How-to configure DKIM properly ?

Unanswered Question
Feb 12th, 2008

Hi there all,

I was wondering if anyone has got DKIM implemented and working ?
So far, all my tests to DKIM verification services fail miserably with an error regarding the headers.

What's the proper way to configure DKIM signing, based on the RFC ?
I was also wondering about the key size... maybe that's my problem (I'm testing with a key-size of 1536...). What are you using out there ?

As for my parameters, they are as follows :
- Canonicalization : relaxed/relaxed
- Headers to sign : all
- Body length : do not use

Important note (maybe :) ) : my Ironports are behind load balancers which modify their IPs... maybe this has an impact ?

Last thing, I've just tried using a Plain Text message, and full body length scanning and it worked (DKIM result : passed). Yet, with the same setting, when I send a test message in HTML, it fails... ? I'm confused now :roll:

Thanks for your feedback !
Frederic

jaigill Tue, 02/12/2008 - 17:38

What is the DKIM authentication result when sending an HTML message?

frederic.lens Wed, 02/13/2008 - 10:49

Hi there,
From [email protected] I get :
Result: fail (wrong body hash: expected odi6j1ZNhENu/D3skEIt8zKhvUjdyEGwO//oQmXrFjE=)

From [email protected] I get :
X-DKIM: Sendmail DKIM Filter v2.5.0.Beta2 medusa.blackops.org m1DAbehp026156
Authentication-Results: medusa.blackops.org; dkim=neutral (verification failed)

The thing I don't get here is that I have set the body length parameter to "Do not use"... ?

BTW, I tested some more with different key lengths; I set up a new one with 512 bits and set up a new DNS record, all the same. HTML messages fail verification, text messages have no problem.

Cheers,
Fred

jaigill Wed, 02/13/2008 - 18:52

"Do not use" tells the DKIM module to not use the “l=” tag to determine body length. The entire message is signed and no changes are allowed. I suspect that something is changing in the body of the HTML message during transit.

Can you set this to "Entire Body" and run another test?

frederic.lens Thu, 02/14/2008 - 08:40

Hello !
OK so the settings for this test :
Canonicalization : Relaxed / Simple
Headers to sign : standard
Body length : entire body
Expiration time : 31536000

Result when testing in HTML : Failed (wrong body hash)

I've contacted the Ironport support through my reseller, they also believe it is a problem with the Encoding ...
Will let you know :)

Cheers,
Fred

karlyoun Fri, 02/15/2008 - 18:08

Hello Fred

You are most likely running into an issue we discovered recently. The problem is with lines that start with a "." (like CSS class selectors).

The defect ID is 39622. I don't have a release date for the fix yet, but it is coming soon. I'll send an update when I have more information.

Karl Young
Customer Support Engineer
IronPort Systems
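
As an added illustration (not part of the original thread and not IronPort code), the sketch below computes the DKIM body hash (`bh=`) under simple and relaxed body canonicalization (RFC 6376, sections 3.4.3 and 3.4.4) and shows why a body with lines starting with "." can fail with "wrong body hash" while a plain text body passes. It assumes a fault model in which one leading dot is lost from such lines after signing; the thread does not state the mechanism of defect 39622, and the sample bodies and function names are constructed for the example.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: reduce trailing empty lines to one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': strip trailing whitespace per line, collapse whitespace runs,
    then drop trailing empty lines (an empty body stays empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    data = {"simple": canon_simple, "relaxed": canon_relaxed}[canon](body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def drop_leading_dots(body: bytes) -> bytes:
    """ASSUMED fault model: one leading '.' is lost from each line after signing."""
    return b"\r\n".join(ln[1:] if ln.startswith(b".") else ln for ln in body.split(b"\r\n"))

def leading_dot_lines(body: bytes) -> list:
    """1-based numbers of the body lines that start with '.'."""
    return [i for i, ln in enumerate(body.split(b"\r\n"), 1) if ln.startswith(b".")]

def survives(body: bytes, canon: str) -> bool:
    """True if the signer's bh= still matches after the assumed alteration."""
    return body_hash(body, canon) == body_hash(drop_leading_dots(body), canon)

# Constructed sample bodies (CRLF line endings, as on the wire).
TEXT_BODY = b"Hello,\r\nthis is a plain text test.\r\n"
HTML_BODY = (b"<html><head><style>\r\n.header { color: red; }\r\n</style></head>\r\n"
             b"<body><p class=\"header\">Test</p></body></html>\r\n")

if __name__ == "__main__":
    for name, body in (("text", TEXT_BODY), ("html", HTML_BODY)):
        for canon in ("simple", "relaxed"):
            print(name, canon, "dot lines:", leading_dot_lines(body),
                  "bh survives:", survives(body, canon))
```

Neither canonicalization tolerates a changed non-whitespace character, so switching between simple and relaxed cannot work around this kind of alteration.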

frederic.lens Mon, 02/18/2008 - 08:30

Hi Karl !
Thanks for the support !
Best regards,
Fred

chhaag Wed, 02/27/2008 - 01:30

Today's maintenance release has a fix for this issue. For a complete listing check the release notes on the support portal.

regards

frederic.lens Wed, 02/27/2008 - 11:00

great news :)
I'll upgrade my cluster this afternoon and let you know if DKIM signing is working at my place !
Cheers,
Fred
