4
DKIM fail
Problem reported by Omar Escalante - 1/23/2021 at 6:47 AM
Submitted
Hello,

I am looking to sign with DKIM.
We have the latest version SmarterMail Enterprise Build 7685 (Jan 15, 2021)

* The Godaddy Premium zone are OK and tested by easydmarc.com , www.mimecast.com/products/dmarc-analyzer/dkim-check/, dmarcly.com
The report from dmarcly, as example is:

Success!

Everything appears fine with your DKIM record.


* The DKIM is running at Server: "DKIM is running on this domain and signing outbound mail. "
The DKIM Settings are:
Key Size 2048 (recommended)
Max message size to sign (Mb): 0
Body Canonicalization: Relaxed
Header Canonicalization: Relaxed
Headers Fileds to Use: All fields

But, when I send a test email to mxtoolbox.com, ondmarc.com or http://isnotspam.com the test fails
Here is the report from ONDMARC.COM

 DKIM evaluation failed.


  • The message has a valid signature, but it does not match the signature of the sending domain. This probably means that the message was modified somewhere along the way.

  • This is the raw error:

        "error": "bad signature",    "explanation": "crypto/rsa: verification error",    "source": 0,    "tag": "b" }

How can I solve it?

Thank you

  • 
    

16 Replies

Reply to Thread
0
Omar Escalante Replied

I found, if I use the 2048 recommended key size, GMAIL answers:


 ...
 ARC-Authentication-Results: i=1; mx.google.com;
        dkim=fail ...
 ...
 Authentication-Results: mx.google.com;
        dkim=fail ...
 ...


 But, if I use only 1024 key size, GMAIL answers:


 ...
 ARC-Authentication-Results: i=1; mx.google.com;
        dkim=NEUTRAL...
 ...
 
Authentication-Results: mx.google.com;
        dkim=NEUTRAL...
 ...


1
Sébastien Riccio Replied
Hello Omar,

Could it be that the 2048 bit DKIM key you need to have in GoDaddy DNS for your domain is too long and need to be splitted in multiple chains ?

https://support.google.com/a/answer/173535?hl=en
check "Domain keys and TXT record limits" chapter

check "DKIM 1024 vs 2048" chapter (he seems he uses godaddy for DNS too)

Kind regards.
Sébastien Riccio
System & Network Admin

0
Omar Escalante Replied
Thank you Sebastien,

I made the check, but this is not the reason. Godaddy suports 1024. This is big enough. We did not receive a rejection msg. I can write the record, and the server checked and approved it. Then I am able to ENABLE DKIM at Server:

DKIM is running on this domain and signing outbound mail.
 
  • TXT records have a maximum character limit of 1024 and only UTF-8 characters are supported.
0
Sébastien Riccio Replied
Okay, then I have no other ideas about the issue. It looked like a valid reason as the error you're facing is a key mismatch and it only happens with 2048 bit key not with 1024.

I have to check if we have 2048 bit keys used with SmarterMail, maybe the issue is on SmarterMal side ...

Sébastien Riccio
System & Network Admin

1
Robert Emmett Replied
Employee Post
I have found a scenario with DKIM reporting more bytes in the signature than there are actual bytes. This can cause SmarterMail itself to give a message a TempFail for DKIM.  @Omar, I recommend that you open a support ticket so they can pass along a custom build that may resolve this issue for you.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Omar Escalante Replied
Thank you Robert!!!
0
Douglas Foster Replied
Did you use SmarterMail to generate your key-pair?  I wonder if there is an occasional problem with the key generation algorithm.   OpenSSL and other tools can be used to generate the key pair

What size keypair did you generate?  1024-bit keys are weak but they fit in a single DNS segment.   Larger keys are more secure but need more than one DNS segment.

0
Omar Escalante Replied
Hello,

@Douglas Foster, Thank you for your suggestion. How can I save the private key into SMARTERMAIL server? I've been looking on it, and I can't find the way.

@Robert Emmet,
Now, with the new 7696 Build the situation is better (don't fail):

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@frimont.com header.s=8d8c36041d0fb93 header.b=rsCp5QEl;
       spf=pass (google.com: domain of omar.escalante@frimont.com designates 207.182.134.130 as permitted sender) 
The MXTOOLBOX report is 

DKIM Information:

