lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

hash algorithm rsa-sha256 not supported? #41

Closed kkretsch closed 9 years ago

kkretsch commented 9 years ago

One of my domains: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dialog.photo; s=mail; always gives invalid signing alerts (invalid hash algorithm in DKIM key record). Within the DNS it has v=DKIM1; h=rsa-sha256; k=rsa; p=...

Compared to another (working) domain which doesn't have the "h" attribute in the TXT record. The h= was generated by the opendkim tools so it shouldn't be that wrong?

lieser commented 9 years ago

The h-tag has a wrong format. Although in the DKIM signature both the signing algorithm (rsa) and the hash algorithm (sha256) are specified in the same tag, in the DKIM key record they are specified in separate tags. So it should be v=DKIM1; h=sha256; k=rsa; p=....

See also https://github.com/lieser/dkim_verifier/issues/21#issuecomment-32156023 for the exact syntax of the h-tag.
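
The check discussed in this thread, as an added example (not code from dkim_verifier; the function and constant names are hypothetical): the signature's `a=` tag is split into key type and hash and compared against the key record's separate `k=` and `h=` tags. It assumes the RFC 6376 rules that `k=` defaults to `rsa`, a missing `h=` allows all hashes, and unrecognized `h=` entries are ignored.

```javascript
// Added example, not dkim_verifier code; function names are hypothetical.
const KNOWN_HASHES = ["sha1", "sha256"]; // hash algorithms defined by RFC 6376

// Parse the "tag=value; tag=value" list used by both the DKIM-Signature
// header and the DNS key record.
function parseTagList(text) {
  const tags = new Map();
  for (const part of text.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // empty segment after a trailing ";"
    tags.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return tags;
}

// Decide whether the key record permits the algorithm the signature uses.
function checkKeyRecord(signatureHeader, keyRecord) {
  const sig = parseTagList(signatureHeader);
  const key = parseTagList(keyRecord);
  const parts = (sig.get("a") || "").split("-");
  if (parts.length !== 2) return { ok: false, reason: "malformed a= tag" };
  const [sigKeyType, sigHash] = parts;

  const keyType = key.get("k") || "rsa"; // k= defaults to rsa
  if (keyType !== sigKeyType) return { ok: false, reason: "key type mismatch" };

  if (!key.has("h")) return { ok: true, reason: "no h= tag, all hashes allowed" };
  const listed = key.get("h").split(":").map((h) => h.trim());
  // Unrecognized entries are ignored, so "rsa-sha256" permits nothing.
  const permitted = listed.filter((h) => KNOWN_HASHES.includes(h));
  if (permitted.includes(sigHash)) return { ok: true, reason: "hash permitted" };
  return { ok: false, reason: "hash " + sigHash + " not permitted by h=" + key.get("h") };
}

// Inputs taken from the issue; "p=..." is elided there and left as is.
const SIGNATURE = "v=1; a=rsa-sha256; c=relaxed/simple; d=dialog.photo; s=mail;";
const BROKEN_KEY = "v=DKIM1; h=rsa-sha256; k=rsa; p=...";
const FIXED_KEY = "v=DKIM1; h=sha256; k=rsa; p=...";
const NO_H_KEY = "v=DKIM1; k=rsa; p=...";

for (const record of [BROKEN_KEY, FIXED_KEY, NO_H_KEY]) {
  console.log(record, "=>", checkKeyRecord(SIGNATURE, record));
}
```
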