starred/dkim-exchange-Pro
1
0
Fork 0
mirror of https://github.com/Pro/dkim-exchange.git synced 2026-04-25 08:55:52 +03:00
Code Issues 4 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #84] Google DKIM validation #64

New issue
Closed
opened 2026-02-26 10:35:32 +03:00 by kerem · 13 comments
kerem commented 2026-02-26 10:35:32 +03:00
Owner
Copy link

Originally created by @AlwindB on GitHub (Apr 8, 2015).
Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/84

Using the DKIM-Exchange plugin I noticed that on the 2.1.4 install (clean install) on Exchange 2010 (14.3.123.4) that DKIM validation with Google does not detect the presence of a DKIM key (dkim=neutral).

Below the headers:

Received-SPF: pass (google.com: domain of A****.**_@m_.com designates *... as permitted sender) client-ip=...;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of A****_.__@m******.com designates ..._ as permitted sender) smtp.mail=A***.**_@m__.com;
dkim=neutral (no signature) header.i=@m__.com;
dmarc=pass (p=REJECT dis=NONE) header.from=m__.com
dkim-signature: v=1; a=rsa-sha256; s=key20150408; d=m_****.com; c=relaxed/relaxed; q=dns/txt; h=From:content-type:date:from:message-id:mime-version:subject:to; bh=RtiycR1cKu3bB2m/xfdGzGfZlmRfqJR/fADAKgy5ZGQ=; b=JncdPhOjI5pBAgnCDmgqYlQp/yIHYxXbTiupLQbXl5dT3QRQFfQlN3hYCHVsYJ+wKzSX8AQkMoQxok7LtqNqkgccPhE3UKcew4CaHDPIJKqABD4AW4g4tHzgCM2/fyUSW54I5czMD4bVP2ROjFJcdBTrtZD4OJi4q31Xl1CIcFA=;

Whilst using EA DomainKeys the header is being set as:
Received-SPF: pass (google.com: domain of A****.**_@m_.com designates *... as permitted sender) client-ip=...;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of A****_.__@m******.com designates ..._ as permitted sender) smtp.mail=A***.**_@m__.com;
dkim=pass header.i=@m__.com;
dmarc=pass (p=REJECT dis=NONE) header.from=m__.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
s=key20150327; d=m_****.com;
h=from:to:subject📅message-id:content-type:mime-version;
bh=ymeIG2f9WWjRJs8InKjRDD9Lm+54k30ESM3uApkBsvo=;
b=S/o8/DTb7nFLJCLMO3V/XNapSkpghf4oFNs07h54tFkCUqP8/VwvgoeUvn2Fv8qBQoSVuNUA
0z9n/UQuzZ7O/QhDXmMnswramIrdadUZEAsNzyiIKJfh1eDVOtOIluiFi1CqVP23LLjUyhx2
5L3GtckmaO0jalUIAO5RbJypCHg=

Be aware that this is a different private/public keyset.

Currently I cannot explain where the difference comes from, except for my guess that is has something to do with building the headers.

Originally created by @AlwindB on GitHub (Apr 8, 2015). Original GitHub issue: https://github.com/Pro/dkim-exchange/issues/84 Using the DKIM-Exchange plugin I noticed that on the 2.1.4 install (clean install) on Exchange 2010 (14.3.123.4) that DKIM validation with Google does not detect the presence of a DKIM key (dkim=neutral). Below the headers: Received-SPF: pass (google.com: domain of A****_.**_***_@m**_*****_.com designates *._._._ as permitted sender) client-ip=_._._._; Authentication-Results: mx.google.com; spf=pass (google.com: domain of A****_.**_***_@m**_*****_.com designates *._._._ as permitted sender) smtp.mail=A****_.**_***_@m**_*****_.com; dkim=neutral (no signature) header.i=@m**_*****_.com; dmarc=pass (p=REJECT dis=NONE) header.from=m**_*****_.com dkim-signature: v=1; a=rsa-sha256; s=key20150408; d=m**_******.com; c=relaxed/relaxed; q=dns/txt; h=From:content-type:date:from:message-id:mime-version:subject:to; bh=RtiycR1cKu3bB2m/xfdGzGfZlmRfqJR/fADAKgy5ZGQ=; b=JncdPhOjI5pBAgnCDmgqYlQp/yIHYxXbTiupLQbXl5dT3QRQFfQlN3hYCHVsYJ+wKzSX8AQkMoQxok7LtqNqkgccPhE3UKcew4CaHDPIJKqABD4AW4g4tHzgCM2/fyUSW54I5czMD4bVP2ROjFJcdBTrtZD4OJi4q31Xl1CIcFA=; Whilst using EA DomainKeys the header is being set as: Received-SPF: pass (google.com: domain of A****_.**_***_@m**_*****_.com designates *._._._ as permitted sender) client-ip=_._._._; Authentication-Results: mx.google.com; spf=pass (google.com: domain of A****_.**_***_@m**_*****_.com designates *._._._ as permitted sender) smtp.mail=A****_.**_***_@m**_*****_.com; dkim=pass header.i=@m**_*****_.com; dmarc=pass (p=REJECT dis=NONE) header.from=m**_*****_.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=key20150327; d=m**_******.com; h=from:to:subject:date:message-id:content-type:mime-version; bh=ymeIG2f9WWjRJs8InKjRDD9Lm+54k30ESM3uApkBsvo=; b=S/o8/DTb7nFLJCLMO3V/XNapSkpghf4oFNs07h54tFkCUqP8/VwvgoeUvn2Fv8qBQoSVuNUA 0z9n/UQuzZ7O/QhDXmMnswramIrdadUZEAsNzyiIKJfh1eDVOtOIluiFi1CqVP23LLjUyhx2 5L3GtckmaO0jalUIAO5RbJypCHg= Be aware that this is a different private/public keyset. Currently I cannot explain where the difference comes from, except for my guess that is has something to do with building the headers.
kerem closed this issue 2026-02-26 10:35:32 +03:00
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlexLaroche commented on GitHub (Apr 8, 2015):

