IETF Logo Mail Archive

[ietf-dkim] DKIM auth verification FAILs in headers, but PASSes in logs; where the best place to get answers about fixing this?

jasonsu@mail-central.com Wed, 06 July 2016 15:21 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CCF612D1A2 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Wed, 6 Jul 2016 08:21:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.797
X-Spam-Level:
X-Spam-Status: No, score=-0.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RDNS_NONE=0.793, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=mail-central.com header.b=u+FWp8ST; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=messagingengine.com header.b=Tf7MJUra
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PgosC1_iPOJy for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Wed, 6 Jul 2016 08:21:15 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C00C12D5F4 for <ietf-dkim-archive@ietf.org>; Wed, 6 Jul 2016 08:20:45 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u66FJmZb016246; Wed, 6 Jul 2016 08:19:50 -0700
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u66FJi0t016242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Wed, 6 Jul 2016 08:19:46 -0700
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 991CE2031B for <ietf-dkim@mipassoc.org>; Wed, 6 Jul 2016 11:19:13 -0400 (EDT)
Received: from web4 ([10.202.2.214]) by compute3.internal (MEProxy); Wed, 06 Jul 2016 11:19:13 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=mail-central.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=lfK QT/uUmeuy3khOvcdhdUXhxGA=; b=u+FWp8STOYoHR7sq/bcf9F+R3BUvceTRD45 ZO0cEZR6/PUormf50Ayay9Q/Ju03MX0/Si36oupQs/DVsO5oTXE6N1VJ59MdNHcI jNsJJ3TJ9+W4ndVchXaAomqJXm9Si3VUoBeVydnLQTTtZZdazBNkV713/f4OmIAZ /l0agrNw=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=lfKQT/uUmeuy3khOvcdhdUXhxGA=; b=Tf7MJ UrarqoTUDv85hKuaX733lMvWqZkd8ZjIOPncqR/qaKZavnCp16In0r99RwcNA/1P xjH/i5nWZmECwAZ78I26Y2dKRU+ZMO1GZF5gxCwVzp0JlnEbfo1NByDdqBJuXvFM apIGszMjm2SM0AUnB6N6gEN6JukuZIALGunMUE=
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 66A15CC6C9; Wed, 6 Jul 2016 11:19:13 -0400 (EDT)
Message-Id: <1467818353.661935.658521441.2A8E3270@webmail.messagingengine.com>
X-Sasl-Enc: WY+noFXeu8Fb7qt6FgfqSFqx1jjquCdRHyDKdFrnmzFb 1467818353
From: jasonsu@mail-central.com
To: ietf-dkim@mipassoc.org
MIME-Version: 1.0
X-Mailer: MessagingEngine.com Webmail Interface - ajax-22cd3445
Date: Wed, 06 Jul 2016 08:19:13 -0700
Subject: [ietf-dkim] DKIM auth verification FAILs in headers, but PASSes in logs; where the best place to get answers about fixing this?
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

I've deployed DKIM, using Opendkim, in an SPF+DKIM+DMARC setup.

Works verifiably well outbound, and inbound in most cases.

Except for from some (big & legitimate) mailing lists.  Mail from them is getting flagged as 

  dkim=fail reason="signature verification failed"

but inconsistently.  Trying to debug, dkim logs say PASS, but headers says FAIL.

 message headers say dkim = fail, stats say = PASSED. why the conflict, and how to fix?
  http://serverfault.com/questions/788017/message-headers-say-dkim-fail-stats-say-passed-why-the-conflict-and-how-t

I'm aware of

 DomainKeys Identified Mail (DKIM) and Mailing Lists
  https://tools.ietf.org/html/rfc6377

having been pointed there several times "for answers".  Let's just say it hasn't done the trick for us here.

I've asked about this on serverfault, on the opendkim mailing list, in irc, and via direct mail to the authors.    I have yet to get any answer as to why this problem's occurring, and how best to configure DKIM (if it's a config issue to begin with) so as to avoid the problem.

I'm in 'here' because I'm running out of places to ask.

I'd appreciate any pointers on how to fix this, or better yet, where to have an actual fruitful discussion.

Thanks,

Jason
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

v2.36.0 | Report a Bug | By Email | System Status