> > Amavisd-new works fine here. Maybe $enable_dkim_verification or something > is different. >
It's good to know you're using amavisd. It's very dependent upon the SA version you're using, though. It appears both DKIM and DMARC worked until the May 29th version from svn (1901385). At some point after that, and even until yesterday's version, DKIM stopped working. DMARC still passes with SPF, but there are no longer any occurrences of DKIM. Nothing changed with amavisd. $ grep dkim amavisd.conf $sa_debug = 'info,dkim,DMARC,dmarc'; $enable_dkim_verification = 1; # enable DKIM signatures verification $enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key With the broken versions, DKIM still seems to be evaluated, but no DKIM rules are triggered. Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: signatures provided by the caller, 2 signatures Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: adsp: performing lookup on _adsp._domainkey.agoda.com Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: adsp result: U/unknown (dns: unknown), author domain 'agoda.com' Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: VALID signature by agoda.com, author no-re...@agoda.com, no valid matches Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: VALID signature by agoda.com, author no-re...@agoda.com, no valid matches Jun 26 12:40:08 xavier amavis[752588]: (752588-04) SA dbg: dkim: author no-re...@agoda.com, not in any dkim welcomelist Jun 26 12:40:09 xavier amavis[752588]: (752588-04) SA dbg: DMARC: result: pass, disposition: none, dkim: fail, spf: pass (spf: pass, spf_helo: fail) Here's an email from the same sender once the May 29th version was installed. This passed both DKIM_VALID_AU and DMARC_PASS Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: signatures provided by the caller, 2 signatures Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: VALID DKIM, i=no-re...@agoda.com, d=agoda.com, s=keyx, a=rsa-sha1, c=relaxed/relaxed, key_bits=2048, pass,matches author domain Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: VALID DK, i=no-re...@agoda.com, d=agoda.com, s=keyx, a=rsa-sha1, c=nofws, key_bits=2048, pass, matches author domain Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: signature verification result: PASS Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: adsp not retrieved, author domain signature is valid Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: adsp result: - (valid a. d. signature), author domain 'agoda.com' Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: VALID signature by agoda.com, author no-re...@agoda.com, no valid matches Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: VALID signature by agoda.com, author no-re...@agoda.com, no valid matches Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: dkim: author no-re...@agoda.com, not in any dkim welcomelist Jun 26 12:50:42 xavier amavis[759439]: (759439-03) SA dbg: DMARC: result: pass, disposition: none, dkim: fail, spf: pass (spf: pass, spf_helo: fail) I see the version of DMARC.pm is completely different from May 29th to today. Should I try using the DMARC.pm from this month with the SA from last month?