DKIM Signature

Message contains this DKIM Signature: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=frimont.com; s=8d8c36041d0fb93; l=0; h=content-type:mime-version:message-id:reply-to:date:subject:to :from; bh=re9n9U7TxhyW58+HSF6gDn6coz3WQQlUg/fgZk/QwjA=; b=ikzn+aQLzYEHsityCM3E4RJ+0rOPWClGTVI1Xuxn41E3un2YQR+16KUCv6KT6mYTe okW8MvXJYfLanVtW40cQQaZv4+g8q/mdasGpgY3q8DZ2HoIExBxXk5FHgKLq794If mWDKSEymTWFKpmOEdeS4lXOT12hKQEHSVYQNhvufw= Signature Information: v= Version: 1 a= Algorithm: rsa-sha256 c= Method: relaxed/relaxed d= Domain: frimont.com s= Selector: 8d8c36041d0fb93 q= Protocol: bh= re9n9U7TxhyW58+HSF6gDn6coz3WQQlUg/fgZk/QwjA= h= Signed Headers: content-type:mime-version:message-id:reply-to:date:subject:to :from b= Data: ikzn+aQLzYEHsityCM3E4RJ+0rOPWClGTVI1Xuxn41E3un2YQR+16KUCv6KT6mYTe okW8MvXJYfLanVtW40cQQaZv4+g8q/mdasGpgY3q8DZ2HoIExBxXk5FHgKLq794If mWDKSEymTWFKpmOEdeS4lXOT12hKQEHSVYQNhvufw=

Public Key DNS Lookup

Building DNS Query for 8d8c36041d0fb93._domainkey.frimont.com Retrieved this publickey from DNS: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7QkcpsKbYNOAUaDkhg1045lj1kkB+QRFAKw+g0iV87KbM/Gt/k5RYzuGBXSgOv8QIkfeVV9mlBpf6AQiz2HpZ3HWkyYKwg4tM3MV8LeWbKGmhSV2NcIA55tegbpVbb4zQ5zfik1gzvFs7RPiq2y6OfXUrMTjzDkpTsLE6x4pebtu0P1AnDmTZt4ykS0qBIWTcpINfLbiow3ZcIO5JbvKibUT5Yj6sJKHc0nEfEKUv1FjdbldCwsNDnwPjj96klers4687VtWAS+GBuT81E9PO8ldkHI60fWTwWpxuvSlnLJ5kziDqlM5vSD88VS1O1ifpXIF/HEgi23qLfLLtVvE4QIDAQAB

Validating Signature

result = fail Details: OpenSSL error: data too small for key size
How can I solve this (body hash did not verify) ?
Thank you
0
Michael Replied
We're also seeing  (body hash did not verify)  when emailing gmail.
0
Michael Replied
Build 7699 (Jan 29, 2021) may have attempted to solve this issue?
Release notes say
Fixed: Scenario where DKIM signature could have an invalid body length.

But we are seeing some cases when DKIM is still failing with body errors same as above.
0
Omar Escalante Replied
Yes, Michael. The problem is solved.
Sorry, but after update to build 7696 I forgot to reset the server. Then, after update and reset, DKIM is working

Now, the report from https://dkimvalidator.com/ is positive.

Public Key DNS Lookup

Building DNS Query for 8d8c36041d0fb93._domainkey.frimont.com Retrieved this publickey from DNS: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7QkcpsKbYNOAUaDkhg1045lj1kkB+QRFAKw+g0iV87KbM/Gt/k5RYzuGBXSgOv8QIkfeVV9mlBpf6AQiz2HpZ3HWkyYKwg4tM3MV8LeWbKGmhSV2NcIA55tegbpVbb4zQ5zfik1gzvFs7RPiq2y6OfXUrMTjzDkpTsLE6x4pebtu0P1AnDmTZt4ykS0qBIWTcpINfLbiow3ZcIO5JbvKibUT5Yj6sJKHc0nEfEKUv1FjdbldCwsNDnwPjj96klers4687VtWAS+GBuT81E9PO8ldkHI60fWTwWpxuvSlnLJ5kziDqlM5vSD88VS1O1ifpXIF/HEgi23qLfLLtVvE4QIDAQAB

Validating Signature

result = pass Details: With MX TOOLBOX:

0
Michael Replied
Humm... something is still funky for us.
We see  https://dkimvalidator.com/ show all is well. But if you email GMAIL we still see (body hash did not verify) 

Might be something specific with how GMAIL translates the keys.
0
Omar Escalante Replied
With GMAIL, this is working for us:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@frimont.com header.s=8d8c36041d0fb93 header.b=TltMzYxf;
       spf=pass (google.com: domain of omar.escalante@frimont.com designates 207.182.134.130 as permitted sender) smtp.mailfrom=omar.escalante@frimont.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=frimont.com
0
Michael Replied
Omar, what version of Smarter Mail did you generate your DKIM keys with?
0
Omar Escalante Replied
build 7696  
0
Douglas Foster Replied
To an earlier question:   It does not seem possible to use an externally-generated key pair.    I have not updated my keypair in a long time, and forgot how it was done.

This is a problem now that I have DMARC p=reject.   As soon as I try to generate a new keypair, SM will stop signing messages until the new public key if visible in DNS.

Reply to Thread