpd-filter-dkimsign-0.5p2 package to sign my outbound emails. I'm
running OpenBSD 7.4.

Here's the SPF/DMARC/DKIM DNS for rbcarleton.net:

---cut here---
600 IN  TXT "v=spf1 ip4:155.138.244.69 
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc   600   IN  TXT 
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;

dk-rsa-20240404._domainkey  600 IN  TXT 
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-ed25519-20240404._domainkey  600 IN  TXT 
v=DKIM1;k=ed25519;p=xWqw3KWGhpEmIw5M0/eNi3SKcA6euhAmPh3Xs/vhPxs=

dk-metis-rsa-20240404._domainkey600 IN  TXT 
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN  TXT 
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

Then metis.rbcarleton.net:

---cut here---
600 IN  TXT "v=spf1 ip4:155.138.244.69 
ip6:2001:19f0:6402:39e:5400:4ff:fe49:8b44 a mx -all"
_dmarc.metis   600   IN  TXT 
"v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dm...@rbcarleton.net;
dk-metis-rsa-20240404._domainkey600 IN  TXT 
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqZNKQgFO2yTVwVmDr+t2w3ez+q1NOEcSSRmHEwK9PnD+grQYHgJeKNpUi3E4xHBDR/HVWxC4aRsZqOIj71SVzRY6GmDV7y2qRZWk4eNOT16u/dedjQFJO7H9lP221zbgGzCI2Kbut1ZVCYttr5qi6L1zuIQvbPJrlwgZpyK+x3wpqvdBmDwdrBFOpLKsODrXsIflsE7NK2TQFJsy4EnVn2FACjiq+X1ut1DMT/If3wzA9q2yjT6kRCwT0z28icAUtF6JHXGmrmWAcLYiLX/ARnVaC7wrZnZ5462AWRXi/hqvfhPHoH7tdMzmmwHBQUsK7I3VkCasVm7VBNKza/0twIDAQAB
dk-metis-ed25519-20240404._domainkey600 IN  TXT 
v=DKIM1;k=ed25519;p=Ro41ZKYFrQ8n3wlyDnj2wARjTc5VVrePBawtMNy83GE=
---cut here---

I was selective in what I included in the email for the sake of
brevity. I figured dig would be used to see the rest.

I followed the opensmtpd-filter-dkimsign pkg-readme. I've also done some
reading to sanity check my DNS. Any suggestions? I'm kind of
stumped. It's probably something silly, but managing MTAs isn't my day
job, so I have less wisdom for this than I should.

TIA,

--Bruce