I did the test on my test server without any error... Could be a configuration problem? You should check your key in your DNS and in the Exchange DKIM Agent configuration?

<!-- gh-comment-id:91052410 --> @AlexLaroche commented on GitHub (Apr 8, 2015): I did the test on my test server without any error... Could be a configuration problem? You should check your key in your DNS and in the Exchange DKIM Agent configuration?
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlexLaroche commented on GitHub (Apr 8, 2015):

You could also try to test your configuration by sending a email to "check-auth@verifier.port25.com".

http://www.port25.com/support/authentication-center/email-verification/

<!-- gh-comment-id:91053218 --> @AlexLaroche commented on GitHub (Apr 8, 2015): You could also try to test your configuration by sending a email to "check-auth@verifier.port25.com". http://www.port25.com/support/authentication-center/email-verification/
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlwindB commented on GitHub (Apr 9, 2015):

Hi Alex,

found out something interesting, when changing the header and body canonicalization, the validation of the DKIM passes or fails. Also the header changes from case sensitive to lowercase.

This all with the same DKIM key, so no changes on that end of the configuration.

See my check below

header/body

simple/simple = pass
header start= DKIM-Signature: v=DKIM1; etc....

simple/relaxed = pass
header start= DKIM-Signature: v=DKIM1; etc....

relaxed/simple = fail
header start= dkim-signature: v=DKIM1; etc....

relaxed/relaxed = fail
header start= dkim-signature: v=DKIM1; etc....

<!-- gh-comment-id:91130645 --> @AlwindB commented on GitHub (Apr 9, 2015): Hi Alex, found out something interesting, when changing the header and body canonicalization, the validation of the DKIM passes or fails. Also the header changes from case sensitive to lowercase. This all with the same DKIM key, so no changes on that end of the configuration. See my check below header/body simple/simple = pass header start= DKIM-Signature: v=DKIM1; etc.... simple/relaxed = pass header start= DKIM-Signature: v=DKIM1; etc.... relaxed/simple = fail header start= dkim-signature: v=DKIM1; etc.... relaxed/relaxed = fail header start= dkim-signature: v=DKIM1; etc....
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@topcats commented on GitHub (Apr 9, 2015):

I am running Exchange 2013 CU8 with the new 2.1.4 and have just tested to the port25.com address

All appears fine for me

SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

<!-- gh-comment-id:91170013 --> @topcats commented on GitHub (Apr 9, 2015): I am running Exchange 2013 CU8 with the new 2.1.4 and have just tested to the port25.com address All appears fine for me SPF check: pass DomainKeys check: neutral DKIM check: pass Sender-ID check: pass SpamAssassin check: ham
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlwindB commented on GitHub (Apr 9, 2015):

topcats, how is your setup simple/simple or one of the other options

<!-- gh-comment-id:91249468 --> @AlwindB commented on GitHub (Apr 9, 2015): topcats, how is your setup simple/simple or one of the other options
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@topcats commented on GitHub (Apr 9, 2015):

yes running simple/simple rsasha1

<!-- gh-comment-id:91365424 --> @topcats commented on GitHub (Apr 9, 2015): yes running simple/simple rsasha1
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlexLaroche commented on GitHub (Apr 10, 2015):

I did a test yesterday with relaxed/relaxed and simple/simple without any problem... :/

<!-- gh-comment-id:91387216 --> @AlexLaroche commented on GitHub (Apr 10, 2015): I did a test yesterday with relaxed/relaxed and simple/simple without any problem... :/
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlwindB commented on GitHub (Apr 10, 2015):

Regarding DKIM prefered options:
RFC advises sha256 above sha1, sha256 is also the default algorithm when it's not specified.

