Back to Community Threads
4
DKIM fail
Problem reported by Omar Escalante - 1/23/2021 at 6:47 AM
Submitted
Hello,

I am looking to sign with DKIM.
We have the latest version SmarterMail Enterprise Build 7685 (Jan 15, 2021)

* The Godaddy Premium zone are OK and tested by easydmarc.com , www.mimecast.com/products/dmarc-analyzer/dkim-check/, dmarcly.com
The report from dmarcly, as example is:

Success!

Everything appears fine with your DKIM record.


* The DKIM is running at Server: "DKIM is running on this domain and signing outbound mail. "
The DKIM Settings are:
Key Size 2048 (recommended)
Max message size to sign (Mb): 0
Body Canonicalization: Relaxed
Header Canonicalization: Relaxed
Headers Fileds to Use: All fields

But, when I send a test email to mxtoolbox.com, ondmarc.com or http://isnotspam.com the test fails
Here is the report from ONDMARC.COM

 DKIM evaluation failed.


  • The message has a valid signature, but it does not match the signature of the sending domain. This probably means that the message was modified somewhere along the way.

  • This is the raw error:

        "error": "bad signature",    "explanation": "crypto/rsa: verification error",    "source": 0,    "tag": "b" }

How can I solve it?

Thank you

  •

16 Replies

Reply to Thread
0
Omar Escalante Replied
1/27/2021 at 5:19 AM

I found, if I use the 2048 recommended key size, GMAIL answers:


 ...
 ARC-Authentication-Results: i=1; mx.google.com;
        dkim=fail ...
 ...
 Authentication-Results: mx.google.com;
        dkim=fail ...
 ...


 But, if I use only 1024 key size, GMAIL answers:


 ...
 ARC-Authentication-Results: i=1; mx.google.com;
        dkim=NEUTRAL...
 ...
 Authentication-Results: mx.google.com;
        dkim=NEUTRAL...
 ...
1
Sébastien Riccio Replied
1/27/2021 at 7:57 AM
Hello Omar,

Could it be that the 2048 bit DKIM key you need to have in GoDaddy DNS for your domain is too long and need to be splitted in multiple chains ?

https://support.google.com/a/answer/173535?hl=en
check "Domain keys and TXT record limits" chapter

check "DKIM 1024 vs 2048" chapter (he seems he uses godaddy for DNS too)

Kind regards.
Sébastien Riccio System & Network Admin https://swisscenter.com
0
Omar Escalante Replied
1/27/2021 at 9:14 AM
Thank you Sebastien,

I made the check, but this is not the reason. Godaddy suports 1024. This is big enough. We did not receive a rejection msg. I can write the record, and the server checked and approved it. Then I am able to ENABLE DKIM at Server:

DKIM is running on this domain and signing outbound mail.
 
  • TXT records have a maximum character limit of 1024 and only UTF-8 characters are supported.
0
Sébastien Riccio Replied
1/27/2021 at 10:13 AM
Okay, then I have no other ideas about the issue. It looked like a valid reason as the error you're facing is a key mismatch and it only happens with 2048 bit key not with 1024.

I have to check if we have 2048 bit keys used with SmarterMail, maybe the issue is on SmarterMal side ...
Sébastien Riccio System & Network Admin https://swisscenter.com
1
Employee Replied
1/27/2021 at 10:33 AM
Employee Post
I have found a scenario with DKIM reporting more bytes in the signature than there are actual bytes. This can cause SmarterMail itself to give a message a TempFail for DKIM.  @Omar, I recommend that you open a support ticket so they can pass along a custom build that may resolve this issue for you.
0
Omar Escalante Replied
1/27/2021 at 11:27 AM
Thank you Robert!!!
0
Douglas Foster Replied
1/27/2021 at 2:50 PM
Did you use SmarterMail to generate your key-pair?  I wonder if there is an occasional problem with the key generation algorithm.   OpenSSL and other tools can be used to generate the key pair

What size keypair did you generate?  1024-bit keys are weak but they fit in a single DNS segment.   Larger keys are more secure but need more than one DNS segment.
0
Omar Escalante Replied
1/28/2021 at 1:14 AM
Hello,

@Douglas Foster, Thank you for your suggestion. How can I save the private key into SMARTERMAIL server? I've been looking on it, and I can't find the way.

@Robert Emmet,
Now, with the new 7696 Build the situation is better (don't fail):

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@frimont.com header.s=8d8c36041d0fb93 header.b=rsCp5QEl;
       spf=pass (google.com: domain of omar.escalante@frimont.com designates 207.182.134.130 as permitted sender) 
The MXTOOLBOX report is 

DKIM Information:

DKIM Signature
Message contains this DKIM Signature: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=frimont.com; s=8d8c36041d0fb93; l=0;        h=content-type:mime-version:message-id:reply-to:date:subject:to          :from;        bh=re9n9U7TxhyW58+HSF6gDn6coz3WQQlUg/fgZk/QwjA=;        b=ikzn+aQLzYEHsityCM3E4RJ+0rOPWClGTVI1Xuxn41E3un2YQR+16KUCv6KT6mYTe          okW8MvXJYfLanVtW40cQQaZv4+g8q/mdasGpgY3q8DZ2HoIExBxXk5FHgKLq794If          mWDKSEymTWFKpmOEdeS4lXOT12hKQEHSVYQNhvufw= 

