Problems with DKIM / DMARC

Hi there,

I have the following issue:
According to DMARC reports from different providers (here is one from Google), I get a DKIM fail for some of my emails.
DMARC-Report.png

The DKIM settings are configured for domain.tld and subdomain.domain.tld (subdomain.domain.tld is the one that is failing and is the active Proxmox Mail Gateway).
DKIM-Settings.png

The odd thing about that is that in the DMARC report the DKIM domain is empty, which would lead me to the idea that the mail gateway itself is sending out these emails. Could that conclusion be correct?

As far as my research has shown, the mail gateway currently cannot add a DKIM certificate to an envelope which was sent from itself, like spam reports. Would that also affect other emails like mailer daemons?

Do you have other ideas how to interpret that error?

Thank you very much!
 
mail gateway can at the moment not add a DKIM certificate to an envelope which was sent from itself like spam reports. Would that also affect other emails like mailer daemons?
Yes, currently there is no signing for mails originating directly from the PMG.
(For mails with empty envelope/bounces, you can now choose to sign based on the From-header domain instead of the envelope sender domain. This was added in PMG 8.1, but it is not applied to mails originating directly on your PMG.)

Does mg01.domain.at have a fitting DKIM record?
Does it have a DMARC record of its own?
How are the records for your domain.at?

P.S. I moved the thread to the English forum (you originally posted in the German subforum).
 
Thanks a lot for your quick reply and quality feedback!

Yes, DKIM for mg01.domain.at is set.
Yes, main and subdomain do have a DMARC record.

domain.at:
dmarc: v=DMARC1; p=none; rua=mailto:dmarc@domain.at; ruf=mailto:dmarc@domain.at; rf=afrf;

mg01.domain.at:
dmarc: v=DMARC1; p=none; rua=mailto:dmarc@domain.at; ruf=mailto:dmarc@domain.at; rf=afrf;

DKIM values of emails passing through are all correct (mailserver -> PMG -> receiver) (I do get a lot of passes for DKIM).

Some emails, according to the XMLs I'm getting, are simply not signed. I'll try playing around with the envelope feature from 8.1; maybe there are really some mails which are passed through but not signed, but it feels like the issue is the mails sent out by the gateway itself.

Just in case someone else is having this issue, that's the feature request link: https://bugzilla.proxmox.com/show_bug.cgi?id=2971
 
Some emails, according to the XMLs I'm getting, are simply not signed. I'll try playing around with the envelope feature from 8.1; maybe there are really some mails which are passed through but not signed, but it feels like the issue is the mails sent out by the gateway itself.
This could very well be. Looking into this (along with ARC) is on our roadmap, although I cannot promise a date when it will be available...
Related issues:
https://bugzilla.proxmox.com/show_bug.cgi?id=4658
https://bugzilla.proxmox.com/show_bug.cgi?id=3423

Just in case someone else is having this issue, that's the feature request link: https://bugzilla.proxmox.com/show_bug.cgi?id=2971
This was addressed (for the largest part) with PMG 8.1.
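
Added example (not part of the thread and not Proxmox code): a small Python script that separates "unsigned" from "signed but failing" records in a DMARC aggregate report, which is the distinction discussed above when the DKIM domain shows up empty. The sample report, its IP address and the selector are constructed, and the element names assume the RFC 7489 aggregate layout without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (RFC 7489 aggregate layout, no XML namespace); IP and selector are made up.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>domain.at</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.at</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>domain.at</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mg01.domain.at</header_from></identifiers>
    <auth_results><spf><domain>mg01.domain.at</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def classify(record):
    """'pass', 'unsigned' (no signature reported) or 'broken' (signed, but failed or unaligned)."""
    if record.findtext("row/policy_evaluated/dkim") == "pass":
        return "pass"
    signed = [d for d in record.findall("auth_results/dkim")
              if (d.findtext("domain") or "").strip() and d.findtext("result") != "none"]
    return "broken" if signed else "unsigned"

def dkim_summary(xml_text):
    """Sum message counts per (source_ip, header_from, class)."""
    if "<!DOCTYPE" in xml_text:  # reports come from third parties: refuse DTDs/entities
        raise ValueError("report contains a DTD")
    totals = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"), classify(rec))
        totals[key] += int(rec.findtext("row/count") or 0)
    return totals

if __name__ == "__main__":
    for (ip, header_from, state), n in sorted(dkim_summary(SAMPLE_REPORT).items()):
        print(f"{ip:15} {header_from:20} {state:8} {n}")
```

Rows classified as "unsigned" whose header_from is the gateway's own hostname are consistent with mail generated on the gateway; "broken" rows point at a signature that was added but did not verify or align.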
 