DKIM signature verification | MDaemon Technologies, Ltd.

DKIM signature verification


  • Hello,

    Lately I have been receiving more and more SPAM with false DKIM signatures. Unfortunately, I can't find an option in SG to reject mails with incorrect DKIM signatures.

    I would be grateful for any helpful hints.

    Regards
    Oliver

    The following errors are in the recording:
    Sat 2025-03-15 01:37:29: -- Execute from: DKIM --
    Sat 2025-03-15 01:37:29: DKIM check is being performed
    Sat 2025-03-15 01:37:29: * DKIM-Signature 1: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sailthru; d=refinery29. com; :Subject:MIME-Version:Content-Type: List-Unsubscribe-Post: List-Unsubscribe; i=thisweek@refinery29.com; yDJKfn9cKw8bKYU0Wb6WI=; zczgihVXwwlTl2H5nHjhXZriCVH4Lz2IOYVDFjK4c4OwroY2oGPqD 4TOdIp86pXBFn5jOKM4eQO4dXAmX/eIUYDdecEub+QzPOr/ZyeO7XG09qvU02MRwdyAN+PF7kyTV duuGTD3m3hR0qMvvdGo=; <some tags are not logged>
    Sat 2025-03-15 01:37:29: * Result of the check: [-15] DKIM_BODY_HASH_MISMATCH
    Sat 2025-03-15 01:37:29: * DKIM-Signature 2: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mt; d=pmta.sailthru. com; :Subject:MIME-Version:Content-Type: List-Unsubscribe-Post: List-Unsubscribe; yDJKfn9cKw8bKYU0Wb6WI=; MCMp54CBiJMmJyUqbi6s/gRwHA4CiT5fUl23Faq9e00/5DDKNw7NI Wy6gvj8SvodpvEa9Ligdw6/rK/j345dCigV3qlXRNhg4jJRyfH92fmNFvIJCWNaC/EfdjRG4QDod 8HFJvXzCzA9XHI90ooA=; <some tags are not logged>
    Sat 2025-03-15 01:37:29: * Result of the check: [-15] DKIM_BODY_HASH_MISMATCH
    Sat 2025-03-15 01:37:29: * Result: neutral
    Sat 2025-03-15 01:37:29: Message does not contain a valid DKIM signature
    Sat 2025-03-15 01:37:29: -- End: DKIM (0.072124 seconds) --

    Sat 2025-03-15 01:37:30: * DKIM: domain “refinery29.com” (from d= of signature #1) failed verification
    Sat 2025-03-15 01:37:30: * DKIM: domain “pmta.sailthru.com” (from d= of signature #2) failed verification



  • DMARC is the easiest and best way to take action on messages that fail DKIM. (Security | Anti-Spoofing | DMARC Verification) It requires the sender to publish a DMARC policy, and in addition to the DKIM signature, SPF results and the organizational domain of the From header are taken into consideration.

    For more information on DMARC, please see https://dmarc.org/


  • However, the problem is if the owner of the domain has not configured DMARC.
    In this case, the message is allowed through in SG despite the incorrect DKIM signature, as the DMARC check fails because it is not present.

    Tue 2025-03-18 19:36:31: DKIM check is performed
    Tue 2025-03-18 19:36:31: * DKIM-Signature 1: v=1; a=rsa-sha256; c=relaxed; d=dd28e81280.nxcli. io; essage-id:mime-version: content-type; s= default; xysOBfsWRhQ6vXvOL2G24=; 3FXtERP2JTy8bPzJVYJHEKK1IBC+AkETXAySRi/eYr++Tg EURlbo0cO7DhvbZ3JyxejweGczJu6fVXzjH6MfzjweqPJCFm6fTuil1UUaH9Cbb8 sV9CUXrcSQurkCeByPSgZtvlKsR3HaSFUy23Tf69pXlVENe+QdE/ILHu1Rt9Bqiv PE3NrwNar3qR9tJWxYYvHNnLScmbke/KHZgU25SpE3V0hH3eC0zH9hArH3KNLdwe BxtDWkOro2IGDJ/qsUfPZhKTsKqYco8NUvOtbfc/DAPVZg6cd+wIbVlflY58TVCS qatJ7YFvHn0DU0MkXg==; <some tags are not logged>
    Tue 2025-03-18 19:36:31: * Result of the check: [-11] DKIM_SELECTOR_DNS_PERM_FAILURE
    Tue 2025-03-18 19:36:31: * Result: neutral
    Tue 2025-03-18 19:36:31: Message does not contain a valid DKIM signature
    Tue 2025-03-18 19:36:31: -- End: DKIM (0.018829 seconds) --
    Tue 2025-03-18 19:36:31: -- Execute from: DMARC --
    Tue 2025-03-18 19:36:31: DMARC processing is in progress
    Tue 2025-03-18 19:36:31: * MessageID: <3Uy6TMezRolTmM2wBodR0TMFKykOOMqUOQlSGJSMZo@intakeauthority.com>
    Tue 2025-03-18 19:36:31: * Author domain: intakeauthority.com
    Tue 2025-03-18 19:36:31: * Organizational domain: intakeauthority.com
    Tue 2025-03-18 19:36:31: DMARC query is in progress
    Tue 2025-03-18 19:36:31: * Query domain: _dmarc.intakeauthority.com
    Tue 2025-03-18 19:36:31: * No DMARC policy record found
    Tue 2025-03-18 19:36:31: * DMARC result none (take no action)
    Tue 2025-03-18 19:36:31: -- End: DMARC (0.022878 seconds) --


  • And yet another phishing mail that has passed all the checks but has a faulty DKIM signature. However, this is not taken into account because the domain owner has not filed a DMARC. I don't understand SecurityGateway's logic here.


  • My apologies for the delay. 

    The RFC for DKIM does not deal with handling messages that have a bad signature; that is left to DMARC. Unfortunately, I have not found a way to have SG take punitive action solely based on the result of the DKIM signature. I'll add a wishlist item that will be considered for future versions.

    If you'd like to share more information about the messages, we can see if we can find another way to detect them. A copy of the EML file along with the entire log transcript would be needed.

  • Adding it to the wish list would be great. Thank you!
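Added example, not part of the original thread and not MDaemon code: a Python sketch that scans a log transcript in the format quoted above and lists the messages the thread is about, those logged with no valid DKIM signature whose author domain has no DMARC policy record. It assumes the log wording shown in the excerpts here and that each message's DKIM block precedes its DMARC block; the function names and sample domains are made up for illustration.

```python
import re

# Constructed sample in the format of the excerpts quoted in this thread (placeholder
# domains). Message 2 omits the "no policy" line, standing in for a domain with DMARC.
SAMPLE_LOG = """\
Tue 2025-03-18 19:36:31: DKIM check is performed
Tue 2025-03-18 19:36:31: * DKIM-Signature 1: v=1; a=rsa-sha256; c=relaxed; d=bulk.example. net; s=default; <some tags are not logged>
Tue 2025-03-18 19:36:31: * Result of the check: [-11] DKIM_SELECTOR_DNS_PERM_FAILURE
Tue 2025-03-18 19:36:31: Message does not contain a valid DKIM signature
Tue 2025-03-18 19:36:31: * Author domain: sender.example.org
Tue 2025-03-18 19:36:31: * No DMARC policy record found
Tue 2025-03-18 19:40:02: DKIM check is being performed
Tue 2025-03-18 19:40:02: * DKIM-Signature 1: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mt; d=news.example.com; <some tags are not logged>
Tue 2025-03-18 19:40:02: * Result of the check: [-15] DKIM_BODY_HASH_MISMATCH
Tue 2025-03-18 19:40:02: Message does not contain a valid DKIM signature
Tue 2025-03-18 19:40:02: * Author domain: news.example.com
"""

PREFIX = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: ")
START = re.compile(r"DKIM check is (being )?performed")
SIG_DOMAIN = re.compile(r"DKIM-Signature \d+:.*?\bd=([^;]+);")
CHECK = re.compile(r"Result of the check: \[-?\d+\] (\w+)")

def parse_messages(log_text):
    """Group log lines into one record per message, keyed on the DKIM start line."""
    messages = []
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if START.search(line):
            messages.append({"author": None, "signers": [], "reasons": [],
                             "dkim_invalid": False, "no_policy": False})
        elif not messages:
            continue  # lines before the first DKIM block
        elif m := SIG_DOMAIN.search(line):
            # The quoted logs show a stray space inside d= values; drop it.
            messages[-1]["signers"].append(m.group(1).replace(" ", ""))
        elif m := CHECK.search(line):
            messages[-1]["reasons"].append(m.group(1))
        elif "does not contain a valid DKIM signature" in line:
            messages[-1]["dkim_invalid"] = True
        elif line.startswith("* Author domain:"):
            messages[-1]["author"] = line.split(":", 1)[1].strip()
        elif "No DMARC policy record found" in line:
            messages[-1]["no_policy"] = True
    return messages

def unenforced_dkim_failures(log_text):
    """Messages with no valid DKIM signature whose author domain has no DMARC policy."""
    return [m for m in parse_messages(log_text) if m["dkim_invalid"] and m["no_policy"]]
```

The returned records carry the author domain, the signing domains and the DKIM failure codes, which is enough to decide whether a sender should be reviewed or handled by a separate content rule.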

