Closed solracsf closed 7 years ago
Can you send an email to checkmyauth@auth.returnpath.net and check-auth@verifier.port25.com and post your results here?
Port25 results
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mail.domain.tld
Source IP: 89.38.xxx.xxx
mail-from: user@domain.tld
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=user@domain.tld
DNS record(s):
domain.tld. SPF (no records)
domain.tld. 300 IN TXT "v=spf1 mx -all"
domain.tld. 300 IN MX 1 mail.domain.tld.
mail.domain.tld. 300 IN A 89.38.xxx.xxx
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=user@domain.tld
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: permerror (invalid key: invalid character U+0022 in base64 data)
ID(s) verified:
Canonicalized Headers:
to:checkmyauth@auth.returnpath.net,'20'check-auth@verifier.port25.com'0D''0A'
from:Carlos'20'Ferreira'20'<user@domain.tld>'0D''0A'
subject:Checking'20'SPF,'20'DKIM'20'and'20'DMARC'0D''0A'
date:Sat,'20'11'20'Mar'20'2017'20'13:30:30'20'+0100'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=domain.tld;'20's=mail;'20't=1489235426;'20'bh=aUBG3uU09xpfpQCKdRCOHMAhNMqXt1hzItBzJSAiuXI=;'20'h=To:From:Subject:Date:From;'20'b=
Canonicalized Body:
DNS record(s):
mail._domainkey.domain.tld. 300 IN TXT ""v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbUWctLr8yRhcc1VgZ8axyqsbSlgWioLHUqgz8UA31pYbe4GVbUvioFx0+LXAj2qxbMqqDLqEG24llNTBwXZx2pYaHMDLPTAXEHXFmZME/3j130YFVWZ9zt1cl7v6PqtQADJ9iaYZuJVWDrmrTCqWjakDjm5iCbPtWVU0B1S1INCRYvxQrXGSAXnJoq3aLMB1ENlInLyFkHym/Ae8qmOkLcuzxTJZXb4dlyNEDgKXW63UQqcMlTf0LMRGSFtjqFh5eiN6lwpv2jT76vgzHXDcIwlwx92eiV0wHQboBWDa9yZVofaQzjxVzheBFUo2qv8IFA3OHG+dylLH+m3rzVZnQIDAQAB""
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)
Result: ham (-0.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[89.38.xxx.xxx listed in bb.barracudacentral.org]
0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL
was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[89.38.xxx.xxx listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================
SPF and Sender-ID Results
=========================
"none"
No policy records were published at the sender's DNS domain.
"neutral"
The sender's ADMD has asserted that it cannot or does not
want to assert whether or not the sending IP address is authorized
to send mail using the sender's DNS domain.
"pass"
The client is authorized by the sender's ADMD to inject or
relay mail on behalf of the sender's DNS domain.
"policy"
The client is authorized to inject or relay mail on behalf
of the sender's DNS domain according to the authentication
method's algorithm, but local policy dictates that the result is
unacceptable.
"fail"
This client is explicitly not authorized to inject or
relay mail using the sender's DNS domain.
"softfail"
The sender's ADMD believes the client was not authorized
to inject or relay mail using the sender's DNS domain, but is
unwilling to make a strong assertion to that effect.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability to
retrieve a policy record from DNS. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being absent or
a syntax error in a retrieved DNS TXT record. A later attempt is
unlikely to produce a final result.
DKIM and DomainKeys Results
===========================
"none"
The message was not signed.
"pass"
The message was signed, the signature or signatures were
acceptable to the verifier, and the signature(s) passed
verification tests.
"fail"
The message was signed and the signature or signatures were
acceptable to the verifier, but they failed the verification
test(s).
"policy"
The message was signed but the signature or signatures were
not acceptable to the verifier.
"neutral"
The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to be
processed. This result SHOULD also be used for other
failures not covered elsewhere in this list.
"temperror"
The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability
to retrieve a public key. A later attempt may produce a
final result.
"permerror"
The message could not be verified due to some error that
is unrecoverable, such as a required header field being
absent. A later attempt is unlikely to produce a final result.
==========================================================
Original Email
==========================================================
Return-Path: <user@domain.tld>
Received: from mail.domain.tld (89.38.xxx.xxx) by verifier.port25.com id hofmu820i3g5 for <check-auth@verifier.port25.com>; Sat, 11 Mar 2017 07:30:28 -0500 (envelope-from <user@domain.tld>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=user@domain.tld
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=user@domain.tld
Authentication-Results: verifier.port25.com; dkim=permerror (invalid key: invalid character U+0022 in base64 data)
Received: from localhost (localhost [127.0.0.1])
by mail.domain.tld (Postfix) with ESMTP id C6F39318B;
Sat, 11 Mar 2017 12:30:26 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mail.domain.tld
Received: from mail.domain.tld ([127.0.0.1])
by localhost (mail.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pgbF05FR6MoJ; Sat, 11 Mar 2017 12:30:26 +0000 (UTC)
Received: from authenticated-user (mail.domain.tld [127.0.0.1])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
(Authenticated sender: user@domain.tld)
by mail.domain.tld (Postfix) with ESMTPSA id 243B5A4C;
Sat, 11 Mar 2017 12:30:26 +0000 (UTC)
Authentication-Results: mail.domain.tld; dmarc=fail header.from=domain.tld
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.tld; s=mail;
t=1489235426; bh=aUBG3uU09xpfpQCKdRCOHMAhNMqXt1hzItBzJSAiuXI=;
h=To:From:Subject:Date:From;
b=UHDsdVwaL/pMNDzb+uq11EOlkzefcrC1FYU1gwsHf0TViUH0FuMLEWh7j/UHQYHGR
er82o29LzcBGPgqe6zwVXx5VB9KLAEWyMx3E/+e3wkwK+Hp2ylQbNNMGtTklRHjm8v
1Rbm+HE79rTnWTGf6PllkQyIZAPBhPXilWEUGr4y2XCGIlIq2HzsMuUs/2MRoTWu6X
5IkEQSqI8p0s4HB4Jec7Oyz4M5obCL8v66/GevGB+sZi/fOUTu6f60iUMtpASb0n7G
ZwyRijmBqInUQRUjr3Bpo/l5RQfzx6koFeVeND6maafLARV7uDtorw/ep+YgBKw7i3
PA2MgoFNPjekQ==
To: checkmyauth@auth.returnpath.net, check-auth@verifier.port25.com
From: Carlos Ferreira <user@domain.tld>
Subject: Checking SPF, DKIM and DMARC
Message-ID: <aa424075-226d-76c9-38f3-c5a3ef64164f@domain.tld>
Date: Sat, 11 Mar 2017 13:30:30 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------E5A746D0A96A7A70B994D093"
This is a multi-part message in MIME format.
--------------E5A746D0A96A7A70B994D093
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
This is just a test for checking SPF, DKIM and DMARC
--------------E5A746D0A96A7A70B994D093
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="-1"><font face="Calibri">This is just a test for checking
SPF, DKIM and DMARC</font></font><br>
</p>
</body>
</html>
--------------E5A746D0A96A7A70B994D093--
dkim=permerror (invalid key: invalid character U+0022 in base64 data)
Check your _domainkey record.
cat /mnt/docker/mail/opendkim/domain.tld/mail.txt
MUST BE EQUAL TO:
dig +short TXT mail._domainkey.domain.tld
The TXT file outputs weird (with line breaks), but I think they are EQUAL.
user@mail:/# cat /mnt/docker/mail/opendkim/domain.tld/mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbUWctLr8yRhcc1VgZ8axyqsbSlgWioLHUqgz8UA31pYbe4GVbUvioFx0+LXAj2qxbMqqDLqEG24llNTBwXZx2pYaHMDLPTAXEHXFmZME/3j130YFVWZ9zt1cl7v6PqtQADJ9iaYZuJVWDrmrTCqWjakDjm5iCbPtWVU0B1S1INCRYvxQrXGSAXnJoq3aLMB1ENlInLyFkHym/"
"Ae8qmOkLcuzxTJZXb4dlyNEDgKXW63UQqcMlTf0LMRGSFtjqFh5eiN6lwpv2jT76vgzHXDcIwlwx92eiV0wHQboBWDa9yZVofaQzjxVzheBFUo2qv8IFA3OHG+dylLH+m3rzVZnQIDAQAB" ) ; ----- DKIM key mail for domain.tld
user@mail:/# dig +short TXT mail._domainkey.domain.tld
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbUWctLr8yRhcc1VgZ8axyqsbSlgWioLHUqgz8UA31pYbe4GVbUvioFx0+LXAj2qxbMqqDLqEG24llNTBwXZx2pYaHMDLPTAXEHXFmZME/3j130YFVWZ9zt1cl7v6PqtQADJ9iaYZuJVWDrmrTCqWjakDjm5iCbPtWVU0B1S1INCRYvxQrXGSAXnJoq3aLMB1" "ENlInLyFkHym/Ae8qmOkLcuzxTJZXb4dlyNEDgKXW63UQqcMlTf0LMRGSFtjqFh5eiN6lwpv2jT76vgzHXDcIwlwx92eiV0wHQboBWDa9yZVofaQzjxVzheBFUo2qv8IFA3OHG+dylLH+m3rzVZnQIDAQAB"
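The zone file and the `dig` output split the record into quoted strings at different offsets, so comparing them by eye is unreliable. The following added example (not part of the original thread, and not code from the project) joins the strings the way a resolver does, compares the two values, and flags a literal quote inside the value, which is what the `invalid character U+0022 in base64 data` result points to. The function names and the short sample key are constructed for illustration.

```python
import base64
import re

def txt_value(presentation: str) -> str:
    """Join the quoted character-strings of a TXT record, as a resolver does.

    Accepts a BIND zone-file entry (parentheses, line breaks, trailing
    ';' comment without quotes) or a `dig +short TXT` line.
    Simplification: decimal escapes are not decoded.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    return re.sub(r"\\(.)", r"\1", "".join(chunks))

def dkim_key_problems(value: str) -> list[str]:
    """Return the defects that make a verifier reject this DKIM key record."""
    problems = []
    if '"' in value:
        problems.append("literal U+0022 in TXT value")
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    if "p" not in tags:
        problems.append("no p= tag")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: KEY is 48 arbitrary bytes, not a real public key.
KEY = base64.b64encode(bytes(range(48))).decode()
ZONE = ('mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
        f'  "p={KEY[:40]}"\n'
        f'  "{KEY[40:]}" ) ; ----- DKIM key mail for domain.tld')
DIG = f'"v=DKIM1; k=rsa; p={KEY[:25]}" "{KEY[25:]}"'
# Constructed: the quotes were pasted into the record value itself.
BROKEN = r'"\"v=DKIM1; k=rsa; p=' + KEY + r'\""'

def check(zone: str, dig: str):
    """Compare the published record with the zone file and list key defects."""
    return txt_value(zone) == txt_value(dig), dkim_key_problems(txt_value(dig))

if __name__ == "__main__":
    print(check(ZONE, DIG))
    print(check(ZONE, BROKEN))
```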
It's BIND file format, widely adopted by other DNS systems like NSD. What type of authoritative server do you use?
Well, I'm using my registrar's DNS system, BIND9 based.
I don't know why, but I've just replaced (again) the content of my record after cleaning it at http://dkimcore.org/c/keycheck and it works now... almost.
I still have two Authentication-Results headers with different results on DMARC:
1st
mx.google.com; dkim=pass header.i=@domain.tld; spf=pass (google.com: domain of c.ferreira@domain.tld designates 89.38.xxx.xxx as permitted sender) smtp.mailfrom=c.ferreira@domain.tld; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domain.tld
2nd
mail.domain.tld; dmarc=fail header.from=domain.tld
Maybe related to https://github.com/hardware/mailserver/issues/86?
Maybe related to #86?
Yes, you can ignore it.
My DKIM tests are a bit strange.
When sending an email to a GMail account:
mx.google.com; dkim=fail header.i=@domain.tld; spf=pass (google.com: domain of user@domain.tld designates 89.38.xxx.xxx as permitted sender) smtp.mailfrom=user@domain.tld; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domain.tld
mail.domain.tld; dmarc=fail header.from=domain.tld
Using http://www.appmaildev.com/en/dkim/