Some more information, running W2k8 R2 w/Exchange 2010.

When trying to build a native DKIM validation plugin (for DMARC) based on the Transport Agent we noticed that Exchange is altering some message headers. So it might be related to that, have to check up with my collegue.

<!-- gh-comment-id:91456982 --> @AlwindB commented on GitHub (Apr 10, 2015): Regarding DKIM prefered options: RFC advises sha256 above sha1, sha256 is also the default algorithm when it's not specified. Some more information, running W2k8 R2 w/Exchange 2010. When trying to build a native DKIM validation plugin (for DMARC) based on the Transport Agent we noticed that Exchange is altering some message headers. So it might be related to that, have to check up with my collegue.
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@topcats commented on GitHub (Apr 10, 2015):

I had a problem with sha256 when I was inserting the hash into the dns records.
It appeared to truncate the txt record, so I changed to sha1, which works ok

<!-- gh-comment-id:91459163 --> @topcats commented on GitHub (Apr 10, 2015): I had a problem with sha256 when I was inserting the hash into the dns records. It appeared to truncate the txt record, so I changed to sha1, which works ok
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@gogglespisano commented on GitHub (Apr 10, 2015):

If you're using BIND DNS, there is a text length limit, but you can work around it,

"abcdef"
can be written as
"abc" "def"
or
("abc"
"def")

You can split a text value into smaller strings and it will glue it all back together. If you want to spread it out over multiple lines, then surround the value in parenthesis.

<!-- gh-comment-id:91552102 --> @gogglespisano commented on GitHub (Apr 10, 2015): If you're using BIND DNS, there is a text length limit, but you can work around it, "abcdef" can be written as "abc" "def" or ("abc" "def") You can split a text value into smaller strings and it will glue it all back together. If you want to spread it out over multiple lines, then surround the value in parenthesis.
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@topcats commented on GitHub (Apr 13, 2015):

Am using a third party hosted dns web console, i'm stuck with it for now so a shorter key will have to do :(

<!-- gh-comment-id:92330534 --> @topcats commented on GitHub (Apr 13, 2015): Am using a third party hosted dns web console, i'm stuck with it for now so a shorter key will have to do :(
kerem commented 2026-02-26 10:35:33 +03:00
Author
Owner
Copy link

@AlexLaroche commented on GitHub (Apr 13, 2015):

For Windows DNS servers, the long DKIM keys can be broken up into multiple lines when entering the record into the DNS management tool. A single long line will be truncated at 256 characters but multiple lines will be accepted. For example, the following DKIM record would be truncated when entering it into dnsmgmt:

"v=DKIM1; k=rsa; h=sha256 p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLj8Fw4H27vKcm3BVChkxgM2fjHUCQGxrp8jeYgdWRdsF3w5lWKICVawjkISzpQqF7wwgRWMNVAxxCs2opJKHpmTPsdRfRnHuqCdBgEDBUT3717k74qDCoP7TGVgQmB3DWm2vsg/LmaHpAk1OQ9MV5W0WnH3XEaJmtR67OAEuEABdjBX0A3V+5lb1piwpkL7RUyOPkNEyIjSILC4c2Zn7+HaM4CP8hJ8ZEx8bCFhkML4PbiEQZoXuxe5D+DB8mNt6UwzyjfbMZ1CeGEWLZpkcRlBgPx75XIeh9yVyw0bHctaCr43xwnb41KuluCzXD8sLFbYpYDyQThIqUXrGtv48wIDAQAB"

The same record, broken up into multiple lines would be correctly stored and served by the Windows DNS server:

