DKIM failure troubleshooting

Unanswered Question
Feb 5th, 2009

I just created a DKIM content filter looking for HARDFAILs. Am I diagnosing the enclosed headers properly?

It seems like a properly signed gmail message is getting hosed as it makes its way to us via a mailing list processor.


Received-SPF: None identity=mailfrom; client-ip=66.158.92.124;
receiver=ironportpriv.merrimack.edu;
envelope-from="[email protected]";
x-sender="[email protected]";
x-conformance=spf_only
Received-SPF: None identity=helo; client-ip=66.158.92.124;
receiver=ironportpriv.merrimack.edu;
envelope-from="[email protected]";
x-sender="[email protected]";
x-conformance=spf_only
Authentication-Results: ironportpriv.merrimack.edu; dkim=hardfail (body hash did not verify [final]) [email protected]
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqgBAHvzhklCnlx8kWdsb2JhbACCQTCQFWE/AQEBAQkLCgcRBapRMAEJhECIQgEDAQECgl6BMwaDbg
X-IronPort-AV: E=Sophos;i="4.37,367,1231131600";
d="scan'208";a="3535121"
Received: from ala3.ala.org ([66.158.92.124])
by ironportpriv.merrimack.edu with SMTP; 02 Feb 2009 16:24:49 -0500
Received: by ala3.ala.org (Postfix, from userid 1001)
id 7A5931707FC; Mon, 2 Feb 2009 15:24:44 -0600 (CST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from ala1.ala.org (ala1.ala.org [66.158.92.66])
by ala3.ala.org (Postfix) with ESMTP id AF284170792
for <ili>; Mon, 2 Feb 2009 11:39:39 -0600 (CST)
Received: from [64.233.170.185] (helo=rn-out-0910.google.com)
by ala1.ala.org with esmtp (Exim 4.62)
(envelope-from <helentlane>)
id 1LU2kl-00086f-GP
for [email protected]; Mon, 02 Feb 2009 11:38:35 -0600
Received: by rn-out-0910.google.com with SMTP id j78so1032268rne.2
for <ili>; Mon, 02 Feb 2009 09:39:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:sender:received:in-reply-to
:references:date:x-google-sender-auth:message-id:subject:from:to
:content-type;
bh=QRuwHgIym/O/SFaD3vvderJkAVRuw/ZUX+YA5U9k37g=;
b=r/iGkvdwzlqvEZw/h6vd3iFAcpRk+k/GX9KRL8jklHyn+TK9aNk8d2BX2JREbxD5yy
1ndFgzC2/GjqmqtDY7IO/Nc59POuhYJtdy9Dxg7v1d6vXLBmd9L5gs9J++px56f7MRlt
QIEEt0ntbwIBWmpLIdoeN2PSAlaSJS/cYMPck=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:sender:in-reply-to:references:date
:x-google-sender-auth:message-id:subject:from:to:content-type;
b=FhC/9Zt3s4tqL5iwSDzXvdJV9dWk5PDBCu0T0oxlxctU7LpbxxzjQC1O1z3Y9Cki/q
tPpu+Jgu/HcRWaFsrndN9o1D4BkF4FBnGwxe3YyYUj4Oqx9y9kYqA0CIIwSeYSP5IWpD
GNuazuyAiiMXw+QkdL61/TUrVNKVCA/ZMMsT8=
MIME-Version: 1.0
Sender: [email protected]
Received: by 10.100.255.9 with SMTP id c9mr212792ani.135.1233596378783; Mon,
02 Feb 2009 09:39:38 -0800 (PST)
In-Reply-To: <7g9s4t>
References: <49836CE0>
<7g9s4t>
Date: Mon, 2 Feb 2009 12:39:38 -0500
X-Google-Sender-Auth: 50851bf88f75c0d0
Message-ID: <119de7590902020939n21a822e2xbf3dc3f8e99fa38>
From: Helen Lane <htl2108>
To: [email protected]
Content-Type: multipart/alternative; boundary=0016368e1e5cf421520461f309ef
Subject: [ili-l] Re: RE: recommended web directories?
Reply-To: [email protected]
X-Loop: [email protected]
X-Sequence: 7162
Errors-to: [email protected]
Precedence: list
X-no-archive: yes
List-Id: <ili>
List-Help: <mailto>
List-Subscribe: <mailto>
List-Unsubscribe: <mailto>
List-Post: <mailto>
List-Owner: <mailto>
List-Archive: <http>

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
whardiso Fri, 02/06/2009 - 13:56

Hi,

If the headers of the message changed at all between the gmail server, and the IronPort, then the DKIM hash will be incorrect, and it will fail.

You mentioned a mailing list server, and I can see the list headers in your sample. I assume these were added "in between" gmail and the IronPort, thus causing the DKIM hash to be incorrect.

-whardison

Actions

This Discussion