Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?

"Doug Foster" <> Wed, 15 May 2019 14:10 UTC

Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1025; h=message-id:subject:to:from; bh=VHik2L4R7ghc3urkqQfCO4zXWa4W0lYu05t7jzQT+4U=; b=PpkMm1k5WZCA4exIzErJzgIUCQ1Zhud6wBfTAdomDokN1687TdEq+Z5xK48IpNZyD jJsPTAsbWST5AaPSAXlKvyBKnxG3oTYeE7AzL6tEFD1WtgmykQeYGhSSfC/Nbu4ul dB4jWXdS77qbsPRGbWBlmGzpjeMZ3kx2tI24ONTc4=
From: "Doug Foster" <>
To: "'Dave Crocker'" <>, "'IETF DMARC WG'" <>
References: <>
In-Reply-To: <>
Date: Wed, 15 May 2019 10:09:49 -0400
Message-ID: <000401d50b27$dbb5c310$93214930$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?

I have recently begun evaluating my incoming traffic for DKIM status, and I
suspect the results are relevant to your question.
These results are based on 768 unique domains, on signed messages, received
over a few adjacent days.  Messages that were blocked for any reason are
excluded from the analysis.  (I am not blocking based on DKIM status).

 22  2.9%  have DKIM signatures but fail verification 100%
 15  2.0%  have some DKIM verification failures

  7  0.9%  have 100% rejection due to DNS record syntax errors
  1  0.1%  have some rejections due to DNS record syntax errors

 10  1.3%  have 100% DKIM TXT lookup failures
  1  0.1%  have some DKIM TXT lookup failures
---  ----
 57  7.3%  have DKIM problems

This failure rate is much higher than I would have expected.

When DKIM verification failures are detected, several possibilities must be
- an error exists in the signature generation algorithm at the source system
- modification or addition of a signed header during transit
- an error exists in the signature verification algorithm at the receiving

We receive very little indirect mail, so I believe that forwarding is not a
significant contributor to these problems.

For this type of debugging, it would be helpful if the receiving system
logged the message exactly as it was used for signature verification.  This
would permit independent verification using a tool such as the message
header checker at   For the devices that I manage, this is
not the case.   Some of the devices do not log the full message at all.  The
one that does full logging only logs the message as it is relayed outbound.

My research also exposed a probable data-related bug on one mail server,
which causes it to generate incorrect signatures on a small percentage of
our outbound traffic.   I will be working with the vendor on that.

Doug Foster


-----Original Message-----
From: dmarc [] On Behalf Of Dave Crocker
Sent: Wednesday, April 10, 2019 3:37 PM
Subject: [dmarc-ietf] DNS library queries for DKIM and DMARC records?



I'm trying to get a bit of education about reality.  Always dangerous, but
I've no choice...

For the software you know about, how are queries to the DNS performed, 
to obtain the TXT records associated with DKIM and/or DMARC?

I'm trying to understand the breadth and limitations of returned 
information that is filtered or passed by the code that is actually in 
use.  Which libraries and which calls from those libraries.



Dave Crocker
Brandenburg InternetWorking

dmarc mailing list
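As an added example (not Doug Foster's code, nor the code of any device or vendor mentioned in the thread), the Python below walks one signed message through the three buckets tallied above: DKIM TXT lookup failure, DNS record syntax error, and a signature that cannot verify because the body hash no longer matches. It also returns the exact relaxed-canonicalized header input over which b= is computed (RFC 6376 section 3.7), which is the artefact the post says a receiver should log so that a signature can be re-checked independently. The resolver, the zone contents, the addresses, the key placeholder and the message are all constructed; the final RSA check is not performed, and only c=relaxed/relaxed is handled. A real verifier would do the TXT query with a DNS library such as dnspython and then verify b= against the p= key.

```python
import base64
import hashlib
import re

# Constructed stand-in for DNS. Long TXT records arrive as several <=255-octet
# strings that must be concatenated before parsing (RFC 6376 s3.6.2.2).
# The p= value is a placeholder, not a real key.
ZONE = {
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=", "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa"],
    "bad._domainkey.example.com": ['"v=DKIM1; k=rsa; p=MIGfMA0G"'],  # quotes pasted into the zone
}

def resolver(qname):
    try:
        return ZONE[qname]
    except KeyError:
        raise LookupError("NXDOMAIN " + qname)

def parse_tag_list(value):
    """Tag=value list per RFC 6376 s3.2; raises ValueError on a syntax error."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, eq, val = part.partition("=")
        name = name.strip()
        if not eq or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError("malformed tag %r" % part.strip())
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = "".join(val.split())  # FWS inside a value is not significant
    return tags

def fetch_dkim_record(resolver, selector, domain):
    """Return ('ok', tags) or one of the DNS-side failure buckets from the post."""
    try:
        strings = resolver(f"{selector}._domainkey.{domain}")
    except LookupError as e:
        return "lookup_failure", str(e)
    try:
        tags = parse_tag_list("".join(strings))
        if tags.get("v", "DKIM1") != "DKIM1":
            raise ValueError("v= must be DKIM1")
        if tags.get("k", "rsa") not in ("rsa", "ed25519"):
            raise ValueError("unknown key type " + tags["k"])
        if "p" not in tags:
            raise ValueError("missing p= tag")
        base64.b64decode(tags["p"], validate=True)  # binascii.Error is a ValueError
    except ValueError as e:
        return "syntax_error", str(e)
    if tags["p"] == "":
        return "revoked", "empty p= means the key is revoked"
    return "ok", tags

def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP, strip."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"

def relaxed_body(body):
    """RFC 6376 s3.4.4: collapse WSP, strip line ends, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def split_message(raw):
    """Minimal RFC 5322 split into [(name, value), ...] and body; folds are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return [tuple(h) for h in headers], body

def signed_header_input(headers, sig_value):
    """The exact octets hashed for b= (RFC 6376 s3.7): what a verifier should log."""
    tags = parse_tag_list(sig_value)
    remaining, out = list(headers), []
    for name in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):  # last unused instance first
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    bare = re.sub(r"(^|;)(\s*b=)[^;]*", r"\1\2", sig_value)  # b= value removed
    return "".join(out) + relaxed_header("DKIM-Signature", bare)[:-2]

def body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def check_message(raw, resolver):
    """Classify a signed message; returns (status, detail, header_input)."""
    headers, body = split_message(raw)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return "unsigned", "", ""
    try:
        tags = parse_tag_list(sig)
        for t in ("d", "s", "h", "bh", "b"):
            if t not in tags:
                raise ValueError("DKIM-Signature lacks " + t + "=")
        if tags.get("c", "simple/simple") != "relaxed/relaxed":
            raise ValueError("only c=relaxed/relaxed handled here")
    except ValueError as e:
        return "syntax_error", str(e), ""
    status, detail = fetch_dkim_record(resolver, tags["s"], tags["d"])
    if status != "ok":
        return status, detail, ""
    header_input = signed_header_input(headers, sig)
    if body_hash(body) != tags["bh"]:
        return "body_hash_mismatch", "body changed in transit or signer bug", header_input
    return "ready_for_signature_check", "RSA check over header_input not shown", header_input

def build_sample(body, selector="s1", domain="example.com"):
    """Constructed signer side: real bh=, placeholder b= (no private key here)."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
            f"\th=from:to:subject; bh={body_hash(body)};\r\n"
            "\tb=cGxhY2Vob2xkZXI=\r\n"
            "From: Doug <doug@example.com>\r\n"
            "To:  list@example.org\r\n"
            "Subject: Re:   DKIM stats\r\n\r\n" + body)

BODY = "Hello list,\r\n\r\nstats attached.\r\n"  # constructed sample body
```

Running `check_message(build_sample(BODY), resolver)` returns `ready_for_signature_check`; changing a word in the body after signing yields `body_hash_mismatch`, while adding only extra spaces leaves the relaxed body hash unchanged, which is the kind of transit modification relaxed canonicalization is meant to tolerate. The `bad` selector exercises the syntax-error bucket (a record published with its quotation marks), and an unknown selector the lookup-failure bucket. The third element of the result is the canonicalized header block; logging it alongside the verifier's verdict is what allows the message to be re-verified with an external tool.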