Possible DKIM issue since build 7719

Problem reported by Sébastien Riccio - 5/5/2021 at 4:01 AM

Resolved

Hello,

We have DKIM signatures enabled for a lot of domains. Most of them works correctly and can be validated without issue.

For example sending a mail to check-auth@verifier.port25.com validates the DKIM signing successfully.

However some customers recently reported that their DKIM signing is failing.

After some investigation I've noticed that old untouched signatures are working correctly. But for the recently enabled DKIM signing, the test fails.

To confirm this I've checked with my test domain this morning that DKIM was correctly working and it was.

Then disabled DKIM and re-enabled it (so it regenerated the keys).

Now the tests are failing for this domain and I'm not able to get it back to a working state.

Parsing the changelogs backwards I can find this in build 7719:

Changed: Generate/validate DKIM signatures now using message bytes rather than text. (Fixes potential encoding issues).

I wonder if that's the cause and would explain why previously created DKIM signatures are working and any new are failing.

Anyone else noticed an issue with (newly created) DKIM signatures post 7719 update ?

Kind regards.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

34 Replies

Reply to Thread

Sébastien Riccio Replied

5/5/2021 at 11:42 AM

Update:

It doesn't seems to be related to a particular version.

With deeper troubleshooting I noticed that restarting SmarterMail make it signs with the correct DKIM key.

Then if I change the key for a domain again, it will fail signing until I reload the domain.

For me it looks like when you change the DKIM key for a domain that already uses DKIM it keeps somewhere in cache the old key and continue signing with it untill SM is reloaded or at least the domain...

Can maybe someone at ST confirm that it could be the issue ?

Kind regards.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Kyle Kerst Replied

5/5/2021 at 2:18 PM

Employee Post

Thanks for your follow-up on this Sébastien, I am working on getting a test set up on this now and will update you here and on your support ticket when complete.

Kyle Kerst

Technical Support Specialist

SmarterTools Inc.

(877) 357-6278

www.smartertools.com

Michael Replied

5/22/2021 at 10:08 AM

After updating to Build 7810 (May 20, 2021), the sever has stopped DKIM singing on all domains that had it on. Setting appears on. Simply the server is not signing on outbound.

Others seeing this?

Sébastien Riccio Replied

5/22/2021 at 12:51 PM

Hello Michael,

We're running build 7810 and had no report (yet) of DKIM issues. I've checked if it was still working for 3 different domains by sending a mail to check-auth@verifier.port25.com and they all returned "pass" for DKIM.

What results do you get if you try this from one of your domains ?

Kind regards

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Michael Replied

5/22/2021 at 8:18 PM

It just doesn't sign DKIM. As if it is not enabled. I deleted and re-added for one domain (updating the DNS as well) and that domain is now signing. So it seems we'll need to delete/re-add for all? These domains haven't had their DKIM keys edited in quite some time. So maybe something added in newer versions need to delete and re-add (and now it's being enforced in 7810??)

Sébastien Riccio Replied

5/22/2021 at 8:57 PM

That is strange.

The tests I did was on domains with existing keys and I didn't have to re-add them. I did not test all domains we host but only on 3 random domains and it seemd ok.

In all cases this shouldn't happen. The need to disable/readd keys would be a catastrophic issue with multiple thousands of domains.

Maybe you should keep a bogus domain and open a ticket so they can review why this is happening.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

echoDreamz Replied

5/22/2021 at 10:27 PM

Same here, we have quite a few users reporting DKIM problems. No changes have been made to any of these domains DNS and have worked in the past. This is a new issue.

All will the same result -

DKIM-Result: fail (bad signature)

Sébastien Riccio Replied

5/22/2021 at 10:37 PM

Great... So there was a DKIM issue fixed in latest build but it created a new one :(

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Chris Replied

5/22/2021 at 11:56 PM

Hello,

I updated today to 7810 and i also have the issue that DKIM is no more valid :(

Regards.

