Cisco Support Community
New Member

How-to configure DKIM properly ?

Hi there all,

I was wondering if anyone has got DKIM implemented and working ?
So far, all my tests to DKIM verification services fail miserably with an error regarding the headers.

What's the proper way to configure DKIM signing, based on the RFC ?
I was also wondering about the key size... maybe that's my problem (I'm testing with a key size of 1536...). What are you using out there ?

As for my parameters, they are as follows :
- Canonicalization : relaxed/relaxed
- Headers to sign : all
- Body length : do not use

Important note (maybe :) ) : my Ironports are behind load balancers which modify their IPs... maybe this has an impact ?

Last thing, I've just tried using a Plain Text message, and full body length scanning and it worked (DKIM result : passed). Yet, with the same setting, when I send a test message in HTML, it fails... ? I'm confused now :roll:

Thanks for your feedback !
Frederic

8 REPLIES
Cisco Employee

Re: How-to configure DKIM properly ?

What are the DKIM authentication results when sending an HTML message?

New Member

Re: How-to configure DKIM properly ?

Hi there,
From check-auth@verifier.port25.com I get :
Result: fail (wrong body hash: expected odi6j1ZNhENu/D3skEIt8zKhvUjdyEGwO//oQmXrFjE=)

From dktest@blackops.org I get :
X-DKIM: Sendmail DKIM Filter v2.5.0.Beta2 medusa.blackops.org m1DAbehp026156
Authentication-Results: medusa.blackops.org; dkim=neutral (verification failed)

The thing I don't get here is that I have set the body length parameter to "Do not use"... ?

BTW, I tested some more with different key lengths. I set up a new one with 512 bits and set up a new DNS record, all the same. HTML messages fail verification, text messages have no problem.

Cheers,
Fred

Cisco Employee

Re: How-to configure DKIM properly ?

"Do not use" tells the DKIM module to not use the “l=” tag to determine body length. The entire message is signed and no changes are allowed. I suspect that something is changing in the body of the HTML message during transit.

Can you set this to "Entire Body" and run another test?

New Member

Re: How-to configure DKIM properly ?

Hello !
OK so the settings for this test :
Canonicalization : Relaxed / Simple
Headers to sign : standard
Body length : entire body
Expiration time : 31536000

Result when testing in HTML : Failed (wrong body hash)

I've contacted the Ironport support through my reseller, they also believe it is a problem with the Encoding ...
Will let you know :)

Cheers,
Fred

New Member

Re: How-to configure DKIM properly ?

Hello Fred

You are most likely running into an issue we discovered recently. The problem is with lines that start with a "." (like CSS class selectors).

The defect ID is 39622. I don't have a release date for the fix yet, but it is coming soon. I'll send an update when I have more information.

Karl Young
Customer Support Engineer
IronPort Systems
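
The symptom in this thread (plain text verifies, HTML with lines starting with "." fails with a wrong body hash) can be reproduced offline with the added example below, which is not code from the thread or from IronPort. It computes the DKIM `bh=` value per RFC 6376 and assumes, purely for illustration, that the mismatch comes from hashing the SMTP dot-stuffed form of the body; the thread does not state the mechanism behind defect 39622, and all function names and sample bodies are constructed.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a CRLF-delimited body (RFC 6376 sections 3.4.3 and 3.4.4)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    lines = body.split(b"\r\n")
    if lines[-1] == b"":
        lines.pop()                      # piece after the final CRLF
    if mode == "relaxed":                # collapse WSP runs, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Value a SHA-256 signer puts in bh= and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def dot_stuff(body: bytes) -> bytes:
    """SMTP sender side (RFC 5321 section 4.5.2): prepend '.' to lines starting with '.'."""
    return re.sub(rb"(?m)^\.", b"..", body)

def dot_unstuff(wire: bytes) -> bytes:
    """SMTP receiver side: delete the first '.' of every line that starts with one."""
    return re.sub(rb"(?m)^\.", b"", wire)

def explain_bh(received: bytes, bh: str, mode: str = "simple") -> str:
    """Triage a 'wrong body hash' result: which form of the body matches bh=?"""
    if body_hash(received, mode) == bh:
        return "pass"
    if body_hash(dot_stuff(received), mode) == bh:
        return "bh= covers the dot-stuffed wire form"
    if body_hash(dot_unstuff(received), mode) == bh:
        return "bh= covers a body missing its leading dots"
    return "body changed in some other way"

# Constructed samples: an HTML part with a CSS class selector, and a plain-text part.
HTML = (b"<html><head><style>\r\n.note { color: #c00; }\r\n</style></head>\r\n"
        b"<body><p class=\"note\">test</p></body></html>\r\n")
TEXT = b"Plain text test message.\r\n"

if __name__ == "__main__":
    for name, body in (("text", TEXT), ("html", HTML)):
        bad_bh = body_hash(dot_stuff(body))   # what a signer hashing the wire form emits
        print(name, explain_bh(body, bad_bh))
```

Neither canonicalization mode touches a leading ".", so switching between simple and relaxed body canonicalization does not hide this kind of mismatch.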

New Member

Re: How-to configure DKIM properly ?

Hi Karl !
Thanks for the support !
Best regards,
Fred

New Member

39622 is fixed in maintenance release 5.5.1-014

Today's maintenance release has a fix for this issue. For a complete listing check the release notes on the support portal.

regards

New Member

Re: How-to configure DKIM properly ?

great news :)
I'll upgrade my cluster this afternoon and let you know if DKIM signing is working at my place !
Cheers,
Fred
