Discussion:
[dmarc-discuss] to: googlers: clarify X-Original-Authentication-Results
Andreas Schulze
2013-09-09 12:58:19 UTC
Hello,

the question is directed to Googlers (I know some of them are on this list).
We may continue offlist ...

I sent messages for dnswl.org from a legit server. The messages are dkim signed
and normally pass dkim validation.

When sending to a googlegroup, Google adds the mentioned header.
I get sometimes these:

X-Original-Authentication-Results: gmr-mx.google.com;
spf=neutral (irrelevant foo) smtp.mail=***@dnswl.org;
dkim=neutral (bad format) header.i=@dnswl.org

My question: why does dkim not pass? What does "bad format" mean? Are
there further diagnostic information available?
I try to understand what's going wrong here...


Thanks.
Andreas
Olga Gavrylyako
2013-09-09 16:11:40 UTC
Hi Andreas,
"Bad format" means that you are not following DKIM RFC spec.
If you share full message headers with me, I could take a look. But
generally I do not see any messages from dnswl.org, which pass DKIM
validation.
Olga
Post by Andreas Schulze
Hello,
the question is directed to Googlers (I know some of them are on this list).
We may continue offlist ...
I sent messages for dnswl.org from a legit server. The messages are dkim signed
and normally pass dkim validation.
When sending to a googlegroup, Google adds the mentioned header.
X-Original-Authentication-Results: gmr-mx.google.com;
My question: why does dkim not pass? What does "bad format" mean? Are
there further diagnostic information available?
I try to understand what's going wrong here...
Thanks.
Andreas
_______________________________________________
dmarc-discuss mailing list
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well
terms (http://www.dmarc.org/note_well.html)
Andreas Schulze
2013-09-09 19:42:04 UTC
Post by Olga Gavrylyako
"Bad format" means that you are not following DKIM RFC spec.
ups, just sign using opendkim ...
and validation with opendkim gives "pass"

Sep 9 21:32:21 main opendkim[10758]: 36F376F4484: DKIM-Signature field added (s=default, d=dnswl.org)
Sep 9 21:36:21 main postfix/smtp[7360]: 36F376F4484: to=<sca at andreasschulze.de>, relay=mx.andreasschulze.de[2001:a60:f0b4:e500::f43e:4ea2]:25, delay=240, delays=235/0/0.86/3.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3cYfkT4nNmz259N)

Sep 9 21:36:17 taro postfix/smtpd[13738]: 3cYfkT4nNmz259N: client=main.dnswl.org[2a01:4f8:131:3e1::4]
Sep 9 21:36:18 taro opendkim[11617]: 3cYfkT4nNmz259N: DKIM verification successful
Sep 9 21:36:18 taro opendkim[11617]: 3cYfkT4nNmz259N: s=default d=dnswl.org SSL
Sep 9 21:36:18 taro opendmarc[27472]: 3cYfkT4nNmz259N: dnswl.org pass

Authentication-Results: taro; dmarc=pass
header.from=dnswl.org
Authentication-Results: taro;
dkim=pass (2048-bit key; unprotected) header.d=dnswl.org
header.i=@dnswl.org header.b=rs60/suT;
dkim-adsp=pass; dkim-atps=neutral
Post by Olga Gavrylyako
If you share full message headers with me, I could take a look. But
generally I do not see any messages from dnswl.org, which pass DKIM
validation.
I send you further messages offlist.
Post by Olga Gavrylyako
Olga
Andreas
Olga Gavrylyako
2013-09-09 20:27:25 UTC
Unfortunately in Gmail we are using different software from opendkim. In
some cases we have more strict requirements. Unless you provide me an
example, I cannot say why it did not pass our validation.
Post by Andreas Schulze
Post by Olga Gavrylyako
"Bad format" means that you are not following DKIM RFC spec.
ups, just sign using opendkim ...
and validation with opendkim gives "pass"
Sep 9 21:32:21 main opendkim[10758]: 36F376F4484: DKIM-Signature field
added (s=default, d=dnswl.org)
Sep 9 21:36:21 main postfix/smtp[7360]: 36F376F4484: to=<sca at
andreasschulze.de>, relay=mx.andreasschulze.de[2001:a60:f0b4:e500::f43e:4ea2]:25,
queued as 3cYfkT4nNmz259N)
Sep 9 21:36:17 taro postfix/smtpd[13738]: 3cYfkT4nNmz259N: client=
main.dnswl.org[2a01:4f8:131:3e1::4]
Sep 9 21:36:18 taro opendkim[11617]: 3cYfkT4nNmz259N: DKIM verification successful
Sep 9 21:36:18 taro opendkim[11617]: 3cYfkT4nNmz259N: s=default d=
dnswl.org SSL
Sep 9 21:36:18 taro opendmarc[27472]: 3cYfkT4nNmz259N: dnswl.org pass
Authentication-Results: taro; dmarc=pass
header.from=dnswl.org
Authentication-Results: taro;
dkim=pass (2048-bit key; unprotected) header.d=dnswl.org
dkim-adsp=pass; dkim-atps=neutral
Post by Olga Gavrylyako
If you share full message headers with me, I could take a look. But
generally I do not see any messages from dnswl.org, which pass DKIM
validation.
I send you further messages offlist.
Post by Olga Gavrylyako
Olga
Andreas
Andreas Schulze
2013-09-09 20:48:33 UTC
Unless you provide me an example, I cannot say why it did not pass
our validation.
you should have received a message from me via dnswl.org ...

Andreas
Douglas Otis
2013-09-09 21:08:48 UTC
Post by Andreas Schulze
Unless you provide me an example, I cannot say why it did not pass
our validation.
you should have received a message from me via dnswl.org ...
Dear Andreas,

DKIM can produce a pass with a message having an invalid message structure. Unfortunately, there are no email conventions to indicate whether message structure had been checked. Message structure details are now contained in many RFCs and not just RFC5322, and RFC5321 recommends against SMTP checking message structure as this handling is less problematic when not implemented within the transport. As such, no safe conclusions can be reached based upon a passing DKIM signature. Google is rather unique in how they handle messages that have repeated singleton header fields. IMHO, such checks should have been part of what makes a valid DKIM signature.

Regards,
Douglas Otis
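
An added example, not part of the original post: a structural check a receiver can run next to DKIM verification, listing singleton header fields that occur more than once and how many of those instances fall outside the signature's h= list. The sample message, its addresses and the PLACEHOLDER signature values are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from email import message_from_string

# Fields RFC 5322 section 3.6 allows at most once per message.
SINGLETONS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
              "message-id", "in-reply-to", "references", "subject"}

def signed_counts(msg):
    """How many instances of each field the first DKIM-Signature h= tag covers."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
    names = re.sub(r"\s+", "", m.group(1)).lower().split(":") if m else []
    return Counter(n for n in names if n)

def repeated_singletons(raw):
    """Return (field, instances present, instances outside the signature)."""
    msg = message_from_string(raw)
    present = Counter(name.lower() for name in msg.keys())
    signed = signed_counts(msg)
    findings = []
    for name in sorted(SINGLETONS):
        if present[name] > 1:
            # h= entries are matched to instances from the bottom of the
            # header block upward, so the surplus is the topmost instances.
            findings.append((name, present[name],
                             max(0, present[name] - signed[name])))
    return findings

# Constructed sample: signature values and addresses are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=default;\n"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: someone@example.net\n"
    "From: list@example.org\n"
    "To: user@example.com\n"
    "Subject: first\n"
    "Subject: second\n"
    "Date: Mon, 09 Sep 2013 12:58:19 +0000\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for field, seen, unsigned in repeated_singletons(SAMPLE):
        print(f"{field}: {seen} instances, {unsigned} not covered by h=")
```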
Franck Martin
2013-09-09 22:41:37 UTC
Post by Andreas Schulze
Unless you provide me an example, I cannot say why it did not pass
our validation.
you should have received a message from me via dnswl.org ...
Andreas,

Make sure you specify which cyphers/hash are used in the DKIM DNS record. Some are by default, but sometimes, matching the right cypher/hash can be problematic, so better you say which ones you use.
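
An added example, not part of the original post: a check of a DKIM key TXT record for the explicit k= (key type) and h= (acceptable hashes) tags against the signature's a= algorithm, following the tag defaults in RFC 6376 section 3.6.1. The records and the key value are constructed placeholders and the function names are hypothetical; the thread does not establish that a missing tag caused the "bad format" result.

```python
def parse_tags(record):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_key_record(txt, sig_algorithm="rsa-sha256"):
    """Compare a key record with the a= algorithm used by the signer."""
    tags = parse_tags(txt)
    key_type, hash_name = sig_algorithm.split("-", 1)
    notes = []
    # v= is optional, but when present it must come first and be DKIM1.
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        notes.append("v= must be the first tag and equal DKIM1")
    if "k" not in tags:
        notes.append("k= absent: verifier falls back to rsa")
    elif tags["k"] != key_type:
        notes.append(f"k={tags['k']} does not match {sig_algorithm}")
    if "h" not in tags:
        notes.append("h= absent: verifier falls back to accepting every hash")
    elif hash_name not in tags["h"].split(":"):
        notes.append(f"h={tags['h']} does not allow {hash_name}")
    if not tags.get("p"):
        notes.append("p= empty or missing: key revoked or record malformed")
    return notes

# Constructed records; the p= value is a placeholder, not a real key.
IMPLICIT = "v=DKIM1; p=CONSTRUCTEDPUBLICKEY"
EXPLICIT = "v=DKIM1; k=rsa; h=sha256; p=CONSTRUCTEDPUBLICKEY"
SHA1_ONLY = "v=DKIM1; k=rsa; h=sha1; p=CONSTRUCTEDPUBLICKEY"

if __name__ == "__main__":
    for label, rec in (("implicit", IMPLICIT), ("explicit", EXPLICIT),
                       ("sha1 only", SHA1_ONLY)):
        print(label, check_key_record(rec) or "ok")
```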
Andreas Schulze
2013-09-10 19:11:41 UTC
Post by Franck Martin
Make sure you specify which cyphers/hash are used
Ah, good point!

don't know if it's the reason but it *is* a difference between the domain in question and my domain.
I changed the record and will wait a day ...

Olga, did you find my test mails? Probably they are in the spam folder :-(

Andreas
--
Still running mailman in legacy mode?
Time to change. We're in the 21st century!
http://sys4.de/de/blog/2013/08/11/dkim-konforme-mailinglisten/
Benny Pedersen
2013-09-10 19:38:25 UTC
Post by Olga Gavrylyako
Unfortunately in Gmail we are using different software from opendkim.
In some cases we have more strict requirements. Unless you provide me
an example, I cannot say why it did not pass our validation.
so much for using opensources, try at least give something back
Franck Martin
2013-09-10 21:30:19 UTC
Post by Benny Pedersen
Post by Olga Gavrylyako
Unfortunately in Gmail we are using different software from opendkim.
In some cases we have more strict requirements. Unless you provide me
an example, I cannot say why it did not pass our validation.
so much for using opensources, try at least give something back
This is an unfair comment. opendkim and dkim in general are hard to troubleshoot.