How-to configure DKIM properly ?

frederic.lens
Level 1

Hi there all,

I was wondering if anyone has got DKIM implemented and working ?
So far, all my tests to DKIM verification services fail miserably with an error regarding the headers.

What's the proper way to configure DKIM signing, based on the RFC ?
I was also wondering about the key size... maybe that's my problem (I'm testing with a key size of 1536...). What are you using out there ?

As for my parameters, they are as follows :
- Canonicalization : relaxed/relaxed
- Headers to sign : all
- Body length : do not use

Important note (maybe :) ) : my Ironports are behind load balancers which modify their IPs... maybe this has an impact ?

Last thing, I've just tried using a Plain Text message, and full body length scanning and it worked (DKIM result : passed). Yet, with the same setting, when I send a test message in HTML, it fails... ? I'm confused now :roll:

Thanks for your feedback !
Frederic

8 Replies

jaigill
Cisco Employee

What are the DKIM authentication results when sending an HTML message?

frederic.lens
Level 1

Hi there,
From check-auth@verifier.port25.com I get :
Result: fail (wrong body hash: expected odi6j1ZNhENu/D3skEIt8zKhvUjdyEGwO//oQmXrFjE=)

From dktest@blackops.org I get :
X-DKIM: Sendmail DKIM Filter v2.5.0.Beta2 medusa.blackops.org m1DAbehp026156
Authentication-Results: medusa.blackops.org; dkim=neutral (verification failed)

The thing I don't get here is that I have set the body length parameter to "Do not use"... ?

BTW, I tested some more with different key lengths, I set up a new one with 512 bits and set up a new DNS record, all the same. HTML messages fail verification, text messages have no problem.

Cheers,
Fred

jaigill
Cisco Employee

"Do not use" tells the DKIM module to not use the “l=” tag to determine body length. The entire message is signed and no changes are allowed. I suspect that something is changing in the body of the HTML message during transit.

Can you set this to "Entire Body" and run another test?

frederic.lens
Level 1

Hello !
OK so the settings for this test :
Canonicalization : Relaxed / Simple
Headers to sign : standard
Body length : entire body
Expiration time : 31536000

Result when testing in HTML : Failed (wrong body hash)

I've contacted the Ironport support through my reseller, they also believe it is a problem with the Encoding ...
Will let you know :)

Cheers,
Fred

karlyoun
Level 1

Hello Fred

You are most likely running into an issue we discovered recently. The problem is with lines that start with a "." (like CSS class selectors).

The defect ID is 39622. I don't have a release date for the fix yet, but it is coming soon. I'll send an update when I have more information.

Karl Young
Customer Support Engineer
IronPort Systems

frederic.lens
Level 1

Hi Karl !
Thanks for the support !
Best regards,
Fred

chhaag
Level 1

Today's maintenance release has a fix for this issue. For a complete listing check the release notes on the support portal.

regards

frederic.lens
Level 1

great news :)
I'll upgrade my cluster this afternoon and let you know if DKIM signing is working at my place !
Cheers,
Fred
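
Added example, not part of the original thread and not IronPort code: how the `bh=` body hash is computed under RFC 6376 simple and relaxed canonicalization, and why a signer that mishandles lines starting with "." fails only on some messages (HTML with CSS class selectors) while plain text passes. The thread does not describe the mechanism of defect 39622; modelling it as the signer hashing the SMTP dot-stuffed form (RFC 5321 section 4.5.2) is an assumption, and the sample bodies and the `verify_after_transit` helper are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end, keep exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon=canon_simple) -> str:
    """Value of the bh= tag for a sha256 signature without an l= tag."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def dot_stuff(body: bytes) -> bytes:
    """RFC 5321 4.5.2, sending side: double a leading '.' on every line."""
    return re.sub(rb"(?m)^\.", b"..", body)

def dot_unstuff(body: bytes) -> bytes:
    """RFC 5321 4.5.2, receiving side: remove one leading '.' from every line."""
    return re.sub(rb"(?m)^\.", b"", body)

def verify_after_transit(body: bytes, sign_on_wire_form: bool, canon=canon_simple):
    """Return (bh the signer wrote, bh the verifier computes, whether they match).

    sign_on_wire_form=True is the assumed fault: the hash is taken over the
    dot-stuffed bytes instead of the message content.
    """
    signed = body_hash(dot_stuff(body) if sign_on_wire_form else body, canon)
    received = dot_unstuff(dot_stuff(body))  # a correct SMTP hop restores the body
    seen = body_hash(received, canon)
    return signed, seen, signed == seen

# Constructed sample bodies: only the HTML one has a line starting with "."
PLAIN = b"Hello,\r\nthis is a plain text test.\r\n"
HTML = b'<style>\r\n.header { color: red; }\r\n</style>\r\n<p class="header">Hi</p>\r\n'

if __name__ == "__main__":
    for name, body in (("plain", PLAIN), ("html", HTML)):
        for faulty in (False, True):
            signed, seen, ok = verify_after_transit(body, faulty)
            print(f"{name:5} faulty_signer={faulty!s:5} pass={ok} bh={signed}")
```

Neither canonicalization touches a leading dot, so switching between simple and relaxed or changing the key size does not affect this kind of body-hash mismatch.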