Sébastien Riccio Replied

5/23/2021 at 5:34 AM

I was able to have it also fail. The initial tests I did were from the webmail, and it passes.

But sending from the same account with a mail client + SMTP it fails ... :(

Can anyone confirm it also pass when using the webmail but fails through SMTP ?

EDIT: Also fails when using EWS from emClient At this point I would say it only works from Webmail.

EDIT2: Also works from MAPI.

To summarize DKIM signing in 7810

From webmail: Pass

From MAPI: Pass

From SMTP: Fail

From EWS: Fail

From EAS: TBD

Sébastien Riccio

System & Network Admin

https://swisscenter.com

echoDreamz Replied

5/23/2021 at 6:37 AM

Ours fails across all protocols for the domains I tested. Opened a ticket for this.

Sébastien Riccio Replied

5/23/2021 at 7:48 AM

I did a few more tests removing the keys and creating new ones for a domain.

The result is the same with the new key (before and after a domain reload, same resuls):

Sent via:

Webmail: pass

MAPI: pass (Outlook 2019)

SMTP: fail (thunderbird)

EWS: fail (emClien)

EAS: fail (Android native app)

What a mess. I've updated our existing ticket about DKIM issues with the results.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Michael Replied

5/23/2021 at 10:12 AM

For us- When MAPI wasn't signing webmail also wasn't signing.

To urgently fix we deleted and re-added keys.

Deleted the DKIM keys by changing a setting, then changing back. Re-enabled.

SM generated a new keypair. Added the public key to DNS. Enabled DKIM (it verified the public key was published).

Now domains are resigning again.

We did this on 5 domains.

I imagine a hotfix is needed. If someone is hosing hundreds or thousands of domains this would be a big point of pain.

Sébastien Riccio Replied

5/23/2021 at 12:46 PM

Michael,

Is one of these domains you've regenerated DKIM keys for signing correctly when sending mail from SMTP ?

I tried on two different domains. They sign correctly from webmail but not when using SMTP from a mail client.

Kind regards.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Michael Replied

5/23/2021 at 1:22 PM

Sébastien,

I've done some more testing...

Webmail = success

MAPI = success

But... you're right! I just tested an IMAP account sending outbound over SMTP. That account SMTP out *DOES NOT* sign properly. Gmail reports the DKIM has FAILED. Gamil says " dkim=fail"

and... EAS is also failing.

Regenerating the keys allows signing to happen again, but it is not signing properly over SMTP or EAS.

SMTP = fail

EAS = fail

I believe that this matches your experience as well.

Seems like we have a problem. I've pinged back on a DKIM ticket I have open.

sad face.

Zach Sylvester Replied

5/24/2021 at 10:25 AM

Employee Post

Hello,

We have escalated this issue and our developers are working hard to get this solved. I will update this thread once it is fixed.

Regards,

Zach Sylvester

Technical Support Specialist

SmarterTools Inc.

(877) 357-6278

www.smartertools.com

Michael Replied

5/24/2021 at 2:37 PM

Zach, will we see a hotfix/custom build on this today?

Sébastien Riccio Replied

5/24/2021 at 9:41 PM

I guess this means "no" :/

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Kyle Kerst Replied

5/25/2021 at 10:00 AM

Employee Post

Development was able to identify an issue in DKIM signing early this morning, and we're working on testing further at this time. If you are experiencing these issues and do not yet have a ticket submitted please do so as we may want to reach out to test further with you.

Kyle Kerst

Technical Support Specialist

SmarterTools Inc.

(877) 357-6278

www.smartertools.com

echoDreamz Replied

5/25/2021 at 2:33 PM

SmarterMail has constantly had issues with DKIM over the years... hopefully we can get it fixed up for good.

