DKIM Fail

Discussions on webmail and the Professional version.
Post Reply
doberman
Posts: 6
Joined: Fri Oct 20, 2017 1:12 pm
Location: Florida, USA

DKIM Fail

Post by doberman »

I have a filter setup to catch DKIM Fail and then pass those emails to quarantine for further review. Many times when I test these DKIM failures at other sites, dkimcore.org, dmarcanalyzer.com and dmarican.com, the DKIMs pass. How is MailEnable processing different form other leading sites?

Here is an example of a failed DKIM by MailEnable.

Code: Select all

Received-SPF: pass (mydomain.com: domain of welcome.aexp.com designates 148.173.91.83 as permitted sender)
	client-ip=148.173.91.83
Received: from ([127.0.0.1]) with MailEnable ESMTPS; Sat, 11 Nov 2017 07:04:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; d=welcome.aexp.com; s=prod-selector; c=relaxed/relaxed;
	q=dns/txt; i=@welcome.aexp.com; t=1510387448;
	h=From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
	bh=IhAKKK1ho2yEHfHlNxPe3SijRNz+4o4rhvMkx3W2r60=;
	b=VjOPX2gyEEsQICGhz5Tp0bqO4FmA1Ko/H99dHtW1WxwqgABhi5FA5UnOEKprsFGn
	MXLYsRk6RqNw7C0EMzhkyo6VKMiZCL6OdkjtqqZeRmPRtCWb4fcHLJV+5p8x3hdW
	dgli7i6DPXR4GcoC/oNTB6acJcXdxEmAd1SfK0AeoM0=;
X-MSFBL: amVnbGlAYXBwbHluZXR3b3Jrcy5jb21AdHJhbnNhY3Rpb25hbF80WDQ4QHRyYW5z
	YWN0aW9uYWxAJXZjdHhfbWVzc3thbWV4X01lc3NhZ2VJRH0=
Date: Sat, 11 Nov 2017 01:04:08 -0700
From: "American Express" <AmericanExpress@welcome.aexp.com>
Reply-To: "" <DoNotReplyUS@service.americanexpress.com>
To: <email@mydomain.com>
MIME-Version: 1.0
Subject: =?UTF-8?B?WW91ciBOb3ZlbWJlciAyMDE3IFN0YXRlbWVudCBpcyBSZWFkeQ==?=
Message-ID: <HEALTUSE20171109100923035247TI.AGNEUBBK0001001.MYCA@welcome.aexp.com>
Content-Type: multipart/alternative;
  boundary="oIS98GC92aEsha2g4Cr4Rv7NQdFXzY2XU0W6WA=="
X-ME-CountryOrigin: US
X-ME-Bayesian: 0.000000
X-ME-DKIM: FAIL
DKIMpass.png
DKIMpass.png (45.67 KiB) Viewed 29315 times

Thanks!

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: DKIM Fail

Post by Brett Rowbotham »

It looks as if you are checking that there is a valid DKIM key rather than checking the email itself.

Use the checker at https://9vx.org/~dho/dkim_validate.php and paste the entire raw contents of the email to check whether DKIM is passing or failing.

Cheers,
Brett

doberman
Posts: 6
Joined: Fri Oct 20, 2017 1:12 pm
Location: Florida, USA

Re: DKIM Fail

Post by doberman »

I ran the email through the site that Brett recommended (thanks!) and the results were:
Results: fail
signature identity: @welcome.aexp.com
verify result: fail (body has been altered)

What are the different validation processes that occur when checking the DKIM key vs checking the email itself? I mean, why does the DKIM key validate (including SPF and DMARC), but the email as a whole fails? I've tried to locate information on this, but could not.

Thank you.

doberman
Posts: 6
Joined: Fri Oct 20, 2017 1:12 pm
Location: Florida, USA

Re: DKIM Fail

Post by doberman »

I continue to get more DKIM Fail messages when the actual key is valid. Could someone explain how MailEnable evaluates emails with DKIM signatures? I've looked in the documentation and it seemed that if the DKIM signature passed, then everything was okay.

Latest DKIM Fails from:
  • mailenable.com (when signing up for subscription)
  • chase.com
  • americanexpress.com
  • lafitness.com
I don't mean to be a pain, but I'm just trying to understand this process. Thanks! :)

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Re: DKIM Fail

Post by MartynK »

Did anyone get to the bottom of this, I am having the same problem and well known domains are failing ?

kenedy
Posts: 1
Joined: Sun Mar 04, 2018 6:41 am

Re: DKIM Fail

Post by kenedy »

I am supporting Brett Rowbotham's ideas and comments....
Graduated from [url=http://www.soran.edu.iq/] Soran [/url] University with First Class Degree with Honours in Computer Science.

dbly
Posts: 54
Joined: Wed Aug 20, 2008 9:18 pm

Re: DKIM Fail

Post by dbly »

DKIM is used to sign the contents of the message to insure that the message body and key headers haven't changed since it was composed. Something to remember is while the KEY may be valid, it may not be the CORRECT key for the message.

Think of it this way - in your pocket you have a ring of keys. Each of those keys goes to different locks. Each of those keys, in and of itself, is a good key. They are valid.

However, the key to your house isn't valid for your car. The key for your car isn't valid for the lock on the shed. The key for the shed isn't valid for your spouse's car, etc.

When you test the key in most online test suites you are really only testing the key for valid syntax. You are not testing to see if the key actually matches the message that it is being used to sign. In many of the tests they don't even give you the ability to upload the message so it can even be checked.

One notable exception to this one ( https://9vx.org/~dho/dkim_validate.php ) that as posted earlier in the thread. That one *DOES* validate the key against the message instead of just checking to see if the key is properly constructed.

I see DKIM failures on my systems all of the time, and not just from minor domains either. For example my users get a lot of notifications from American Express, and anything and everything that comes from @email.americanexpress.com fails DKIM testing because while the message is signed they neglected (at least as of the date that write this) to put their public key in DNS, and as such the message can't be checked against it and it fails. However, the messages from merchantservices@americanexpress.com to the same users do have valid signatures.

Post Reply