On 9/17/19 7:33 AM, Mikolaj Kucharski wrote:
> On Tue, Sep 17, 2019 at 12:03:34AM +0100, Stuart Henderson wrote:
>>> I used this port and it worked for me. Initially I could not get
>>> DKIM pass with GMail, but with -c relaxed/relaxed Google is now
>>> happy.
>>
>> it's probably worth figuring out what's going on without that setting, but
>> generally relaxed/relaxed is recommended anyway
>>
>> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
>> https://wordtothewise.com/2018/07/minimal-dmarc/
>
> I'm not sure what the problem was, as when I took the same emails as a raw
> mbox file and tested it with:
>
> - https://www.appmaildev.com/en/dkim
> - dkimverify.pl from p5-Mail-DKIM-0.54
> - dkimverify from dkimpy 0.9.3
>
> they all reported as DKIM pass. My emails were plain text, sent via Mutt
> with only a few random characters in the email body.
>
tl;dr: Can you give this one a try?

So this took me way longer than I'd like considering the reason.
First off, I tested the following platforms without issues:
- office365
- yahoo
- yandex
- p5-DKIM
- manual (yes, you can do it manually with openssl(1)).

The reason google failed is because my header was named DKIM-signature
instead of DKIM-Signature (note the capital S). Headers are case
insensitive and this is also the case with google, since it does
recognize the header (else we wouldn't have the fail-line).
The problem is that google changes the header-name back to
DKIM-Signature before validating, which is in violation of RFC6376
section 3.4.1:

    Header fields MUST be presented to the signing or verification algorithm
    exactly as they are in the message being signed or verified.

If anyone has a line to the google devs, please let them know.

martijn@
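
The following is an added example, not part of the thread and not code from the port under discussion. It implements the "simple" and "relaxed" header canonicalizations of RFC 6376 sections 3.4.1 and 3.4.2 and, taking the verifier behaviour described in the message above as given, shows why a renamed DKIM-signature field changes the hashed bytes under simple but not under relaxed. The header values, the bh placeholder and the function names are constructed for illustration.

```python
import hashlib
import re


def canon_simple(name: str, value: str) -> bytes:
    """RFC 6376 3.4.1: the header field is hashed exactly as it appears."""
    return f"{name}:{value}".encode()


def canon_relaxed(name: str, value: str) -> bytes:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP runs, trim ends
    return f"{name.strip().lower()}:{value}".encode()


def header_hash(signed, sig_name, sig_value, canon) -> str:
    """SHA-256 over the signed headers plus the signature field with empty b=."""
    data = b"".join(canon(n, v) + b"\r\n" for n, v in signed)
    data += canon(sig_name, sig_value)  # signature field: no trailing CRLF
    return hashlib.sha256(data).hexdigest()


# Constructed sample message headers (not taken from the thread).
SIGNED = [("From", " Alice <alice@example.org>"), ("Subject", " test")]
# Constructed signature value; c= is omitted here and bh is a placeholder.
SIG_VALUE = (" v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
             "\th=from:subject; bh=CONSTRUCTED; b=")


def renaming_breaks(canon) -> bool:
    """True if hashing 'DKIM-Signature' differs from hashing 'DKIM-signature'.

    The signer emitted the lowercase-s name; the verifier is assumed to
    rewrite it to the capital-S form before hashing, as the message describes.
    """
    signer = header_hash(SIGNED, "DKIM-signature", SIG_VALUE, canon)
    verifier = header_hash(SIGNED, "DKIM-Signature", SIG_VALUE, canon)
    return signer != verifier


if __name__ == "__main__":
    print("simple  header canonicalization, mismatch:", renaming_breaks(canon_simple))
    print("relaxed header canonicalization, mismatch:", renaming_breaks(canon_relaxed))
```

With relaxed canonicalization both spellings reduce to dkim-signature before hashing, which matches the observation that -c relaxed/relaxed made the signature verify.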