DKIM failure troubleshooting

rand.hall · ‎02-05-2009

I just created a DKIM content filter looking for HARDFAILs. Am I diagnosing the enclosed headers properly?

It seems like a properly signed gmail message is getting hosed as it makes its way to us via a mailing list processor.

Received-SPF: None identity=mailfrom; client-ip=66.158.92.124;
receiver=ironportpriv.merrimack.edu;
envelope-from="ili-l-owner@ala.org";
x-sender="ili-l-owner@ala.org";
x-conformance=spf_only
Received-SPF: None identity=helo; client-ip=66.158.92.124;
receiver=ironportpriv.merrimack.edu;
envelope-from="ili-l-owner@ala.org";
x-sender="postmaster@ala3.ala.org";
x-conformance=spf_only
Authentication-Results: ironportpriv.merrimack.edu; dkim=hardfail (body hash did not verify [final]) header.i=@gmail.com
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqgBAHvzhklCnlx8kWdsb2JhbACCQTCQFWE/AQEBAQkLCgcRBapRMAEJhECIQgEDAQECgl6BMwaDbg
X-IronPort-AV: E=Sophos;i="4.37,367,1231131600";
d="scan'208";a="3535121"
Received: from ala3.ala.org ([66.158.92.124])
by ironportpriv.merrimack.edu with SMTP; 02 Feb 2009 16:24:49 -0500
Received: by ala3.ala.org (Postfix, from userid 1001)
id 7A5931707FC; Mon, 2 Feb 2009 15:24:44 -0600 (CST)
X-Original-To: ili-l@ala.org
Delivered-To: ili-l@ala3.ala.org
Received: from ala1.ala.org (ala1.ala.org [66.158.92.66])
by ala3.ala.org (Postfix) with ESMTP id AF284170792
for <ili>; Mon, 2 Feb 2009 11:39:39 -0600 (CST)
Received: from [64.233.170.185] (helo=rn-out-0910.google.com)
by ala1.ala.org with esmtp (Exim 4.62)
(envelope-from <helentlane>)
id 1LU2kl-00086f-GP
for ili-l@ala.org; Mon, 02 Feb 2009 11:38:35 -0600
Received: by rn-out-0910.google.com with SMTP id j78so1032268rne.2
for <ili>; Mon, 02 Feb 2009 09:39:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:sender:received:in-reply-to
:references:date:x-google-sender-auth:message-id:subject:from:to
:content-type;
bh=QRuwHgIym/O/SFaD3vvderJkAVRuw/ZUX+YA5U9k37g=;
b=r/iGkvdwzlqvEZw/h6vd3iFAcpRk+k/GX9KRL8jklHyn+TK9aNk8d2BX2JREbxD5yy
1ndFgzC2/GjqmqtDY7IO/Nc59POuhYJtdy9Dxg7v1d6vXLBmd9L5gs9J++px56f7MRlt
QIEEt0ntbwIBWmpLIdoeN2PSAlaSJS/cYMPck=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:sender:in-reply-to:references:date
:x-google-sender-auth:message-id:subject:from:to:content-type;
b=FhC/9Zt3s4tqL5iwSDzXvdJV9dWk5PDBCu0T0oxlxctU7LpbxxzjQC1O1z3Y9Cki/q
tPpu+Jgu/HcRWaFsrndN9o1D4BkF4FBnGwxe3YyYUj4Oqx9y9kYqA0CIIwSeYSP5IWpD
GNuazuyAiiMXw+QkdL61/TUrVNKVCA/ZMMsT8=
MIME-Version: 1.0
Sender: helentlane@gmail.com
Received: by 10.100.255.9 with SMTP id c9mr212792ani.135.1233596378783; Mon,
02 Feb 2009 09:39:38 -0800 (PST)
In-Reply-To: <7g9s4t>
References: <49836CE0>
<7g9s4t>
Date: Mon, 2 Feb 2009 12:39:38 -0500
X-Google-Sender-Auth: 50851bf88f75c0d0
Message-ID: <119de7590902020939n21a822e2xbf3dc3f8e99fa38>
From: Helen Lane <htl2108>
To: ili-l@ala.org
Content-Type: multipart/alternative; boundary=0016368e1e5cf421520461f309ef
Subject: [ili-l] Re: RE: recommended web directories?
Reply-To: ili-l@ala.org
X-Loop: ili-l@ala.org
X-Sequence: 7162
Errors-to: ili-l-owner@ala.org
Precedence: list
X-no-archive: yes
List-Id: <ili>
List-Help: <mailto>
List-Subscribe: <mailto>
List-Unsubscribe: <mailto>
List-Post: <mailto>
List-Owner: <mailto>
List-Archive: <http>

Douglas Hardison · ‎02-06-2009

Hi,

If the headers of the message changed at all between the gmail server, and the IronPort, then the DKIM hash will be incorrect, and it will fail.

You mentioned a mailing list server, and I can see the list headers in your sample. I assume these were added "in between" gmail and the IronPort, thus causing the DKIM hash to be incorrect.

-whardison