Kyle Kerst Replied

5/25/2021 at 3:08 PM

Employee Post

We have had a couple of rough patches, but, we were just discussing (in support) how bulletproof DKIM has been aside from these issues and our previous iteration of DKIM issues. After the testing we completed on this today though I think we now have it back in that bulletproof state. Obviously though we'll need you to test it to be safe, but I think we're headed in the right direction.

Kyle Kerst

Technical Support Specialist

SmarterTools Inc.

(877) 357-6278

www.smartertools.com

Sébastien Riccio Replied

5/26/2021 at 9:21 AM

Any news on this one ? Our customers might have their mail rejected due to the signing problem :/

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Michael Replied

5/27/2021 at 7:48 AM

I haven't heard anything back re- custom builds. Maybe this will be in today's production release? Will there be one? Not sure. We haven't heard, but it seems the issue is being worked on.

Andrea Free Replied

5/27/2021 at 8:52 AM

Employee Post

Hi all,

We certainly understand the importance of resolving this issue and are actively working on providing a fix as soon as possible. When it has been resolved and has been thoroughly tested, we'll be sending out a release. We'll keep you posted here and in any related tickets as this progresses.

Kind regards,

Andrea Free
SmarterTools Inc.
877-357-6278
www.smartertools.com

Sébastien Riccio Replied

5/27/2021 at 12:19 PM

Hello Andrea,

Don't hesitate to ping me if you have a custom build for testing the DKIM issue fix.
We really hope a hotfix for this can be installed before the weekend. It is a major issue as DKIM is enabled for all our customers domains.

Kind regards.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Andrea Free Replied

5/27/2021 at 6:11 PM

Employee Post

Hi everyone,

SmarterMail Build 7817 has been released and resolves the outgoing DKIM failures. Please upgrade your servers to resolve this issue.

https://www.smartertools.com/smartermail/downloads

Kind regards,

Andrea Free
SmarterTools Inc.
877-357-6278
www.smartertools.com

Michael Replied

5/27/2021 at 6:15 PM

WOW! Awesome. Many thanks. Ok we'll give it a shot tonight.

Michael Replied

5/27/2021 at 7:15 PM

Trying to download. Link takes me to https://downloads.smartertools.com/smartermail/100.0.07817/SmarterMail_7817.exe

That page shows a 404 error.

echoDreamz Replied

5/27/2021 at 7:42 PM

Same... maybe it was pulled or just wrong link?

Sébastien Riccio Replied

5/27/2021 at 9:20 PM

Received an update to our corresponding ticket and also goes 404 huh

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Sébastien Riccio Replied

5/27/2021 at 9:26 PM

Hey,

I've checked previous download links pattern and it seems there is a bogus extra 0 in the latest download link.

Removing it allowed me to download

https://downloads.smartertools.com/smartermail/100.0.7817/SmarterMail_7817.exe

This corrected download is postcardware. If you feel it, you can send me a postcard from your country :)

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Sébastien Riccio Replied

5/27/2021 at 10:08 PM

A little update.

After playing hide and seek with the download link, I've installed the update and did some tests.

The signing is now working (at least for my test domain) from Webmail, EWS, MAPI, IMAP, EAS.

I tried this with an existing key and then also with new generated keys on the same domain.

It seems we're back on tracks with DKIM and thanks a lot for it.

Kind regards.

Sébastien Riccio

System & Network Admin

https://swisscenter.com

Thomas Lange Replied

5/27/2021 at 10:16 PM

Sébastian: yeah - the one zero must be removed :-) I just read and commented at another post with the solution - and just noticed your comments here as similar issue with download and same solution as I figured out.

Hopefully ST will correct the link - but Friday´s is there official "no-business-hours/extra free day"

Ed Welch Replied

5/28/2021 at 7:57 AM

DKIM definitely is working again on 7817.

There are various DKIM test sites that basically only check DNS configuration - this one verifies a test email sent to them:

https://www.appmaildev.com/

Back to Community Threads

Please leave this box unchecked