DKIM Error
-
Arron, thank you very much. Content filtering addition of ("X-MDDKIMSelector") worked correctly. Items are now being signed correctly.
-
PEM INFORMATION
[EXTERNAL DOMAIN].COM._domainkey.[PRIVATE DOMAIN].local. IN TXT
"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzdBzxQ5I4WJXPcRXo9ppHI20kbIPQL4XJRzmDWNbqUgWJv8Sr70DU5REyieRXnV+mTWHqczxC9WSUWz3ofYENalqyZNJLa2gQ0wMZ5JgYckDDRJvNs7d+CdEdQaAz4MlI/XxrfUn4jNXcGcsbGFM1vEmSX40U1JglNqkNh1NVeujHVM8vmgG23TcuJnK45K/Gv49UaUz"
"LUJYRoniFR0Yp6Pz0GlL3cwhFB5elP+tVu4o5jH+bPlLcrS7sKhYsPZyOp29RKsI2lFGi9GGC+GIBvkV3OXaAv7Zdz7U0niHqbQg/A556Xngk4j39f3Cqw5mWDI3VIF7Wc63k5tDfThZwQIDAQAB"
I'm still questioning the naming of our PEM. I understand I can enter any value in the "DEFAULT SELECTOR" in MDaemon (DKIM), then pass this to our ISP so they can add it to our DNS record.
MDaemon only understands my local domain and not my public one, so even though I'm forcing the signing and making sure all references to my local domain are gone from the email, the world still doesn't trust my emails.
So this is where I’m at with diagnosing the test email.
We ran the header of this email through https://mxtoolbox.com/EmailHeaders.aspx and found the following:
Public
v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuEzPOstB2xOPAN6K6vUo8CA2fXym5vzuB0Y+Z2bGwsWZGJz3Bb3SForXcZaStf0a41OSE20uJxPHc+mJWbghF8DnyahcSwNvs1RueNbOIrFPiOCVFZ5cyDaf7PLySgDTXHebcexWrw8rDO1RXH1zxTTDsYKtnhqqigfAc/7JA1FRf048H26pECGfJObMCIp1ikc1bo4EyEayqZwDViYWivv96WGeVuMFT4h7yclW8xWiJduUgO9MhM1iR6xGdBLjaxDi+liTMNKdSNe1sWX0iMsaKHTP77HEzZDf2MvqxpMtqTS7y11aMlcmwK+kzpEox++je82kUzl5/3AhieAHdQIDAQAB
Dkim Signature:
v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Public domain]; s=[Public domain]; t=1682602858; x=1683207658; q=dns/txt; h=Date:Message-Id:Reply-To:From:To:Cc:Subject: IMPORTANCE:Status:MIME-Version:Content-Type; bh=vs57kWhOYkKrDw6+ Yl7MqEJx5+iUnIZxAUweU6YQK0M=; b=ERdo58n9/a2Jxn+qQTeWqpP5E5/goY7e SIwc0V1D6+nRPWKhFn/Qt9m4KWLx5BINhQbXQFhLU9b+c00D/rHbsYYoLMlO88+q ZhnrkFOXXWJbk8CduECi/K4xZQZwnjiFjnpKl0C8u9vK9JqTabQR/X+WzLFRTQKj 8yNzQAdq1fQ=
When viewing the mail via a web browser in Gmail, it shows an error:
Security: [External Domain].com did not encrypt this message Learn more
Reviewing the content of the email we see the following:
Delivered-To: [myemailaddress]@gmail.com
Received: by 2002:ac8:7c4:0:b0:3ef:332f:643 with SMTP id m4csp366181qth;
Thu, 27 Apr 2023 06:18:41 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ5TTps6FB40C2Wrck7WKCQ/66Q3gLXvw9LC3RLHlEV28gGvXs78PhNf41ECDxjKVdXuBHgl
X-Received: by 2002:ad4:5c6e:0:b0:5ea:c6f7:6d53 with SMTP id i14-20020ad45c6e000000b005eac6f76d53mr2263718qvh.31.1682601521246;
Thu, 27 Apr 2023 06:18:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682601521; cv=none;
d=google.com; s=arc-20160816;
b=F5gJcVZxi+RdYbq6wQmubAqsScTKZUyZxSmP5VvJK8/ZP1PLwWxAM7rWanU/3YWmyX
OWcv9QmnNrGwdXPWPwEL36Q4JSAyJZF2k+hgKgzzB/zLA6sDJl6BDx8qLbinHu1myitu
vVc64fFoTH1dr5lEXNsTV85f57brQYCAyslNYh+GuxcHJPFDVaMmUFVBnKGs8GUh64Ro
uO2uFewQiCg2P7FRVhTZxO8FM4jTX1I7wzByQdonquIJZODit8bWLAP4TCtf2eo5JGgW
JNwH1W2hF3hGZKkHU9uDe8wOjrhPwp9YD6rynoueGjQBeX+04OVpI7vnjw1ca4G47aKE
wT6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:status:importance:subject:cc:to:from:reply-to
:message-id:date:dkim-signature;
bh=cJA/IdYZROqBaie1f5YMIDy29ahgZaU3psbsZcbzzyc=;
b=OLedvsxNqSObB62IR1IRxdx7kLEg8LMNw2j56YxPH4fszhiy7va+nIBXWFRc4w8/zu
WTb1DS5OaO4JFTVoGy/hrXd89D0X02oaOsTEkmIDFcFx/o03WkHOXPVOnp0H5XUlbnuv
UraQJMruDTIcPkT7PBENUc0e1m9uRJysx3y/b6R2ZC+IP9vb1lTkWuCzrZfzECzpXiWV
1uUW2OM32sEzmcZCVVNm7819wWF8USrycWjKsqPOcFeaAYpdQhPPUTSQG458zHpMN5su
KHM8t7ZoA+2GEQ4b/hHrIwWTmm1TNU/LvurYGrxrtbnnPDv51m7wg1f/yrGhndxSXO/l
lHkg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@[EXTERNAL DOMAIN].COM header.s=[External Domain].com header.b=UH01miIr;
spf=pass (google.com: domain of prvs=1481fc8853=info@[External Domain].com designates [XXX.XXX.XXX.XXX] as permitted sender) smtp.mailfrom="prvs=1481fc8853=INFO@[External Domain].com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=[External Domain].com
Return-Path: <prvs=1481fc8853=INFO@[External Domain].com>
Received: from mail.[External Domain].com (mail.[External Domain].com. [[XXX.XXX.XXX.XXX]])
by mx.google.com with ESMTP id i20-20020ac85e54000000b003f1916ad1a4si2335147qtx.408.2023.04.27.06.18.41
for <xxxxxxxxx@gmail.com>;
Thu, 27 Apr 2023 06:18:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of prvs=1481fc8853=info@[External Domain].com designates [XXX.XXX.XXX.XXX] as permitted sender) client-ip=[XXX.XXX.XXX.XXX];
Authentication-Results: mx.google.com;
dkim=fail header.i=@[EXTERNAL DOMAIN].COM header.s=[External Domain].com header.b=UH01miIr;
spf=pass (google.com: domain of prvs=1481fc8853=info@[External Domain].com designates [XXX.XXX.XXX.XXX] as permitted sender) smtp.mailfrom="prvs=1481fc8853=INFO@[External Domain].com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=[External Domain].com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[EXTERNAL DOMAIN].COM; s=[External Domain].com; t=1682601457; x=1683206257; q=dns/txt; h=Date:Message-Id:Reply-To:From:To:Cc:Subject: IMPORTANCE:Status:MIME-Version:Content-Type; bh=cJA/IdYZROqBaie1 f5YMIDy29ahgZaU3psbsZcbzzyc=; b=UH01miIr0BnfU/qiDbjrhufpjh2EMjTd 5L3pJYwM30ura/DZK4TE2xHNrdgaElbEyJO/IrcFiSwETAv2nTK2q8vxBOwz/Zda JKtgx16WRK8z8sn6ez40m/ERyyPIoi0JypiCFQLbPdyVAN4/bJL6OXc9YagcZjcv GypZ1LvnXuM=
X-MDAV-Result: clean
X-MDAV-Processed: mail.[External Domain].com, Thu, 27 Apr 2023 09:17:37 -0400
Received: by mail.[External Domain].com with ESMTPS id md5001000247302.msg; Thu, 27 Apr 2023 09:17:36 -0400
X-Spam-Processed: mail.[External Domain].com, Thu, 27 Apr 2023 09:17:36 -0400 (not processed: message from trusted or authenticated source)
X-MDOP-RefID: str=0001.0A742F19.644A2745.0007,ss=3,sh,re=0.000,recu=0.000,cl=3,cld=1,fgs=0 (_st=3 _vt=0 _iwf=0)
X-MDRemoteIP: 192.67.68.80
X-MDHelo: [External Domain].com
X-MDArrival-Date: Thu, 27 Apr 2023 09:17:36 -0400
X-Return-Path: prvs=1481fc8853=INFO@[EXTERNAL DOMAIN].COM
X-Envelope-From: INFO@[EXTERNAL DOMAIN].COM
X-MDaemon-Deliver-To: xxxxxxxx.00@GMAIL.COM
Received: from localhost.localdomain (localhost [127.0.0.1]) by [External Domain].com (8.14.7/8.14.7) with ESMTP id 33RDHZ71020021 for <[myemailaddress]@GMAIL.COM>; Thu, 27 Apr 2023 09:17:35 -0400
Received: (from scott@localhost) by [External Domain].com (8.14.7/8.14.7/Submit) id 33RDHZax020013; Thu, 27 Apr 2023 09:17:35 -0400
Date: Thu, 27 Apr 2023 09:17:35 -0400
Message-Id: <202304271317.33RDHZax020013@[External Domain].com>
Reply-To: CENTRAL STATION <DONOTREPLY@[External Domain].com>
From: CENTRAL STATION <INFO@[External Domain].com>
To: xxxxx <xxxxx@gmail.com>
Cc:
Subject:
IMPORTANCE: HIGH
Status: O
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="xxxxx_File_Descriptor_535431TD738639.38721065"
X-MDCFSigsAdded: [EXTERNAL DOMAIN].COM
X-Antivirus: Avast (VPS 230427-0, 4/26/2023), Outbound message
X-Antivirus-Status: Clean
--DXXX_File_Descriptor_535431TD738639.38721065
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
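One thing the headers above already tell you about the "did not encrypt this message" warning: the "with" keyword of each Received: line records the protocol of that hop (RFC 3848), and the name ends in S (ESMTPS, ESMTPSA) only when STARTTLS was used. The hop into mx.google.com above says "with ESMTP", while the internal hop says "with ESMTPS". The script below is an added example, not code from the forum or from MDaemon; it parses a constructed header block modelled on the one above (example.com, 192.0.2.10 and the ids are placeholders) and lists the hops that were delivered in the clear.

```python
# Added example: flag Received: hops that did not use STARTTLS.
# Standard library only; the header sample is constructed, not a real message.
import re
from typing import Dict, List

# RFC 3848 / RFC 6531 "with" keywords: trailing S = STARTTLS, trailing A = authenticated.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample modelled on the thread's headers (placeholders throughout).
SAMPLE_HEADERS = """\
Delivered-To: user@gmail.com
Received: from mail.example.com (mail.example.com. [192.0.2.10])
        by mx.google.com with ESMTP id i20-constructedid
        for <user@gmail.com>;
        Thu, 27 Apr 2023 06:18:41 -0700 (PDT)
Received: by mail.example.com with ESMTPS id md5001000247302.msg; Thu, 27 Apr 2023 09:17:36 -0400
Received: from localhost.localdomain (localhost [127.0.0.1]) by example.com (8.14.7/8.14.7) with ESMTP id 33RDHZ71020021 for <user@gmail.com>; Thu, 27 Apr 2023 09:17:35 -0400
"""


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading SP/HTAB) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw_headers: str) -> List[Dict[str, object]]:
    """One dict per Received: header, top-most (closest to the recipient) first."""
    hops: List[Dict[str, object]] = []
    for header in unfold_headers(raw_headers):
        if not header.lower().startswith("received:"):
            continue
        value = header.split(":", 1)[1].strip()
        clauses = value.split(";", 1)[0]  # everything before the date-time
        frm = re.search(r"\bfrom\s+(\S+)", clauses)
        by = re.search(r"\bby\s+(\S+)", clauses)
        with_ = re.search(r"\bwith\s+(\S+)", clauses)
        proto = with_.group(1).upper() if with_ else ""
        hops.append({
            "from": frm.group(1) if frm else "",
            "by": by.group(1) if by else "",
            "with": proto,
            "tls": proto in TLS_WITH_KEYWORDS,
        })
    return hops


def hops_without_tls(raw_headers: str) -> List[str]:
    """Receiving hosts whose hop carried the message without STARTTLS."""
    return [str(h["by"]) for h in parse_received(raw_headers) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(f"{hop['from'] or '(local)':28} -> {hop['by']:20} {hop['with']:10} tls={hop['tls']}")
    print("clear-text hops:", hops_without_tls(SAMPLE_HEADERS))
```

The loopback hop from localhost will always show as clear text and can be ignored; the hop that matters for Gmail's warning is the one ending "by mx.google.com", which should read ESMTPS once TLS is enabled on the sending server.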
-
Jared Staff
Hello Scott,
You noted that this is the public DKIM key found in your PEM folder:
"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzdBzxQ5I4WJXPcRXo9ppHI20kbIPQL4XJRzmDWNbqUgWJv8Sr70DU5REyieRXnV+mTWHqczxC9WSUWz3ofYENalqyZNJLa2gQ0wMZ5JgYckDDRJvNs7d+CdEdQaAz4MlI/XxrfUn4jNXcGcsbGFM1vEmSX40U1JglNqkNh1NVeujHVM8vmgG23TcuJnK45K/Gv49UaUz""LUJYRoniFR0Yp6Pz0GlL3cwhFB5elP+tVu4o5jH+bPlLcrS7sKhYsPZyOp29RKsI2lFGi9GGC+GIBvkV3OXaAv7Zdz7U0niHqbQg/A556Xngk4j39f3Cqw5mWDI3VIF7Wc63k5tDfThZwQIDAQAB"
Did you find the above information within the default selector subfolder in your \MDaemon\PEM directory?
When you performed a message header analysis in MXToolbox, it showed this as your public DKIM record in DNS:
v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuEzPOstB2xOPAN6K6vUo8CA2fXym5vzuB0Y+Z2bGwsWZGJz3Bb3SForXcZaStf0a41OSE20uJxPHc+mJWbghF8DnyahcSwNvs1RueNbOIrFPiOCVFZ5cyDaf7PLySgDTXHebcexWrw8rDO1RXH1zxTTDsYKtnhqqigfAc/7JA1FRf048H26pECGfJObMCIp1ikc1bo4EyEayqZwDViYWivv96WGeVuMFT4h7yclW8xWiJduUgO9MhM1iR6xGdBLjaxDi+liTMNKdSNe1sWX0iMsaKHTP77HEzZDf2MvqxpMtqTS7y11aMlcmwK+kzpEox++je82kUzl5/3AhieAHdQIDAQAB
While both of those records start off identical, they are actually very different.
Did you generate a new DKIM public and private key pair in MDaemon for your default selector after you had already published your DKIM record in DNS?
--
Jared Charles
-
To answer your question, it probably has been modified.
This goes back to my previous post (noted below).
"I'm still questioning the naming of our PEM. I understand I can enter any value in the "DEFAULT SELECTOR" in MDaemon (DKIM), then pass this to our ISP so they can add it to our DNS record.
MDaemon only understands my local domain and not my public one, so even though I'm forcing the signing and making sure all references to my local domain are gone from the email, the world still doesn't trust my emails."
Example (see below): I named the new PEM [TEST] and then the system prepends my [local domain.local] by default. I pass this to my ISP to post in our public DNS records. So if my email is being sent to our ISP using my external domain (i.e. [public domain.com]), how can my identity be verified if my [local domain.local] is a part of the overall record? My first thought would be to manually change my [local domain.local] to match the current external domain in the PEM record.
Can you help me better understand how this ([TEST]._domainkey.[local domain].local. IN TXT) can be modified to work correctly?
Newly created record.
[TEST]._domainkey.[local domain].local. IN TXT
"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhcjym/CZqFRFckjvzhnyHiMmBO5smeTtTggAYhwiyRL0EJBUxRZ9usvuiSrvNRAwhBu0v2M1lRg5W7+M2xnY/qa74jmkdAW28+ErlU1sPXLIPpofTeZXcQcNXItne52yE+x2NG41k5NB4E1vouB3o0ZVxWIWA3QpvkH+SzI6+jl0kgx8XLg5IJzNPopJW9vYQvn1b4i"
"c6v8XAP7/G5emDRvy7UjtABhOV/Bz1fRUbZ26jW7Y5PFOz9FxJG9+wMpCX/GWgEKcGbkzBmQGYS+mHClB+U6ZfJzEn+ocWLNqbZwSjJZrp4Rj5pl0jzYn7GR/VUA654ue1j1lR8kxPKSgQIDAQAB"
-
Arron Staff
You should not be including localdomain.local in the DNS information that is published. The selector record needs to be created at selector._domainkey.domain.com. So if you are using "Selector1" as the selector and "domain1.com" as your public domain, then the selector record needs to be published at Selector1._domainkey.domain1.com.
The other thing to consider is how you are changing all information in the message from localdomain.local to publicdomain.com. MDaemon "should" be making all these changes prior to signing the message. If you are doing it outside of MDaemon, the change is occurring after the message is signed, which will not work.
I also noticed that the DKIM signature has the following:
d=[EXTERNAL DOMAIN].COM; s=[External Domain].com
I don't think "." are allowed in the selector. If you are actually using "domain.com" as the selector, I would recommend removing the period.
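The two record problems raised in this thread, a selector record published under the wrong owner name and a local PEM key that no longer matches what DNS serves, can both be checked mechanically before a record is handed to the ISP. The script below is an added example, not code from the forum or from MDaemon, and uses only the Python standard library. It builds the owner name a verifier queries from the s= and d= tags of a DKIM-Signature, joins the quoted chunks of a zone-file TXT record the way a resolver does, and compares the p= values of two records. example.com, the "Public" selector, corp.local and the short p= strings are constructed placeholders.

```python
# Added example: sanity checks for a DKIM selector record before publishing.
# Standard library only; all domains, selectors and key material are placeholders.
import re
from typing import Dict, List


def parse_dkim_tags(value: str) -> Dict[str, str]:
    """Parse a tag=value list from a DKIM-Signature header or a DKIM TXT record.
    Whitespace inside values (folded b=/bh= lines) is removed, as RFC 6376
    requires before the base64 is decoded."""
    value = re.sub(r"^\s*DKIM-Signature\s*:", "", value, flags=re.I)
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted chunks of a zone-file TXT record.
    A key longer than one 255-byte string is published as "chunk1" "chunk2";
    resolvers join the chunks, so the record is read as one string."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata


def selector_record_name(selector: str, signing_domain: str) -> str:
    """The DNS owner name a verifier queries: <selector>._domainkey.<d= domain>."""
    return f"{selector}._domainkey.{signing_domain}".lower()


def expected_record_name(dkim_signature: str) -> str:
    tags = parse_dkim_tags(dkim_signature)
    return selector_record_name(tags["s"], tags["d"])


def owner_name_matches(owner_name: str, dkim_signature: str) -> bool:
    """True when the zone-file owner name is the one the signature points at.
    A name ending in a private .local zone can never match a public d= domain."""
    return owner_name.rstrip(".").lower() == expected_record_name(dkim_signature)


def extra_dns_labels(selector: str) -> int:
    """Each '.' in a selector adds a DNS label to the query name, which is what
    turns s=domain.com into domain.com._domainkey.domain.com."""
    return selector.count(".")


def same_public_key(txt_a: str, txt_b: str) -> bool:
    """Compare the p= values of two DKIM TXT records (e.g. local PEM copy vs DNS)."""
    a = parse_dkim_tags(join_txt_strings(txt_a)).get("p")
    b = parse_dkim_tags(join_txt_strings(txt_b)).get("p")
    return a is not None and a == b


def audit(owner_name: str, zone_rdata: str, published_txt: str, dkim_signature: str) -> List[str]:
    """Collect the findings an admin would want before asking the ISP to publish."""
    findings: List[str] = []
    tags = parse_dkim_tags(dkim_signature)
    if not owner_name_matches(owner_name, dkim_signature):
        findings.append(f"record is at {owner_name} but verifiers query {expected_record_name(dkim_signature)}")
    if extra_dns_labels(tags["s"]):
        findings.append(f"selector {tags['s']!r} contains '.', adding {extra_dns_labels(tags['s'])} DNS label(s)")
    if not same_public_key(zone_rdata, published_txt):
        findings.append("published p= differs from the local record (key regenerated after publishing?)")
    return findings


if __name__ == "__main__":
    # Constructed inputs reproducing the thread's three problems at once.
    sig = "v=1; a=rsa-sha256; d=example.com; s=example.com; bh=abc=; b=xyz="
    local = '"v=DKIM1; p=MIIBIjANBgkqAAAA" "BBBB"'  # local PEM record, split like a zone file
    dns = "v=DKIM1; p=MIIBIjANBgkqAAAACCCC"        # what DNS currently serves (different key)
    for finding in audit("example.com._domainkey.corp.local.", local, dns, sig):
        print("-", finding)
```

Run `audit()` with the owner name from the PEM folder, the TXT rdata from the same file, the record returned by an actual DNS lookup, and the DKIM-Signature header of a signed message; an empty list means the three pieces agree.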
-
Arron,
Per your instructions (see new DKIM record below):
I've made the selector a simple name without any special characters.
I made sure that all changes from localdomain.local to publicdomain.com are done in content filtering with a signing request as the last item.
This new DKIM record was sent to our ISP with a request to pull down all others (if any) leaving this as the sole record.
Again, thank you for all the clarification on the do's and don'ts of signing mail.
DKIM selector record for DNS:
Public._domainkey.[public domain.com]. IN TXT
"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA27/hg8o0FwUvird+zKKYgOQ4YzDkSHfhfnu1cmsTa9RVBZpvndn7pBf0F20ruQQSO6JShYfrX2RhS2Xc/McuJ3JsplnPKjNT/EnHQPU3+q02DPaP27/Gjj1jiFgCw20xlFUfzBh7yxPsnG/N54PZRC/jShHQjxj/B0vlOWFshybizIwVJcRLGKh/YFFlX7Tq0R7Hhbgx"
"tdztqTEiN/S15OOxyVliJ0w9qxv6oOqIp9UZX/QVoSB/0KU3bs1knHVfTPy4VX0JYL+Y0DA86g+twE+YZlXonWp3blbvePYGNoPlX8NgKFy2guB6uhpcLMt6U9OwYrqtlJLGmRZlT6YGIQIDAQAB"
-
Arron,
Things are looking much cleaner, but Gmail has a problem with our mail.
Email received at my Gmail account, sent from within our network. Looking at the content in Gmail, it shows DKIM "pass header", which seems correct (see below).
Authentication-Results: mx.google.com;
dkim=pass header.i=@[external domain] header.s=Public header.b=b6Ixwxb5;
spf=pass (google.com: domain of prvs=1486e5fc6d=scott@[external domain] designates 216.57.***.**** as permitted sender) smtp.mailfrom="prvs=1486e5fc6d=scott@[external domain]";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=[external domain]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[external domain]; s=Public; r=y; l=166381; t=1683051309; x=1683656109; q=dns/txt; h=From:To:Date:Message-Id:Reply-To: User-Agent:MIME-Version:Content-Type; z=Received:=20by=20mail.[public domain]=20with=20ESMTPSA=20id=20md5001000255318.msg=3B=20Tue,= 2002=20May=202023=2014=3A15=3A09=20-0400|From:=20"Scott=20*****"=20<scott@[external domain]>|To:=20"SCOTT=20******"=20<*******@GMAIL.COM>|Date:=20Tue,=2002=20May=202023=2018=3A15=3A07= 20+0000|Message-Id:=20<emde80e5ae-ca1f-4f26-97eb-1c6d0e268df7@e2 c990ab.com>|Reply-To:=20"Scott=20**********"=20<scott@*******>|User-Agent:=20eM_Client/9.2.1553.0|MIME-Version:=201.0|Conten t-Type:=20multipart/related=3B=20boundary=3D"------=3D_MBAB315A8 6-5BDB-48C1-9509-7781C6CB2EF1"; bh=F2Z9XuoS59ZvrNSerndSAimA8MJof AOAxKn5JmXUVKk=; b=b6Ixwxb58DK8cZb6gB18NUkUoqsGLC7+faWHSpFjf1dhm Q/Vo64dK81dYCTseoOVZxu7MJXNV0OYbV7kgoWiSZWD0kwHM3E86/RseWly6N4q5 TJ7hWm/7zESTHjL046/r6a1cMnxXG2CrhHOoU6mk1ykSPTuXrnA7LkD8HIep2Nxf XuByxuu9OFmFDZ7lWaMSbMntGN59vGyapYzo66wtEqg02s4W3xpdfv/MTLvCW5E6 nRWJ50KlQ9jKKOjQt1TXYkBQWD4HcK84pBmOf4fGrz+IVqe0B/SU06f3lyQG3up1 yt28dfyyFkIOVAzYCESfirbI5EKm1R1+lWC5kaGIQ==
When you open an email in Gmail it shows a red lock symbol. When you click on this link the following is displayed:
from: Scott **** scott@[Public domain]
reply-to: Scott ***** <scott@[Public domain]>
to: SCOTT ***** <*******@gmail.com>
date: May 2, 2023, 2:15 PM
subject:
mailed-by: [Public domain]
signed-by: [Public domain]
security: [Public domain] did not encrypt this message (Learn more)
Important mainly because it was sent directly to you.
So if "dkim=pass header" then why is it not encrypting the message?
We then used a tool that examines the email header and it shows the body hash did not verify. Why?
Test: Result
DKIM Signature Body Hash Verified: Body Hash Did Not Verify (More Info)
DKIM Record Published: DKIM Record found
DKIM Syntax Check: The record is valid
DKIM Public Key Check: Public key is present
DKIM Signature Syntax Check: The signature is valid
DKIM Signature Identifier Match: Signature domain match
DKIM Signature Alignment: Signature domain in alignment
DKIM Signature Duplicate Tags: Signature tags are unique
DKIM Signature Expiration: The signature is not expired - 5/9/2023
-
Arron Staff
So if "dkim=pass header" then why is it not encrypting the message?
A DKIM signature is not encryption. A DKIM signature is a hash of the message that can be used to verify that it was sent by the domain included in the d= value of the signature and that the message was not altered after it was signed.
Based on the tests I ran with Gmail, the fact that it's showing the message was not encrypted tells me that you do not have SSL/TLS enabled on your server, or there is a configuration issue. I'd start by making sure you have it enabled and a certificate configured: Security / Security Settings / SSL & TLS / MDaemon. You can also check your outbound SMTP log to see information about the TLS negotiation. Once this is addressed Gmail will show something like this:
security: Standard encryption (TLS)
We then used a tool that examines the email header and it shows the body hash did not verify. Why?
Typically a body hash mismatch error means that the message body has been modified since it was signed. I don't have an account with MXToolbox, so I can't see the details available when you click the More Info. What do they say?
Where did you get the message from to test the signature? If you copied it from gmail, it is entirely possible that gmail altered the message after verifying the signature, or that the content copied from the site does not match exactly with what was signed.
I would be shocked if gmail accepted and considered a DKIM signature valid when its not.
You could test with another DKIM tester.
Also, you might have better results if you freeze the remote queue and take a copy of the MSG file from the remote queue for testing after it has been signed.
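To see concretely what "body hash did not verify" means, the bh= tag can be recomputed from the message body and compared with the value in the signature. The script below is an added example, not code from the forum or from MDaemon, and uses only the Python standard library. It implements relaxed body canonicalization as specified in RFC 6376 section 3.4.4 (the c=relaxed/relaxed in the signatures above), honours the l= body-length tag that the second signature carries (l=166381), and reports the expected and computed hashes so a mismatch can be inspected. example.com, the "Public" selector and the message body in the demo are constructed; treating a bare LF as CRLF is an assumption made for copies pasted out of a web UI, which often lose the CR.

```python
# Added example: recompute a DKIM body hash (relaxed canonicalization) and
# compare it with the bh= tag. Standard library only; inputs are constructed.
import base64
import hashlib
import re
from typing import Dict, Optional


def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4).
    Assumption for pasted copies: a bare LF is treated as CRLF, since the wire
    form is CRLF and a web copy often drops the CR."""
    body = re.sub(rb"\r?\n", b"\r\n", body)
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of WSP to one SP
        lines.append(line.rstrip(b" \t"))      # drop trailing WSP
    while lines and lines[-1] == b"":          # drop empty lines at the end
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, cut to l= bytes if given."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def _tag(signature: str, name: str) -> Optional[str]:
    """Fetch one tag value; folding whitespace inside the value is removed."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"=([^;]*)", signature)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def check_body_hash(dkim_signature: str, body: bytes) -> Dict[str, object]:
    """Return expected vs computed hash so a mismatch can be inspected, not just flagged."""
    dkim_signature = re.sub(r"^\s*DKIM-Signature\s*:", "", dkim_signature, flags=re.I)
    expected = _tag(dkim_signature, "bh") or ""
    l_tag = _tag(dkim_signature, "l")
    computed = body_hash(body, int(l_tag) if l_tag else None)
    return {"expected": expected, "computed": computed, "match": expected == computed}


if __name__ == "__main__":
    # Constructed body and signature: the bh= is computed here, not taken from a real message.
    signed_body = b"Hello World \r\nsecond   line\t\r\n\r\n\r\n"
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
           "s=Public; bh=" + body_hash(signed_body) + "; b=notchecked")
    print("as signed:   ", check_body_hash(sig, signed_body))
    print("pasted (LF): ", check_body_hash(sig, b"Hello World\nsecond line\n"))
    print("edited body: ", check_body_hash(sig, b"Hello World\r\nsecond line.\r\n"))
```

The second call shows why a copy taken from a web page can still verify: relaxed canonicalization ignores trailing whitespace and line-ending noise. The third shows that any change to the visible text breaks the hash, which is the usual cause of this error; comparing the body of the MSG file from the frozen remote queue against the body the tester received narrows down which hop changed it. Note that when l= is present only the first l canonical bytes are hashed, so text appended after that point is not covered by the signature.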
-
Thank you very much for your time on this matter Arron, we have this issue under control.