[Users] DKIM Signature issues [Was: List server: bad DKIM?]

lists at lazygranch.com lists at lazygranch.com
Sun Feb 18 03:08:32 CET 2018


On Sat, 17 Feb 2018 20:19:42 -0500
Pierre Fortin <pf at pfortin.com> wrote:

> On Sun, 18 Feb 2018 02:30:00 +0200 Removed GDPR wrote:
> 
> >My DKIM is set correctly. I don't know why it should be treated
> >as "bad". Everyone has been receiving my emails correctly for
> >years.  
> 
> I don't either; but here's what's in the message you just sent...
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=invalid.tld;
> s=google;
> h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
> bh=g83YXMYYNsl1eJK4+bXsGC8brqDhgiF7NKjYOBtU7bc=;
> b=jMs72D5jD6xLID/x8OE5JbltsRXx6EZrUqv1kO8JKH+qpLy3N84LShzth4cL/p2F2R
> ELvwj0fqRZacLUETBfdx7uu/QbhBG1c5IU9k3pOqOtUWNzsfrf9DyX194zeOW0G9npNG
> lPo2v6YUsU/Pvvfz86136Rz2t7wEy4QR1irJ0GAGtseKY6+EyVclzXApu/hZwaTD02vb
> vdOFlP246R848Sr897C03mFFbdeKrT0oXH1pummTivQJte0dj6nZX7jVXWRd2fAkvtg2
> YA/ov1YcNAUK4NTm5M/L7RrgAFhvUA2TCyDuraU6ytMXJ+KY3I04UXYvi/7cTpfvAyrP
> 3Eyw== 
> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>  d=1e100.net; s=20161025;
>  h=x-gm-message-state:mime-version:in-reply-to:references:from:date
>  :message-id:subject:to;
>  bh=g83YXMYYNsl1eJK4+bXsGC8brqDhgiF7NKjYOBtU7bc=;
>  b=Pkl1U4Waz8+WLwoknio6BLrUW0jvxm7nRbUFbzKrpEAyycvWk3vKmtLUG72Gw7Qk3H
>  gDReM5g/CL5XUeNokhs7SMv/zf7+6N31f9bKK6Nizfao0gdkhN783Qvig6NepQWDrY9n
>  EyRbJSq3HEK2MPxk5m6iBV3ApLnGWLJ/QHNB/u+1hCXpZQ4kBUB7v6t2amiUye/z18jM
>  mzl87EQip8N2wFSbQKk3EOZyiJP8tmqVpVbsM5tb0sLxAH6P6yG/OBCWZ3DFOcM+sZt8
>  9UNMxv9Ldnkgkpce5/fNNU3cK1OnNFbR3jtKk7cdFn1ifVjlaZ7png8daj1wSqdF1m9M
>  XMUA==
> 
> I presume the first is what you set.  Is the 2nd from Google something
> you'd expect; or are they butting in?
> 
> I'm learning DKIM on the fly, so any input appreciated...
> 
> Pierre

Looks like the OP did a relay. That usually is problematic for SPF. I'm
not sure about DKIM. Google has a setup for relay on their business
email. I just whitelist the one person I know who insists on using a
relay. 

As far as Google is concerned, DKIM is good enough for ID. The private
key has to be on the server originating the email. There is some nuance
where having SPF as well makes it more secure. If you run your own
server, it is easy enough to meet both criteria.

I'm running the opendmarc milter, but not rejecting anyone. Eventually
I may. I noticed most mailing lists fail SPF but pass DKIM, and
opendmarc is satisfied.

Here is the postfix log (sanitized). You can see the Claws SPF passes.
Good enough for me. DKIM passing would verify the content was not
altered, but for a mailing list, who cares.
-------------
Feb 18 01:21:01 centos-1gb-sfo1-01 postfix/smtpd[3630]: connect from srv.colino.net[212.83.157.151]
Feb 18 01:21:01 centos-1gb-sfo1-01 postfix/smtpd[3630]: Anonymous TLS connection established from srv.colino.net[212.83.157.151]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 18 01:21:03 centos-1gb-sfo1-01 policyd-spf[3638]: spfcheck: pyspf result: "['None', '', 'helo']"
Feb 18 01:21:03 centos-1gb-sfo1-01 policyd-spf[3638]: None; identity=helo; client-ip=212.83.157.151; helo=mx.colino.net; envelope-from=users-bounces at lists.claws-mail.org; receiver=lists at example.com
Feb 18 01:21:03 centos-1gb-sfo1-01 policyd-spf[3638]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
Feb 18 01:21:03 centos-1gb-sfo1-01 policyd-spf[3638]: Pass; identity=mailfrom; client-ip=212.83.157.151; helo=mx.colino.net; envelope-from=users-bounces at lists.claws-mail.org; receiver=lists at example.com
Feb 18 01:21:05 centos-1gb-sfo1-01 postfix/smtpd[3630]: 3007069BE9: client=srv.colino.net[212.83.157.151]
Feb 18 01:21:05 centos-1gb-sfo1-01 postfix/cleanup[3639]: 3007069BE9: message-id=<20180217201942.2ec50a63 at pfortin.com>
Feb 18 01:21:05 centos-1gb-sfo1-01 opendkim[1143]: 3007069BE9: srv.colino.net [212.83.157.151] not internal
Feb 18 01:21:05 centos-1gb-sfo1-01 opendkim[1143]: 3007069BE9: not authenticated
Feb 18 01:21:05 centos-1gb-sfo1-01 opendkim[1143]: 3007069BE9: bad signature data
Feb 18 01:21:05 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9 ignoring Authentication-Results at 2 from www.example.com
Feb 18 01:21:05 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9 ignoring Authentication-Results at 4 from mx.colino.net
Feb 18 01:21:05 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9: SPF(mailfrom): users-bounces at lists.claws-mail.org pass
Feb 18 01:21:06 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9: pfortin.com none
Feb 18 01:21:06 centos-1gb-sfo1-01 postfix/qmgr[1276]: 3007069BE9: from=<users-bounces at lists.claws-mail.org>, size=6245, nrcpt=1 (queue active)
Feb 18 01:21:06 centos-1gb-sfo1-01 postfix/virtual[3640]: 3007069BE9: to=<lists at example.com>, relay=virtual, delay=4.1, delays=4.1/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
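
The log above, correlated per queue ID. This is an added example, not part of the original message: it groups the opendkim, opendmarc and Postfix lines for each message and flags mail that was delivered although opendkim logged "bad signature data". The regexes and function names are assumptions based only on the line formats visible in this post.

```python
import re

# Log lines copied from the post above (already sanitized by the poster).
LOG = """\
Feb 18 01:21:05 centos-1gb-sfo1-01 opendkim[1143]: 3007069BE9: not authenticated
Feb 18 01:21:05 centos-1gb-sfo1-01 opendkim[1143]: 3007069BE9: bad signature data
Feb 18 01:21:05 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9 ignoring Authentication-Results at 4 from mx.colino.net
Feb 18 01:21:05 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9: SPF(mailfrom): users-bounces at lists.claws-mail.org pass
Feb 18 01:21:06 centos-1gb-sfo1-01 opendmarc[1140]: 3007069BE9: pfortin.com none
Feb 18 01:21:06 centos-1gb-sfo1-01 postfix/virtual[3640]: 3007069BE9: to=<lists at example.com>, relay=virtual, delay=4.1, delays=4.1/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
"""

# syslog prefix, program[pid], then a Postfix queue ID. The colon after the
# ID is optional because opendmarc's "ignoring ..." lines omit it.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>[\w/-]+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]{6,}):? (?P<msg>.*)$")
SPF = re.compile(r"^SPF\((?P<identity>\w+)\): (?P<sender>.+) (?P<result>\w+)$")
DMARC = re.compile(r"^(?P<domain>\S+) (?P<result>none|pass|fail)$")


def summarize(log_text):
    """Group milter and Postfix lines by queue ID, one record per message."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a queue ID (e.g. policyd-spf) are skipped
        rec = msgs.setdefault(m["qid"], {"dkim": [], "spf": None,
                                         "dmarc": None, "status": None})
        prog, msg = m["prog"], m["msg"]
        if prog == "opendkim":
            rec["dkim"].append(msg)
        elif prog == "opendmarc":
            if (s := SPF.match(msg)):
                rec["spf"] = (s["identity"], s["result"])
            elif (d := DMARC.match(msg)):
                rec["dmarc"] = (d["domain"], d["result"])
        elif prog.startswith("postfix/") and (st := re.search(r"status=(\w+)", msg)):
            rec["status"] = st[1]
    return msgs


def delivered_with_bad_dkim(msgs):
    """Queue IDs delivered although opendkim logged a bad signature."""
    return [q for q, r in msgs.items()
            if "bad signature data" in r["dkim"] and r["status"] == "sent"]

if __name__ == "__main__":
    print(delivered_with_bad_dkim(summarize(LOG)))
```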