"v=DKIM1; k=rsa; h=sha256
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLj8Fw4H27vKcm3BVChkxgM2fjHUCQGxrp8jeYgdWRdsF3w5lWKICVawjkISzpQqF7wwgRWMNVAxxCs2opJKHpmTPsdRfRn
HuqCdBgEDBUT3717k74qDCoP7TGVgQmB3DWm2vsg/LmaHpAk1OQ9MV5W0WnH3XEaJmtR67OAEuEABdjBX0A3V+5lb1piwpkL7RUyOPkNEyIjSILC4c2Zn7+HaM4CP8hJ8ZEx8bCFhk
ML4PbiEQZoXuxe5D+DB8mNt6UwzyjfbMZ1CeGEWLZpkcRlBgPx75XIeh9yVyw0bHctaCr43xwnb41KuluCzXD8sLFbYpYDyQThIqUXrGtv48wIDAQAB"

<!-- gh-comment-id:92490438 --> @AlexLaroche commented on GitHub (Apr 13, 2015): For Windows DNS servers, the long DKIM keys can be broken up into multiple lines when entering the record into the DNS management tool. A single long line will be truncated at 256 characters but multiple lines will be accepted. For example, the following DKIM record would be truncated when entering it into dnsmgmt: "v=DKIM1; k=rsa; h=sha256 p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLj8Fw4H27vKcm3BVChkxgM2fjHUCQGxrp8jeYgdWRdsF3w5lWKICVawjkISzpQqF7wwgRWMNVAxxCs2opJKHpmTPsdRfRnHuqCdBgEDBUT3717k74qDCoP7TGVgQmB3DWm2vsg/LmaHpAk1OQ9MV5W0WnH3XEaJmtR67OAEuEABdjBX0A3V+5lb1piwpkL7RUyOPkNEyIjSILC4c2Zn7+HaM4CP8hJ8ZEx8bCFhkML4PbiEQZoXuxe5D+DB8mNt6UwzyjfbMZ1CeGEWLZpkcRlBgPx75XIeh9yVyw0bHctaCr43xwnb41KuluCzXD8sLFbYpYDyQThIqUXrGtv48wIDAQAB" The same record, broken up into multiple lines would be correctly stored and served by the Windows DNS server: "v=DKIM1; k=rsa; h=sha256 p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLj8Fw4H27vKcm3BVChkxgM2fjHUCQGxrp8jeYgdWRdsF3w5lWKICVawjkISzpQqF7wwgRWMNVAxxCs2opJKHpmTPsdRfRn HuqCdBgEDBUT3717k74qDCoP7TGVgQmB3DWm2vsg/LmaHpAk1OQ9MV5W0WnH3XEaJmtR67OAEuEABdjBX0A3V+5lb1piwpkL7RUyOPkNEyIjSILC4c2Zn7+HaM4CP8hJ8ZEx8bCFhk ML4PbiEQZoXuxe5D+DB8mNt6UwzyjfbMZ1CeGEWLZpkcRlBgPx75XIeh9yVyw0bHctaCr43xwnb41KuluCzXD8sLFbYpYDyQThIqUXrGtv48wIDAQAB"
kerem commented 2026-02-26 10:35:34 +03:00
Author
Owner
Copy link

@AlexLaroche commented on GitHub (Apr 24, 2015):

Please reopen if the problem isn't solved.

<!-- gh-comment-id:96076428 --> @AlexLaroche commented on GitHub (Apr 24, 2015): Please reopen if the problem isn't solved.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/nuget/Src/Configuration.DkimSigner/MimeKit-4.7.1
Ed25519-SHA256
feature/dkim-verify
coverity_scan
v3.4.1.2
v3.4.2
v3.4.1.1
v3.4.1
v3.4.0
v3.3.4
v3.3.3
v3.3.2
v3.3.1
v3.2.9
v3.2.8
v3.2.7
3.2.6
v3.2.5
v3.2.4
v3.2.4-alpha
v3.2.3.1
v3.2.3
v3.2.2
v3.2.0
v3.1.0
v3.0.13
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v3.0.0-beta.2
v3.0.0-beta
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.5-beta.2
v2.1.5-beta
v2.1.4
v2.1.3
v.2.1.2
v2.1.1
v2.1.0
v2.0.3
v2.0.2
v2.0.1
v2.0.0-beta.4
v2.0.0-rc.1
v2.0.0-beta.3
v2.0.0-beta.2
v2.0.0-beta
v2.0.0-alpha.1
v2.0.0-alpha
v1.8.3
1.8.2
v1.8.1
v1.8.0
v1.7.0
v1.6.0
v1.5.2
Labels
Clear labels   
agent

   
agent

   
bug

   
bug

   
enhancement

   
gui

   
invalid

   
need-info

   
question

   
wontfix
No labels
agent
agent
bug
bug
enhancement
gui
invalid
need-info
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/dkim-exchange-Pro#64
No description provided.