Reputation: 2244
I'm trying to apply DKIM signatures to newsletters (mailing lists) sent out of our domain. Unfortunately I cannot reveal the name of the domain here, so I will refer to it as {mydomain}.co.il. My selector is "mta1".
I followed online instructions to a tee, but when testing the results I received errors in every aspect of the signature!
I created the public and private key using http://www.port25.com/support/domainkeysdkim-wizard/. I copied the entire private key into a .pem file, including the lines
-----BEGIN RSA PRIVATE KEY-----
MIICX...{rest of private key goes here}
-----END RSA PRIVATE KEY-----
I set up hMailServer to use DKIM signatures on our domain, pointed it to the private key, and told it to use SHA1 (which I understand is less CPU intensive and more suited to mass mailing lists).
And of course I set up the DNS records like this:
mta1._domainkey.{mydomain}.co.il =
v=DKIM1; k=rsa; h=sha1; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCptw7j4dessLrTmSKC1rg3yyB5
Vql0U+lzVoWXSHKB8f6ly7jgVze4Xp6V9U7OgcT/DRm421pUwcNgjO85yevxvISM
V64wAgfus6sCZI/eL8owRXpclbq89ap59TW75V5I9iDcCqKxpKoqjiuDP2pQwUbB
KphAb+vd8asNX8GRCQIDAQAB
_domainkey.{mydomain}.co.il =
t=y;o=~;
First, I checked the DNS record with http://dkimcore.org/tools/dkimrecordcheck.html, and got the following silliness:
p= MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtjJF/34Z3g5bk/qP7cf0UxSNj 5nAodXgCQ7c0CJq1fIyY3QWl4l4LnYNJ11yIsCB13eQbAzx6gQOiLg0getR17D5i GMmK5EIp5kGn6PC3afjiaXlwS6geM59BINxXAwn6/GTwhdS0i0lnJ7bJePbrC7+E Xn9pxfXr1q79n3RCuwIDAQAB
The p= field must be base64 encoded
...but this is an EXACT copy of the public key generated by port25.com!
Next, I tested my actual DKIM signature, which looks like this:
dkim-signature: v=1; a=rsa-sha1; d={mydomain}.co.il; s=mta1;
c=relaxed/relaxed; q=dns/txt; h=From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type:List-Help:List-Unsubscribe:List-Post:List-Owner:List-Archive;
bh=MrAZfkhgb6I02eyuqIKMb+Zg1L0=;
b=GmncisEWZjOhQfnnEzZNTAbOvqo+7JJSU52tbpA103Alw5jTIy3UF4L6xWpajQjP4P76UyByOcS8cAr9i8VIBxr/qrArqwYpOfd9teQ0Adx58Ywn03dsNWDs+succQSZ3EkrQJFf7cQFdbakEHzrzEAYJYLQaoSx3KbitFf2Kjc=
I tested our DKIM-signed emails with http://www.appmaildev.com/en/dkim/ and got the following errors:
Exception: No records found for given DNS query
...but this is not true!
I also got the following error:
============================================================
DKIM result: fail (wrong body hash: MrAZfkhgb6I02eyuqIKMb+Zg1L0=)
============================================================
Signed by: office@{mydomain}.co.il
Expected Body Hash: hr++FhCjnb1cH9c0FJGJsCnCgNA=
What am I doing wrong? Does anyone know what I can do to fix this?
Upvotes: 2
Views: 6852
Reputation: 46
The first thing I notice is that in your DNS record there seems to be whitespace (a line break or something) inside your p= value. You should concatenate the multiple lines of base64 text together into one long line with no whitespace when constructing your key record.
The s= (service type) and h= (hash algorithm) tags in the key record are not commonly used. If something is rejecting the record, you might want to retest after fixing the p= value by at least temporarily removing those to see if that might be the problem.
You didn't mention what software is generating the signature. The body hash problem could be due to a canonicalization problem (maybe try setting 'strict'), or something mangling the message (signature or legal disclaimer?) after the message is signed. There is also an obscure effect that some mailers will add a > before the word "From" if it appears at the beginning of a line, which will also break the body hash.
Upvotes: 2
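As an added example (written for this page, not code from either poster or from hMailServer), the Python below checks the p= tag of the key record quoted in the question for embedded whitespace, repairs it, and computes the bh= body hash under relaxed canonicalization (RFC 6376 section 3.4.4) to show how a disclaimer appended after signing breaks the hash. The message bodies are constructed samples; the key record is the one published in the question, with its line breaks reproduced.

```python
import base64
import binascii
import hashlib
import re

# Key record as published in the question; the line breaks inside p= are
# exactly the problem the answer points at.
PUBLISHED_RECORD = (
    "v=DKIM1; k=rsa; h=sha1; s=email; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCptw7j4dessLrTmSKC1rg3yyB5\n"
    "Vql0U+lzVoWXSHKB8f6ly7jgVze4Xp6V9U7OgcT/DRm421pUwcNgjO85yevxvISM\n"
    "V64wAgfus6sCZI/eL8owRXpclbq89ap59TW75V5I9iDcCqKxpKoqjiuDP2pQwUbB\n"
    "KphAb+vd8asNX8GRCQIDAQAB"
)

def parse_tags(record):
    """Split a tag=value list (key record or DKIM-Signature) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_p_tag(p_value):
    """(ok, reason): RFC 6376 tolerates folding whitespace in p=, but many
    checkers reject it, so publish one unbroken base64 token."""
    if re.search(r"\s", p_value):
        return False, "whitespace inside p=; join the lines before publishing"
    try:
        base64.b64decode(p_value, validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    return True, "ok"

def fix_p_tag(p_value):
    return re.sub(r"\s+", "", p_value)  # collapse the pasted PEM lines into one token

def relaxed_body(body):
    """RFC 6376 3.4.4: squeeze WSP runs to one SP, strip trailing WSP per line,
    drop trailing empty lines, end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    canon = "\r\n".join(lines).rstrip("\r\n")
    return canon + "\r\n" if canon else ""

def body_hash(body, algo="sha1"):
    """bh= value as the signer computes it (a=rsa-sha1 in the question)."""
    digest = hashlib.new(algo, relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

if __name__ == "__main__":
    p = parse_tags(PUBLISHED_RECORD)["p"]
    print(check_p_tag(p), check_p_tag(fix_p_tag(p)))
    signed = "Dear list,\r\n\r\nThis month's news.\r\n"            # constructed body
    mangled = signed + "\r\n-- \r\nScanned by outbound filter.\r\n"  # appended after signing
    print(body_hash(signed) == body_hash(mangled))  # False: bh= no longer matches
```

Whitespace-only differences (trailing blanks, extra empty lines at the end) survive relaxed canonicalization, but any appended text does not, which is why a post-signing disclaimer produces the "wrong body hash" result seen in the question.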