Hi
My quick solution:

    header DKIM_FAIL_AR Authentication-Results =~ /[\s\S]*?dkim=fail/i

doesn't work for me, because Amavis writes the Authentication-Results
after the SA process. So I checked another mail where dkim=fail with
reason="signature verification failed".

    Authentication-Results: mx1.txbweb.de;
        dkim=fail reason="signature verification failed" (2048-bit key;
        unprotected) header.d=smartfx-com.20230601.gappssmtp.com
        [email protected] header.a=rsa-sha256
        header.s=20230601 header.b=DKuSYDO7;
        dkim-atps=neutral

In the X-Spam-Status:

    DKIM_SIGNED=0.1, DKIM_VALID=-0.1

From the journal:

    Nov 12 05:44:25 mx1 opendkim[825]: E02AE402F6: no signing table match for '[email protected]'
    Nov 12 05:44:26 mx1 opendkim[825]: E02AE402F6: s=20230601 d=smartfx-com.20230601.gappssmtp.com a=rsa-sha256 SSL error:02000068:rsa routines::bad signature
    Nov 12 05:44:26 mx1 opendkim[825]: E02AE402F6: bad signature data

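My simple DKIM check script:

    #!/usr/bin/perl
    # Verify the DKIM signatures of a raw message read from STDIN.
    use strict;
    use warnings;
    use Mail::DKIM::Verifier;

    my $v = Mail::DKIM::Verifier->new();
    while (<STDIN>) {
        # Mail::DKIM expects SMTP (CRLF) line endings: strip the local
        # terminator and feed each line with CRLF, as in the module's synopsis.
        chomp;
        s/\015$//;
        $v->PRINT("$_\015\012");
    }
    $v->CLOSE;

    # Report domain, selector and result for each signature found.
    for my $sig ($v->signatures) {
        my $d  = $sig->domain   // '?';
        my $s  = $sig->selector // '?';
        my $r  = eval { $sig->result } // 'none';
        my $rd = eval { $sig->result_detail } // '';
        print "sig d=$d s=$s result=$r detail=$rd\n";
    }
    # Overall verdict across all signatures.
    print "overall: ", ($v->result||'none'), "\n";
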
Result:

    cat testmails/mail-dkim_invalid_paypal.eml | ./scripts/check_dkim.pl
    sig d=smartfx-com.20230601.gappssmtp.com s=20230601 result=fail detail=fail (message has been altered)
    overall: fail

(the mail content downloaded as-is to the file mail-dkim_invalid_paypal.eml)

Signature failure confirmed, but SA set DKIM_VALID=-0.1.
Do I need another DKIM check plugin? I could disable the SA check with
"score DKIM_VALID 0" and convert the simple script into a plugin.
But any idea why SA sets DKIM_VALID=-0.1?

On 2025-11-11 18:58, Thomas Barth via users wrote:
> Hi,
> the scoring of SpamAssassin is somehow wrong.
>
> From the header
>
>     Authentication-Results: ...;
>         dkim=fail reason="signature verification failed" (2048-bit key;
>         unprotected) header.d=pt838.cc ...
>
> But SpamAssassin gives a bonus:
>
>     DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>     DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001,
>
> From the journal
>
>     Nov 11 17:14:01 mx1 opendkim[897]: 0013F600D4: no signing table match for '[email protected]'
>     Nov 11 17:14:01 mx1 opendkim[897]: 0013F600D4: s=dkim d=pt838.cc a=rsa-sha256 SSL error:02000068:rsa routines::bad signature
>     Nov 11 17:14:01 mx1 opendkim[897]: 0013F600D4: bad signature data
>
> Quick solution:
>
>     header DKIM_FAIL_AR Authentication-Results =~ /\b[A-Za-z0-9]+\.example\.[A-Za-z]{2,3};\s*dkim=fail\b/i
>     describe DKIM_FAIL_AR DKIM failed according to our Authentication-Results
>     score DKIM_FAIL_AR 2.0
>
> Why the bonus and no DKIM_INVALID?
>
> Best regards
> Thomas B
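
Added example, not part of the messages above and not SpamAssassin, Amavis or OpenDKIM code: a Python script that audits a delivered message for the disagreement described in this thread, where X-Spam-Status lists DKIM_VALID while the local verifier's Authentication-Results header records only dkim=fail. It reports the mismatch and does not determine its cause. The function names, the authserv-id mx.example.net and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
\tdkim=fail reason="signature verification failed" (2048-bit key;
\tunprotected) header.d=sender.example.org header.s=sel1;
\tdkim-atps=neutral
X-Spam-Status: No, score=0.0 tagged_above=-999 required=5
\ttests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001]
From: someone@sender.example.org
Subject: constructed test

body
"""

def unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def ar_dkim_results(msg, authserv_id):
    """Return (result, header.d) for every dkim= entry stamped by authserv_id."""
    found = []
    for raw in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", unfold(raw))  # comments may contain ';'
        value = re.sub(r'"[^"]*"', '""', value)          # so may quoted reasons
        serv, _, rest = value.partition(";")
        if serv.split()[:1] != [authserv_id]:
            continue  # ignore results not written by our own verifier
        for chunk in rest.split(";"):
            m = re.match(r"\s*dkim=(\w+)", chunk)
            if m:
                d = re.search(r"header\.d=(\S+)", chunk)
                found.append((m.group(1).lower(), d.group(1) if d else None))
    return found

def sa_dkim_tests(msg):
    """Names of the DKIM_* tests listed in X-Spam-Status."""
    status = unfold(msg.get("X-Spam-Status", ""))
    return sorted(set(re.findall(r"\b(DKIM_[A-Z0-9_]+)", status)))

def audit(raw_message, authserv_id):
    msg = message_from_string(raw_message)
    ar, sa = ar_dkim_results(msg, authserv_id), sa_dkim_tests(msg)
    # Mismatch: SA credited a valid signature, the verifier saw only failures.
    mismatch = "DKIM_VALID" in sa and bool(ar) and all(r == "fail" for r, _ in ar)
    return {"ar_dkim": ar, "sa_tests": sa, "mismatch": mismatch}

if __name__ == "__main__":
    print(audit(SAMPLE, "mx.example.net"))
```

Results are only read from headers whose authserv-id matches the one passed in, so an Authentication-Results header supplied by the sender is not counted.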