postfix
Kirill Shumilov, 2016-12-22 17:17:55

Gmail: DKIM FAILS. How to fight?

Server with Ubuntu 16.04, sending mail using postfix+dovecot. I sign using opendkim. The essence of the problem: the DKIM check fails, and Gmail also reports some "null domain" error. At the same time, SPF and DMARC pass.
If you send a letter to dkimvalidator.com, it says that everything passes and everything is OK.
And I would be sure that this is Gmail being stupid, but letters do not reach Mail.ru at all. So I blame a broken DKIM.
I use Gmail as a web client (I added SMTP and POP3 there).
The NS records also contain PTR, A and AAAA records, TXT records for SPF (IPv4, IPv6), two DKIM records (default._domainkey and _domainkey), and DMARC.
So, here is a snippet of the email header sent to gmail:

Received: from mail.annies.ru (mail.annies.ru. [5.63.157.61])
        by mx.google.com with ESMTPS id 2si17234132ljn.13.2016.12.22.05.59.07
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 22 Dec 2016 05:59:07 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 5.63.157.61 as permitted sender) client-ip=5.63.157.61;
Authentication-Results: mx.google.com;
       dkim=fail [email protected];
       spf=pass (google.com: domain of [email protected] designates 5.63.157.61 as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=annies.ru
Received: from mail-qk0-f172.google.com (mail-qk0-f172.google.com [209.85.220.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: [email protected]) by mail.annies.ru (Postfix) with ESMTPSA id 717D2FEE08F8 for <[email protected]>; Thu, 22 Dec 2016 16:59:06 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.annies.ru 717D2FEE08F8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=annies.ru; s=default; t=1482415146; bh=BMn2WwTb3H92qFmK0SjdNmpQwvWSeo0igDACqBfWuDo=; h=From:Date:Subject:To:From; b=izBbX12GPGgo16CbZZnEnkQNdSgM8Mxbdsp+4r+Lve86KyTx07lmAniuaMyN2QGTQ
   MtGR7ABjB9NGTWLtsUzVhv/YnORpgTK9AklNy4xB58oMiOLJ5wF04S1GmholCw/mXf
   2FzXD5ccs9AkiS4eC+teoFSBNSuhgSRfgk2i1PNU=

And here is almost the same piece of the header sent to dkimvalidator:
Received: from mail.annies.ru (mail.annies.ru [5.63.157.61])
  by relay-6.us-west-2.relay-prod (Postfix) with ESMTPS id 7713E4603D2
  for <[email protected]>; Thu, 22 Dec 2016 14:03:26 +0000 (UTC)
Received: from mail-qt0-f169.google.com (mail-qt0-f169.google.com [209.85.216.169])
  (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
  (No client certificate requested)
  (Authenticated sender: [email protected])
  by mail.annies.ru (Postfix) with ESMTPSA id 8FD10FEE08F8
  for <[email protected]>; Thu, 22 Dec 2016 17:03:24 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.annies.ru 8FD10FEE08F8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=annies.ru;
  s=default; t=1482415404;
  bh=8hh3bXzrPQ5/hTE68jhnxtoWU0+ebnPeWuTZrjnKkqs=;
  h=From:Date:Subject:To:From;
  b=tkkofCQnA+zniM1YDS+A1gyfSqlncIu1Fcsb0OmyrCi6S5c8WR3JMgyCG/PKTe4k6
   ZvwI9PT3tZ//qMec7XXbAqup5CFUXUwB0kNtUcZTQHPv4PZYxC/qyltIiAglDhCFRN
   fcHM150XdOyCgf5DXW3k6yXqWjyc2gj4Ggdl26lk=
Received: by mail-qt0-f169.google.com with SMTP id c47so235294754qtc.2
        for <[email protected]>; Thu, 22 Dec 2016 06:03:24 -0800 (PST)

And the validator's detailed answer about DKIM:
DKIM Information:

DKIM Signature


Message contains this DKIM Signature:
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.annies.ru 8FD10FEE08F8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=annies.ru;
  s=default; t=1482415404;
  bh=8hh3bXzrPQ5/hTE68jhnxtoWU0+ebnPeWuTZrjnKkqs=;
  h=From:Date:Subject:To:From;
  b=tkkofCQnA+zniM1YDS+A1gyfSqlncIu1Fcsb0OmyrCi6S5c8WR3JMgyCG/PKTe4k6
   ZvwI9PT3tZ//qMec7XXbAqup5CFUXUwB0kNtUcZTQHPv4PZYxC/qyltIiAglDhCFRN
   fcHM150XdOyCgf5DXW3k6yXqWjyc2gj4Ggdl26lk=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          annies.ru
s= Selector:        default
q= Protocol:        
bh=                 8hh3bXzrPQ5/hTE68jhnxtoWU0+ebnPeWuTZrjnKkqs=
h= Signed Headers:  From:Date:Subject:To:From
b= Data:            tkkofCQnA+zniM1YDS+A1gyfSqlncIu1Fcsb0OmyrCi6S5c8WR3JMgyCG/PKTe4k6
   ZvwI9PT3tZ//qMec7XXbAqup5CFUXUwB0kNtUcZTQHPv4PZYxC/qyltIiAglDhCFRN
   fcHM150XdOyCgf5DXW3k6yXqWjyc2gj4Ggdl26lk=
Public Key DNS Lookup


Building DNS Query for default._domainkey.annies.ru
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPCn+vi1/ZOH9QXuFNltOd/jBD0V8iQPijQMC7N1TDp0tAKRi6zcyKGbCV+9dn3MjzSShRaGwjab2Pb3wXZsVwynZgMkycDR43qzVS5TvdppJKotuCRIUlGss4MK6/qhTT/J6YuRFZSO6SEG9TyCTJJ94PYGjKdovU4Iu6vx9rkwIDAQAB
Validating Signature


result = pass
Details:

Just in case, I'll clarify that the keys were generated using opendkim-genkey, with annies.ru given as the domain and default as the selector.
I am ready to provide any additional information, send a letter wherever you say, etc. :) I will be glad of any help.
Thank you!


3 answer(s)
Vladimir Dubrovin, 2016-12-22
@z3apa3a

h=From:Date:Subject:To:From
Unless you added From to OversignHeaders in opendkim.conf, this means your email had two From: fields, which is not RFC2822/RFC5322 compliant. Most likely, on Gmail, the second header was removed during normalization of the message, which broke the DKIM signature.
If you did add From to OversignHeaders, then post the full message that arrived at Gmail.
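
An added example, not part of the original answer or of OpenDKIM: a sketch that tells the two cases described above apart by comparing the h= tag with the headers actually present in the message. The sample message, its addresses and the b=/bh= placeholders are constructed, and the function names are hypothetical.

```python
import email
from collections import Counter

# Header fields RFC 5322 allows at most once per message (subset).
SINGLETON = {"from", "sender", "reply-to", "to", "cc", "subject", "date", "message-id"}

def signed_header_names(dkim_value):
    """Names listed in the h= tag of one DKIM-Signature value, lower-cased, in order."""
    compact = "".join(dkim_value.split())            # drop folding whitespace
    tags = dict(t.split("=", 1) for t in compact.split(";") if "=" in t)
    return [name.lower() for name in tags.get("h", "").split(":") if name]

def classify_signed_headers(raw_message):
    """Map each header named in h= to 'signed', 'oversigned' or 'duplicate-header'."""
    msg = email.message_from_string(raw_message)
    present = Counter(name.lower() for name in msg.keys())
    report = {}
    for sig in msg.get_all("DKIM-Signature", []):
        for name, listed in Counter(signed_header_names(sig)).items():
            if name in SINGLETON and present[name] > 1:
                report[name] = "duplicate-header"    # the message itself violates RFC 5322
            elif listed > present[name]:
                report[name] = "oversigned"          # extra h= entry signs "no such header"
            else:
                report[name] = "signed"
    return report

def sample(from_lines):
    """Constructed test message; addresses and b=/bh= values are placeholders."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=annies.ru;\n"
        "  s=default; h=From:Date:Subject:To:From;\n"
        "  bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
        + "From: sender@example.org\n" * from_lines
        + "Date: Thu, 22 Dec 2016 17:03:24 +0300\n"
        "Subject: test\n"
        "To: rcpt@example.net\n"
        "\n"
        "body\n"
    )

if __name__ == "__main__":
    print(classify_signed_headers(sample(1)))   # one From header, listed twice in h=
    print(classify_signed_headers(sample(2)))   # two From headers in the message
```

Run against the raw source of a delivered message, an "oversigned" From is the expected result of OversignHeaders, while "duplicate-header" points at the message itself.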

Kirill Shumilov, 2016-12-22
@brusher

Vladimir Dubrovin, indeed, OversignHeaders From was set in opendkim.conf (and by default).
I removed it; h=From:Date:Subject:To:From changed to h=From:Date:Subject:To
But now the validity check doesn't pass, it seems, for another reason I don't understand:
Well, at the same time, DMARC is now failing.
Moreover, the PTR is registered, there is an AAAA record, and both IPs are listed in the SPF:
(dkimvalidator is still happy with everything)

VA_ic2b, 2018-11-23
@VA_ic2b

Look at the DKIM key length. Gmail accepts 1024.
