8
Possible DKIM issue since build 7719
Problem reported by Sébastien Riccio - 5/5/2021 at 4:01 AM
Resolved
Hello,

We have DKIM signatures enabled for a lot of domains. Most of them work correctly and can be validated without issue.

For example sending a mail to check-auth@verifier.port25.com validates the DKIM signing successfully.

However some customers recently reported that their DKIM signing is failing.
After some investigation I've noticed that old untouched signatures are working correctly. But for the recently enabled DKIM signing, the test fails.

To confirm this I've checked with my test domain this morning that DKIM was correctly working and it was.
Then disabled DKIM and re-enabled it (so it regenerated the keys).

Now the tests are failing for this domain and I'm not able to get it back to a working state.

Parsing the changelogs backwards I can find this in build 7719:

Changed: Generate/validate DKIM signatures now using message bytes rather than text. (Fixes potential encoding issues).

I wonder if that's the cause and would explain why previously created DKIM signatures are working and any new are failing.

Anyone else noticed an issue with (newly created) DKIM signatures post 7719 update ?

Kind regards.
Sébastien Riccio
System & Network Admin
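
The changelog entry quoted in the post above is about hashing message bytes rather than decoded text. As an added illustration (not part of the thread and not SmarterMail code), this sketch computes the RFC 6376 body hash and runs the verifier's `bh=` comparison, showing that a body re-encoded after signing no longer matches while relaxed canonicalization tolerates trailing whitespace changes. The message, domain, selector and `b=` value are constructed placeholders.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed).
    Assumes the body already uses CRLF line endings."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one SP, then drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer puts in bh= (SHA-256, base64) for the given body bytes."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def bh_tag(dkim_signature: str) -> str:
    """Extract bh= from a DKIM-Signature value, removing folding whitespace."""
    for tag in dkim_signature.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)
    raise ValueError("DKIM-Signature has no bh= tag")


def body_matches(dkim_signature: str, body: bytes, mode: str = "relaxed") -> bool:
    """First check a verifier makes: does the received body hash to bh=?"""
    return bh_tag(dkim_signature) == body_hash(body, mode)


# Constructed sample: example.org, selector s1 and the b= value are placeholders.
TEXT = "Bonjour Sébastien,\r\nTest DKIM  \r\n\r\n"
SIGNED = TEXT.encode("utf-8")            # bytes the signer hashed
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=s1;\r\n"
       f"\th=from:to:subject; bh={body_hash(SIGNED)};\r\n\tb=PLACEHOLDER")

if __name__ == "__main__":
    print("same bytes        :", body_matches(SIG, SIGNED))
    print("re-encoded latin-1:", body_matches(SIG, TEXT.encode("latin-1")))
    print("trailing WSP lost :", body_matches(SIG, SIGNED.replace(b"  \r\n", b"\r\n")))
```

A body-hash match is only the first half of verification; the `b=` signature over the headers must also validate against the public key published in DNS, which is where a stale cached signing key would show up.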

34 Replies

0
Sébastien Riccio Replied
Update:

It doesn't seem to be related to a particular version.

With deeper troubleshooting I noticed that restarting SmarterMail makes it sign with the correct DKIM key.
Then if I change the key for a domain again, it will fail signing until I reload the domain.

For me it looks like when you change the DKIM key for a domain that already uses DKIM it keeps the old key somewhere in cache and continues signing with it until SM is reloaded or at least the domain...

Can maybe someone at ST confirm that it could be the issue ?

Kind regards.
Sébastien Riccio
System & Network Admin

0
Kyle Kerst Replied
Employee Post
Thanks for your follow-up on this Sébastien, I am working on getting a test set up on this now and will update you here and on your support ticket when complete. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Replied
After updating to Build 7810 (May 20, 2021), the server has stopped DKIM signing on all domains that had it on. Setting appears on. Simply the server is not signing on outbound.

Others seeing this?
0
Sébastien Riccio Replied
Hello Michael,

We're running build 7810 and had no report (yet) of DKIM issues. I've checked if it was still working for 3 different domains by sending a mail to check-auth@verifier.port25.com and they all returned "pass" for DKIM.

What results do you get if you try this from one of your domains ?

Kind regards
Sébastien Riccio
System & Network Admin

0
Michael Replied
It just doesn't sign DKIM. As if it is not enabled. I deleted and re-added for one domain (updating the DNS as well) and that domain is now signing. So it seems we'll need to delete/re-add for all? These domains haven't had their DKIM keys edited in quite some time. So maybe something added in newer versions need to delete and re-add (and now it's being enforced in 7810??)
0
Sébastien Riccio Replied
That is strange.
The tests I did were on domains with existing keys and I didn't have to re-add them. I did not test all domains we host but only 3 random domains and it seemed ok.

In all cases this shouldn't happen. The need to disable/readd keys would be a catastrophic issue with multiple thousands of domains.

Maybe you should keep a bogus domain and open a ticket so they can review why this is happening.

Sébastien Riccio
System & Network Admin

0
echoDreamz Replied
Same here, we have quite a few users reporting DKIM problems. No changes have been made to any of these domains' DNS and they have worked in the past. This is a new issue.

All with the same result - 
DKIM-Result: fail (bad signature)
0
Sébastien Riccio Replied
Great... So there was a DKIM issue fixed in latest build but it created a new one :(
Sébastien Riccio
System & Network Admin

0
Chris Replied
Hello,

I updated today to 7810 and I also have the issue that DKIM is no more valid :(

Regards.
0
Sébastien Riccio Replied
I was able to have it also fail. The initial tests I did were from the webmail, and it passes.
But sending from the same account with a mail client + SMTP it fails ... :(

Can anyone confirm it also passes when using the webmail but fails through SMTP ?

EDIT: Also fails when using EWS from emClient. At this point I would say it only works from Webmail.

EDIT2: Also works from MAPI.

To summarize DKIM signing in 7810

From webmail: Pass
From MAPI: Pass
From SMTP: Fail
From EWS: Fail
From EAS: TBD
Sébastien Riccio
System & Network Admin

0
echoDreamz Replied
Ours fails across all protocols for the domains I tested. Opened a ticket for this. 
0
Sébastien Riccio Replied
I did a few more tests removing the keys and creating new ones for a domain.

The result is the same with the new key (before and after a domain reload, same results):

Sent via:
  Webmail: pass 
  MAPI: pass (Outlook 2019)
  SMTP: fail (thunderbird)
  EWS: fail (emClient)
  EAS: fail (Android native app)

What a mess. I've updated our existing ticket about DKIM issues with the results.
Sébastien Riccio
System & Network Admin

0
Michael Replied
For us- When MAPI wasn't signing webmail also wasn't signing.

To urgently fix we deleted and re-added keys.

Deleted the DKIM keys by changing a setting, then changing back. Re-enabled. 
SM generated a new keypair. Added the public key to DNS. Enabled DKIM (it verified the public key was published).
Now domains are resigning again.
We did this on 5 domains.

I imagine a hotfix is needed. If someone is hosting hundreds or thousands of domains this would be a big point of pain.
0
Sébastien Riccio Replied
Michael,

Is one of these domains you've regenerated DKIM keys for signing correctly when sending mail from SMTP ?

I tried on two different domains. They sign correctly from webmail but not when using SMTP from a mail client.

Kind regards.
Sébastien Riccio
System & Network Admin

0
Michael Replied
Sébastien,

I've done some more testing...
Webmail = success
MAPI = success

But... you're right! I just tested an IMAP account sending outbound over SMTP. That account SMTP out *DOES NOT* sign properly. Gmail reports the DKIM has FAILED. Gmail says "dkim=fail"

and... EAS is also failing.
Regenerating the keys allows signing to happen again, but it is not signing properly over SMTP or EAS.

SMTP = fail
EAS = fail

I believe that this matches your experience as well.

Seems like we have a problem. I've pinged back on a DKIM ticket I have open.

sad face.
2
Zach Sylvester Replied
Employee Post
Hello,

We have escalated this issue and our developers are working hard to get this solved. I will update this thread once it is fixed. 

Regards, 
Zach Sylvester
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Replied
Zach, will we see a hotfix/custom build on this today?
0
Sébastien Riccio Replied
I guess this means "no" :/
Sébastien Riccio
System & Network Admin

2
Kyle Kerst Replied
Employee Post
Development was able to identify an issue in DKIM signing early this morning, and we're working on testing further at this time. If you are experiencing these issues and do not yet have a ticket submitted please do so as we may want to reach out to test further with you. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
echoDreamz Replied
SmarterMail has constantly had issues with DKIM over the years... hopefully we can get it fixed up for good.
2
Kyle Kerst Replied
Employee Post
We have had a couple of rough patches, but, we were just discussing (in support) how bulletproof DKIM has been aside from these issues and our previous iteration of DKIM issues. After the testing we completed on this today though I think we now have it back in that bulletproof state. Obviously though we'll need you to test it to be safe, but I think we're headed in the right direction. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Sébastien Riccio Replied
Any news on this one ? Our customers might have their mail rejected due to the signing problem :/
Sébastien Riccio
System & Network Admin

0
Michael Replied
I haven't heard anything back re- custom builds. Maybe this will be in today's production release? Will there be one? Not sure. We haven't heard, but it seems the issue is being worked on.
0
Andrea Rogers Replied
Employee Post
Hi all, 

We certainly understand the importance of resolving this issue and are actively working on providing a fix as soon as possible. When it has been resolved and has been thoroughly tested, we'll be sending out a release. We'll keep you posted here and in any related tickets as this progresses. 

Kind regards,

Andrea Rogers
SmarterTools Inc.
877-357-6278

www.smartertools.com

1
Sébastien Riccio Replied
Hello Andrea,

Don't hesitate to ping me if you have a custom build for testing the DKIM issue fix.
We really hope a hotfix for this can be installed before the weekend. It is a major issue as DKIM is enabled for all our customers' domains.

Kind regards.
Sébastien Riccio
System & Network Admin

1
Andrea Rogers Replied
Employee Post
Hi everyone, 

SmarterMail Build 7817 has been released and resolves the outgoing DKIM failures. Please upgrade your servers to resolve this issue.

Andrea Rogers
SmarterTools Inc.
877-357-6278

www.smartertools.com

0
Michael Replied
WOW! Awesome. Many thanks. Ok we'll give it a shot tonight.
0
Michael Replied
That page shows a 404 error.
0
echoDreamz Replied
Same... maybe it was pulled or just wrong link?
0
Sébastien Riccio Replied
Received an update to our corresponding ticket and also goes 404 huh
Sébastien Riccio
System & Network Admin

1
Sébastien Riccio Replied
Hey,

I've checked previous download links pattern and it seems there is a bogus extra 0 in the latest download link.

Removing it allowed me to download

https://downloads.smartertools.com/smartermail/100.0.7817/SmarterMail_7817.exe
This corrected download is postcardware. If you feel it, you can send me a postcard from your country :)
Sébastien Riccio
System & Network Admin

2
Sébastien Riccio Replied
A little update.

After playing hide and seek with the download link, I've installed the update and did some tests.

The signing is now working (at least for my test domain) from Webmail, EWS, MAPI, IMAP, EAS.
I tried this with an existing key and then also with new generated keys on the same domain.

It seems we're back on track with DKIM and thanks a lot for it.

Kind regards.
Sébastien Riccio
System & Network Admin

0
Thomas Lange Replied
Sébastien: yeah - the one zero must be removed :-) I just read and commented on another post with the solution - and just noticed your comments here about a similar issue with the download and the same solution I figured out.

Hopefully ST will correct the link - but Fridays are their official "no-business-hours/extra free day"
1
Ed Welch Replied
DKIM definitely is working again on 7817.  

There are various DKIM test sites that basically only check DNS configuration - this one verifies a test email sent to them:


