Can you help me understand?
Question asked by Sabatino - 7/2/2024 at 12:53 AM
Answered
I cannot understand.
SPF OK, DKIM OK, but then DMARC (existing) fails.
Reason indicated by DMARC:
reason="signature verification failed" (1024-bit key; unprotected)

But DKIM was OK.

Google also reports something like this.

Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy

1 Reply

Douglas Foster Replied
Marked As Answer
DMARC can fail even with SPF PASS and DKIM PASS if the domains are not aligned with the From address, but I think your problem is something different.

I think it is saying that you used a 1024-bit key, which is considered too weak to be trusted, so you need to re-key using a 2048-bit (or higher) key pair. The signature passes, but some evaluators (apparently Google) say that the signature does not count. I just checked, and RFC 7489 does not specify a required key length, but RFC 8301 says that some evaluators may enforce key length requirements.

In this case, DMARC FAIL should only occur if the SPF PASS is for an unaligned domain and the DKIM PASS is rejected because of the weak key.

1024-bit public keys fit in one DNS segment; more complex keys require multiple DNS segments. If you use Windows DNS Server, there is something odd about how the multiple segments need to be entered. Check the SmarterTools knowledge base, as I think it has been documented there. For most other DNS servers, it is usually straightforward.

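As an added example (not part of the reply above and not SmarterTools code), here is a small Python evaluator that reproduces the reasoning in the answer: a DMARC pass needs at least one authentication result that both passed and is aligned with the From domain, and a receiver that discards DKIM passes on keys below its minimum can turn "SPF pass + DKIM pass" into a DMARC fail when the SPF domain is unaligned. It also shows the TXT-record splitting the last paragraph refers to, since a DNS TXT record is made of strings of at most 255 bytes each and a 2048-bit RSA key is longer than that. Assumptions: the 2048-bit minimum is a hypothetical verifier policy (RFC 8301 itself only requires at least 1024 bits and recommends 2048); the organizational-domain function is a last-two-labels simplification rather than the Public Suffix List lookup a real evaluator uses; all domain names and the key string are constructed placeholders.

```python
# Added example for this thread (not SmarterTools code and not from the reply above):
# a toy DMARC evaluator with identifier alignment and a verifier-side minimum
# DKIM key length, plus a helper that splits a long DKIM TXT record into
# DNS-sized strings. Domain names and key material below are constructed.
import re
from dataclasses import dataclass

# Assumed verifier policy. RFC 8301 only requires >= 1024-bit RSA for a valid
# signature and recommends 2048; some receivers are stricter, as the thread says.
MIN_RSA_BITS = 2048


@dataclass
class SpfResult:
    result: str    # "pass", "fail", "softfail", "none", ...
    domain: str    # MAIL FROM domain that SPF was evaluated against


@dataclass
class DkimResult:
    result: str    # "pass" or "fail" (signature verification itself)
    domain: str    # the signature's d= tag
    key_bits: int  # modulus size of the key fetched from DNS


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real evaluators use the Public Suffix List (e.g. example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match with the RFC5322.From domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, spf, dkims, aspf="r", adkim="r",
                   min_rsa_bits=MIN_RSA_BITS):
    """Return ("pass"|"fail", [reasons]). DMARC passes if at least one
    method both passed and is aligned; a DKIM pass on a key shorter than
    min_rsa_bits is discarded before alignment is even considered."""
    reasons = []
    spf_ok = False
    if spf is not None and spf.result == "pass":
        if aligned(spf.domain, from_domain, aspf):
            spf_ok = True
        else:
            reasons.append(f"spf pass for unaligned domain {spf.domain}")
    dkim_ok = False
    for d in dkims:
        if d.result != "pass":
            continue
        if d.key_bits < min_rsa_bits:
            reasons.append(f"dkim pass for d={d.domain} discarded: "
                           f"{d.key_bits}-bit key below {min_rsa_bits}")
            continue
        if not aligned(d.domain, from_domain, adkim):
            reasons.append(f"dkim pass for unaligned domain {d.domain}")
            continue
        dkim_ok = True
    return ("pass" if (spf_ok or dkim_ok) else "fail", reasons)


def scenario_from_thread(min_rsa_bits=MIN_RSA_BITS):
    """SPF passes for a third-party bounce domain (unaligned); DKIM passes
    for the From domain but with a 1024-bit key. Domains are constructed."""
    spf = SpfResult("pass", "bounce.mailer-example.net")
    dkim = [DkimResult("pass", "example.com", 1024)]
    return evaluate_dmarc("example.com", spf, dkim, min_rsa_bits=min_rsa_bits)


# DNS TXT RDATA is a sequence of <character-string>s of at most 255 bytes each
# (RFC 1035), so a 2048-bit RSA key (about 392 base64 chars) must be split.
def split_txt_record(value: str, max_len: int = 255) -> str:
    parts = [value[i:i + max_len] for i in range(0, len(value), max_len)]
    return " ".join(f'"{p}"' for p in parts)


def join_txt_strings(record: str) -> str:
    """What a DKIM verifier does on the way back: concatenate the strings."""
    return "".join(re.findall(r'"([^"]*)"', record))


# Constructed placeholder with the length of a 2048-bit key; not a real key.
EXAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392


if __name__ == "__main__":
    print("strict receiver :", scenario_from_thread())
    print("1024-bit allowed:", scenario_from_thread(min_rsa_bits=1024))
    print(split_txt_record(EXAMPLE_RECORD))
```

Run stand-alone, the first line shows the thread's situation as a DMARC fail with two reasons (unaligned SPF domain, discarded 1024-bit DKIM key), the second shows the same message passing at a receiver that still accepts 1024-bit keys, and the third prints the two quoted strings that a 2048-bit key record needs in DNS. Before publishing a split record, resolve it and confirm that the concatenated strings reproduce the original `p=` value exactly, since a stray space or quote at the boundary breaks verification.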