DKIM_INVALID but DKIM is valid...

Klug

Jul 24, 2019
Hello all.

Previous post edited...

I have many mails going through my PMG 8.2.6 that end up with "DKIM_INVALID" in the spam score.

However, when manually testing such a mail:
Code:
Feb 19 17:33:48.875 [28386] dbg: dkim: using Mail::DKIM version 1.20230212
Feb 19 17:33:48.879 [28386] dbg: dkim: providing our own resolver: Mail::SpamAssassin::DnsResolver
Feb 19 17:33:48.881 [28386] dbg: dkim: performing public DKIM key lookup and signature verification
Feb 19 17:33:48.928 [28386] dbg: dkim: DKIM signature i=@domaine.fr d=domaine.fr
Feb 19 17:33:48.928 [28386] dbg: dkim: VALID DKIM, i=@domaine.fr, d=domaine.fr, s=brevo1, a=rsa-sha256, c=relaxed/relaxed, key_bits=2048, pass, matches author domain
Feb 19 17:33:48.931 [28386] dbg: dkim: DKIM signature verification result: PASS
Feb 19 17:33:48.932 [28386] dbg: dkim: performing public ARC key lookup and signature verification
Feb 19 17:33:48.933 [28386] dbg: dkim: ARC signature verification result: none
Feb 19 17:33:48.933 [28386] dbg: dkim: adsp not retrieved, author domain signature is valid
Feb 19 17:33:48.933 [28386] dbg: dkim: adsp result: - (valid a. d. signature), author domain 'domaine.fr'
Feb 19 17:33:48.936 [28386] dbg: dkim: no wl entries match author contact@domaine.fr, no need to verify sigs

.../...


Spam detection software, running on the system "pmg1.other-domain.com",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  YOU HAVE MAIL This is a test email from Domaine [https://www.domaine.fr/].
   Have a great Thursday!

Content analysis details:   (1.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with
                            mass-marketing (https://raptor.pccc.com/RBL)
                            [URI: sendibt2.com]
-0.0 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DMARC_PASS             DMARC pass policy
 1.0 KAM_MARKETINGBL_PCCC   Message contains URI associated with
                            mass-marketing (https://raptor.pccc.com/RBL)
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.5 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 2.0 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
 0.0 DC_PNG_UNO_LARGO       Message contains a single large png image
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                            Alignment

Any idea why the DKIM is validated BUT DKIM_INVALID set?
> Any idea why the DKIM is validated BUT DKIM_INVALID set?
On a hunch - check that your max spam size (GUI->Configuration->Spam Detector->Options) is as large as your max email size (GUI->Configuration->Mail Proxy->Options); otherwise SpamAssassin only sees a truncated version of the mail, which yields an invalid body hash.

I hope this helps!
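To make the body-hash point above concrete, here is an added example (not code from the thread, from PMG or from SpamAssassin) that computes the DKIM bh= value over a message body using relaxed canonicalization (RFC 6376 section 3.4.4) and compares it against the value in the DKIM-Signature header, once over the full message and once over a cut-off copy. The sample message, its domain, selector and the placeholder b= value are constructed here; the assumption that the scanner simply receives the first N bytes of the message is a simplification of how a size limit would bite, not a description of PMG internals. Only the body hash is checked, so no public key is needed.

```python
"""DKIM body-hash check over a full vs. truncated message body.

Added example for this thread; not PMG or SpamAssassin code.
Implements relaxed body canonicalization (RFC 6376 s3.4.4) and the
bh= comparison only; the b= signature is not verified.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4)."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)   # collapse WSP runs to one SP
        lines.append(line.rstrip(b" \t"))       # drop trailing WSP
    while lines and lines[-1] == b"":           # drop trailing empty lines
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, algo: str = "sha256") -> str:
    """bh= value: base64(hash(canonicalized body))."""
    digest = hashlib.new(algo, relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: bytes):
    """Header block and body, split at the first empty line (CRLF endings)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def dkim_tags(raw: bytes) -> dict:
    """Tag=value pairs of the first DKIM-Signature header (folded lines joined)."""
    head, _ = split_message(raw)
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for hdr in unfolded.split(b"\r\n"):
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            tags = {}
            for item in value.split(b";"):
                k, _, v = item.partition(b"=")
                if k.strip():
                    tags[k.strip().decode()] = re.sub(rb"\s+", b"", v).decode()
            return tags
    raise ValueError("no DKIM-Signature header")


def check_body_hash(raw: bytes, max_bytes=None):
    """Compare bh= against the body the scanner actually sees.

    max_bytes simulates a scanner that only receives the first N bytes of
    the message (assumption: a size limit truncates what is handed to the
    DKIM plugin; the exact cut behaviour is not described in the thread).
    Returns (ok, expected_bh, computed_bh).
    """
    tags = dkim_tags(raw)
    algo = tags["a"].split("-", 1)[1]          # "rsa-sha256" -> "sha256"
    seen = raw if max_bytes is None else raw[:max_bytes]
    _, body = split_message(seen)
    computed = body_hash(body, algo)
    return computed == tags["bh"], tags["bh"], computed


def build_sample(body: bytes) -> bytes:
    """Constructed test message: bh= is computed here at 'signing time';
    b= is a placeholder because only the body hash is exercised."""
    header = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
        b"\ts=sel1; h=from:to:subject; bh=" + body_hash(body).encode() + b";\r\n"
        b"\tb=PLACEHOLDERSIGNATURE\r\n"
        b"From: news@example.org\r\nTo: user@example.com\r\nSubject: test\r\n"
    )
    return header + b"\r\n" + body


# Constructed body: trailing WSP and blank lines are there on purpose, so the
# canonicalization has something to normalize; the x's pad it past 1 KiB.
SAMPLE_BODY = b"YOU HAVE MAIL   \r\nThis is a test email.\r\n" + b"x" * 4000 + b"\r\n\r\n\r\n"
SAMPLE = build_sample(SAMPLE_BODY)

if __name__ == "__main__":
    print("full message :", check_body_hash(SAMPLE))
    print("first 1 KiB  :", check_body_hash(SAMPLE, max_bytes=1024))
```

Run against a real message saved with CRLF line endings, `check_body_hash(open(path, "rb").read())` tells you whether the body on disk still matches bh=; if it matches in full but not with `max_bytes` set to your spam-size limit, the limit is what the verifier is tripping over.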
Do you have a log of one of the emails that bounce/get rejected because of the DKIM_INVALID error? That may help.
1) Are the emails that have this error incoming or outgoing emails?
2) Are you running your own DNS? What DNS is your PMG using?
3) Are you using your PMG for DNS and doing DNSBL lookups?

I ask because I see the log:
Feb 19 17:33:48.875 [28386] dbg: dkim: using Mail::DKIM version 1.20230212
Feb 19 17:33:48.879 [28386] dbg: dkim: providing our own resolver: Mail::SpamAssassin::DnsResolver

Shot in the dark: Maybe the DKIM record is no longer valid? Did the DKIM selector change? Maybe your internal DNS has cached older records?
I checked the max size (found a thread about that in the forum) and fixed it.
The CLI test was done once fixed.

It happens on incoming emails.

Emails are not bounced/refused.
They all (all the ones I looked at that had a DKIM signature) get this DKIM_INVALID while the DKIM is actually valid.
The ones that get bounced are supposed to be bounced (because of wrong DKIM/DMARC).

I was thinking about a resolver issue (the server runs its own unbound, it is its own "direct" resolver - no relay).

But the result of the CLI test seems ok. But wrong too 8-)

Code:
Feb 19 17:33:48.928 [28386] dbg: dkim: DKIM signature i=@domaine.fr d=domaine.fr
Feb 19 17:33:48.928 [28386] dbg: dkim: VALID DKIM, i=@domaine.fr, d=domaine.fr, s=brevo1, a=rsa-sha256, c=relaxed/relaxed, key_bits=2048, pass, matches author domain
Feb 19 17:33:48.931 [28386] dbg: dkim: DKIM signature verification result: PASS
and at the same time:
Code:
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
Check how your unbound resolves the DKIM record with dig (or similar) vs. an external DNS server:
dig @127.0.0.1 TXT dkim._domainkey.domain.com
dig @8.8.4.4 TXT dkim._domainkey.domain.com

Try flushing the DNS.
unbound-control flush_zone .
or
unbound-control flush
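As an added example of the comparison suggested above (not code from the thread, PMG or unbound), the following script parses the TXT answer for a DKIM selector as dig prints it, concatenates the quoted strings as RFC 6376 requires, checks the key record for the things a verifier would reject (no p=, an empty p= meaning a revoked key, an unknown k=), and reports whether the local resolver and an upstream one return the same public key. The two sample answers are constructed to look like a stale cached key next to a rotated one; the selector name and key material are invented. `fetch_txt()` shells out to `dig` and needs network access, so the offline run uses the constructed answers.

```python
"""Compare the DKIM key record from a local resolver with an upstream one.

Added example for this thread; not PMG, unbound or SpamAssassin code.
parse_dkim_key()/compare_answers() work offline on dig-style output;
fetch_txt() runs dig (assumed installed) only when you call it yourself.
"""
import re
import subprocess


def join_txt_strings(answer: str) -> str:
    """dig prints a TXT RDATA as one or more quoted strings per line;
    RFC 6376 s3.6.2.2 says a verifier concatenates them without separators."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', answer))


def parse_dkim_key(record: str) -> dict:
    """tag=value pairs of a DKIM key record (whitespace inside values dropped)."""
    tags = {}
    for item in record.split(";"):
        k, _, v = item.partition("=")
        if k.strip():
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_problems(tags: dict) -> list:
    """Reasons a verifier would ignore or reject this record (RFC 6376 s3.6.1)."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but if present must be DKIM1
        problems.append("v tag is not DKIM1")
    if "p" not in tags:
        problems.append("no p tag")
    elif tags["p"] == "":
        problems.append("empty p tag: key revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        problems.append("p tag is not base64")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported k tag: " + tags["k"])
    return problems


def compare_answers(local_answer: str, upstream_answer: str) -> dict:
    """Same public key from both resolvers? Plus per-side record problems."""
    local = parse_dkim_key(join_txt_strings(local_answer))
    upstream = parse_dkim_key(join_txt_strings(upstream_answer))
    return {
        "same_key": local.get("p") == upstream.get("p"),
        "local_problems": key_problems(local),
        "upstream_problems": key_problems(upstream),
    }


def fetch_txt(name: str, resolver: str) -> str:
    """Raw `dig +short` output for a TXT record; needs dig and network."""
    out = subprocess.run(["dig", "+short", "@" + resolver, "TXT", name],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed dig +short output. The local cache still holds the old key
# while upstream already serves the rotated one; the key bytes are invented.
LOCAL_ANSWER = ('"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAold" '
                '"Key1234=="\n')
UPSTREAM_ANSWER = ('"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnew" '
                   '"Key5678=="\n')
REVOKED_ANSWER = '"v=DKIM1; k=rsa; p="\n'

if __name__ == "__main__":
    # Offline demonstration on the constructed answers. For a live check:
    #   compare_answers(fetch_txt("brevo1._domainkey.domaine.fr", "127.0.0.1"),
    #                   fetch_txt("brevo1._domainkey.domaine.fr", "8.8.4.4"))
    print(compare_answers(LOCAL_ANSWER, UPSTREAM_ANSWER))
    print(key_problems(parse_dkim_key(join_txt_strings(REVOKED_ANSWER))))
```

If `same_key` is false, the local cache is serving a different key than the authoritative side, which is exactly the case where flushing unbound (as suggested above) is the fix; a non-empty problem list on the upstream side points at the sender's DNS instead.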
I rebooted the server after fixing the max sizes and just before doing the CLI test.

The DKIM test is OK, there's no issue with it (so says the test I made using the CLI).
I think there's something broken in my SA (but I don't know what).

I eventually adjusted the DKIM_INVALID score back to SA's default (it was 1.5, now back to 0.1) to avoid false positives.