5
DKIM Keys Corrupted in Build 8125
Problem reported by Scarab - 6/30/2022 at 2:34 PM
Resolved
Just now discovered 48 domains out of 260 that had their DKIM keys corrupted during our April Monthly Maintenance window when we upgraded to Build 8125 (from Build 8097). The keys were truncated after the the mechanisms "v=DKIM1; k=rsa; h=sha256;". It seems to have occurred when the "h=sha256" mechanism was added to the DKIM key in SmarterMail.

After fixing all the affected domains by deleting the DKIM key and having SmarterMail generate a new key to be updated in DNS I discovered the commonality. Those domains affected had their DKIM keys generated in SmarterMail long ago prior to the addition of the "v=DKIM1;" mechanism (they all started with the mechanism "k=rsa;"...would that be the pre-v14 days?). Apparently the upgrade script to insert the new "h=sha256;" mechanism would silently fail on a domain if the string began with anything other than what the upgrade script expected. It seems to have taken the first 15 characters of the string (str.Substring(0,15);), appended a space+h=sha256;+space regardless of what the string actually started with, resulting in the p= string being truncated because there was previously no v=DKIM1; to pad the first 15 characters of the string.

For example, the old key prior to upgrading began as follows:
k=rsa; p=MIIBIjANBgk...

The key would be upgraded to:
v=DKIM1; k=rsa; h=sha256; ANBgk...
(notice the p=MIIBIj is missing)

Upon validation the key would be truncated as follows:
v=DKIM1; k=rsa; h=sha256;

7 Replies

Reply to Thread
0
Zach Sylvester Replied
Employee Post
Hello Scarab, 

Thank you for reaching out to the community. That is actually really interesting. Maybe I can replicate this bug now. 
I will let you know when we get back into the office on Tuesday. 

Kind Regards, 

Zach Sylvester

System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Chris Daley Replied
I doubt the developers would use substring or append on this. As a DKIM record has a clearly defined structure (key-tag) you would just parse this into a class then have a simple ToString() override that outputs in the desired format. This would make altering an individual element far easier.

We are still running 8055 as its more stable for our workload
0
Dave Hunter Replied
We've also noticed this but are on Build 8251. In our case all domains also look like older ones missing the new h=sha256 parameter but all of them had a custom name as well which is what we thought was causing the problem. It's automatically generated now but back then we manually entered our dkim text record name such as "customname._domainKey". Are all of those deleted now?
0
Tim Uzzanti Replied
Employee Post
This is an issue that we have been trying to track down for a little while.  It is VERY random but we believe we have it resolved in the BETA.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Dave Hunter Replied
Happy to provide any extra info if desired! In my situation it seems to be consistently all the domains that had a custom text name instead of an auto generated one so possible it's a bit different than Scarab's unless they also had custom dkim names.
1
Richard Frank Replied
Hello,
Still on latest version of SM .. having domains with DKIM problems.
can't the fix for beta be appied to the current version?
Customers of mine randomly complain their mail isn't delivered.
Seems to me an really important problem.
I have customers going away because of this :-(
1
Richard Frank Replied
v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQOkgDrvk6omjk913ALpXhfqMPKn6wLSybrV9APVlPEZHDEptqz0eC9NL0HrkMu8Zq78wRxuO+k0Fboei7TeUqKUf5+YE08RSFbx8QMb93jNim5ITIBsHRUMHH4a6Wk9rm0bloN8IZiLMK32IBq0ml6LHPQ6VwDeu2GWm2ZQ0m4RgvCKcYoK1dRFF6rYMn1g6LmgDQDRZ/ur8ezN9DchKd1jk6tiJXAulGYhGyi7UvEv8oLU2ducxGDCX3Ro5do3sSWw03nkzJfLFOBNiaUZ4P8Xy4wOTp+dZ4G3gM0s1pR2URJdfpYFq7mEj7RlK36EDYweCUvNtnjLcQtOn2ZOhwIDAQAB

Dkim Signature:
v=1; a=rsa-sha256; d=activecare.nl; s=8DA4FD37C632EB7; c=simple/simple; t=1671201351; h=from:to:date:reply-to:message-id:mime-version; bh=IrUsLsL9/KZR8n+idHJXmvtHedCnYVZi4+S/QHGxnS8=; b=ROQ8wgKn4y0gOh0btob0eevgjCjfE/ZzBAoO8H7l0xwg3DJIRc9lB1rvMEEfLQFhs9FJaYX4PGq eGLSQ4ZDfMb/IZpIQ6EPuq0SR/ug+dW9BAA1dQX53pfSLW+BS5qAUY7Cstccf/v+ocb4SgzcbHORc 2R4YXWufUsMD2eDUOvdfG0tiAsiQBcaYTyl9gRPiKBQXgXyPuoIeF9cFMU8hsmHfA7ZV/3Qr7hNDQ 4DxS4RAXtV+zQ/Z6s1HcpV887QyUrczz7TBtdItLPZSPpBiXF9WNYLWTy/4s1XRAwNtj8PFuYq2Go 0FnRTYTyjsvq2do5rUcDYqG083DehhHbb4IA==
is there something I can change to prevent this?

Reply to Thread