Signature Information: v= Version:         1 a= Algorithm:       rsa-sha256 c= Method:          relaxed/relaxed d= Domain:          frimont.com s= Selector:        8d8c36041d0fb93 q= Protocol:        bh=                 re9n9U7TxhyW58+HSF6gDn6coz3WQQlUg/fgZk/QwjA= h= Signed Headers:  content-type:mime-version:message-id:reply-to:date:subject:to          :from b= Data:            ikzn+aQLzYEHsityCM3E4RJ+0rOPWClGTVI1Xuxn41E3un2YQR+16KUCv6KT6mYTe          okW8MvXJYfLanVtW40cQQaZv4+g8q/mdasGpgY3q8DZ2HoIExBxXk5FHgKLq794If          mWDKSEymTWFKpmOEdeS4lXOT12hKQEHSVYQNhvufw=

Public Key DNS Lookup
Building DNS Query for 8d8c36041d0fb93._domainkey.frimont.com
Retrieved this publickey from DNS: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7QkcpsKbYNOAUaDkhg1045lj1kkB+QRFAKw+g0iV87KbM/Gt/k5RYzuGBXSgOv8QIkfeVV9mlBpf6AQiz2HpZ3HWkyYKwg4tM3MV8LeWbKGmhSV2NcIA55tegbpVbb4zQ5zfik1gzvFs7RPiq2y6OfXUrMTjzDkpTsLE6x4pebtu0P1AnDmTZt4ykS0qBIWTcpINfLbiow3ZcIO5JbvKibUT5Yj6sJKHc0nEfEKUv1FjdbldCwsNDnwPjj96klers4687VtWAS+GBuT81E9PO8ldkHI60fWTwWpxuvSlnLJ5kziDqlM5vSD88VS1O1ifpXIF/HEgi23qLfLLtVvE4QIDAQAB

Validating Signature
result = fail Details: OpenSSL error: data too small for key size
How can I solve this (body hash did not verify) ?
Thank you
0
Michael Replied
1/28/2021 at 5:46 PM
We're also seeing  (body hash did not verify)  when emailing gmail.
0
Michael Replied
1/29/2021 at 9:30 PM
Build 7699 (Jan 29, 2021) may have attempted to solve this issue?
Release notes say
Fixed: Scenario where DKIM signature could have an invalid body length.

But we are seeing some cases when DKIM is still failing with body errors same as above.
0
Omar Escalante Replied
1/30/2021 at 12:59 PM
Yes, Michael. The problem is solved.
Sorry, but after update to build 7696 I forgot to reset the server. Then, after update and reset, DKIM is working

Now, the report from https://dkimvalidator.com/ is positive.

Public Key DNS Lookup
Building DNS Query for 8d8c36041d0fb93._domainkey.frimont.com
Retrieved this publickey from DNS: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7QkcpsKbYNOAUaDkhg1045lj1kkB+QRFAKw+g0iV87KbM/Gt/k5RYzuGBXSgOv8QIkfeVV9mlBpf6AQiz2HpZ3HWkyYKwg4tM3MV8LeWbKGmhSV2NcIA55tegbpVbb4zQ5zfik1gzvFs7RPiq2y6OfXUrMTjzDkpTsLE6x4pebtu0P1AnDmTZt4ykS0qBIWTcpINfLbiow3ZcIO5JbvKibUT5Yj6sJKHc0nEfEKUv1FjdbldCwsNDnwPjj96klers4687VtWAS+GBuT81E9PO8ldkHI60fWTwWpxuvSlnLJ5kziDqlM5vSD88VS1O1ifpXIF/HEgi23qLfLLtVvE4QIDAQAB

Validating Signature
result = pass Details: 

With MX TOOLBOX:

0
Michael Replied
1/31/2021 at 2:12 PM
Humm... something is still funky for us.
We see  https://dkimvalidator.com/ show all is well. But if you email GMAIL we still see (body hash did not verify) 

Might be something specific with how GMAIL translates the keys.
0
Omar Escalante Replied
2/1/2021 at 11:59 AM
With GMAIL, this is working for us:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@frimont.com header.s=8d8c36041d0fb93 header.b=TltMzYxf;
       spf=pass (google.com: domain of omar.escalante@frimont.com designates 207.182.134.130 as permitted sender) smtp.mailfrom=omar.escalante@frimont.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=frimont.com
0
Michael Replied
2/1/2021 at 12:17 PM
Omar, what version of Smarter Mail did you generate your DKIM keys with?
0
Omar Escalante Replied
2/1/2021 at 1:11 PM
build 7696  
0
Douglas Foster Replied
2/1/2021 at 1:39 PM
To an earlier question:   It does not seem possible to use an externally-generated key pair.    I have not updated my keypair in a long time, and forgot how it was done.

This is a problem now that I have DMARC p=reject.   As soon as I try to generate a new keypair, SM will stop signing messages until the new public key if visible in DNS.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Setting up Email Signing (DKIM) for a DomainSmarterMail > Domain/User Configuration and Management
DMARC - In Simple TermsSmarterMail > Antispam and Antivirus
SPF - In Simple TermsSmarterMail > Antispam and Antivirus