lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

DKIM validation fails - DKIM_SIGERROR_KEY_HASHNOTINCLUDED #432

Closed urmel1960 closed 6 months ago

urmel1960 commented 6 months ago

I have the following issue: sending a mail with Thunderbird from "name1@domain.tld" to "name2@domain.tld" and "name3@gmail.com".

Both accounts "domain.tld" and "gmail" are setup in Thunderbird.

The received mail for "name2@domain.tld" in account "domain.tld" shows an invalid hash algorithm in the DKIM key record. The received mail for "name3@gmail" in account "gmail" is properly marked as validly signed by "domain.tld", with SPF:pass and DMARC:pass.

I am using: TB 115.7.0 (64-Bit), DKIM Verifier Addon 5.4.0

Debug-Log:

10:30:19.412 DKIM_Verifier.Verifier WARN     Error verifying the signature DKIM_SigError: DKIM_SIGERROR_KEY_HASHNOTINCLUDED
    #checkKey moz-extension://a6018673-7d34-4e1e-8d46-252fa88bfefb/modules/dkim/verifier.mjs.js:1330
    verify moz-extension://a6018673-7d34-4e1e-8d46-252fa88bfefb/modules/dkim/verifier.mjs.js:1404
verifier.mjs.js:1454:8

Mail Source:

Return-Path: <name1@domain.tld>
X-Original-To: name2@domain.tld
Delivered-To: name2@domain.tld
Received: from [10.10.0.10] (cable-static.breitband.tld [redacted])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mta.domain.tld (Mailserver) with ESMTPSA id 0E0182A4D818A;
    Mon,  5 Feb 2024 10:30:20 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.tld; s=DKIM-FEB2024;
    t=1707125420;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc:mime-version:mime-version:content-type:content-type:
     content-transfer-encoding:content-transfer-encoding;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=Q7CKpfS0t0W2qpLbZaPzRO6bTVWT/RT1UPA+KvrBofrgufwV5jK8Ln7662+87ItD/w16DK
    /Ut7n7PldyJLksUhu1wx0TKaeNi4C8PiemF82oWPQ7ZKOMG5YEBodTH655cGw78KxgLWZN
    6B4zS2kW90FaWbyPfWbEMFfclwd9DbZUI8hKTSYoSmRQoGCdXyhWHo3M/yFUHBdVw+3g2U
    +7IY6sPfsI7XgQlCcvsEISqmfy0nlOUIDSoODMWR7PhYs4gG7opcybc2lHvaqAZs6u8oeG
    9DD6D1Gw4Khm9vk5hP4GKgo+fDnTdubudF5LNrE2YBTot0nYx9r4BUOQZiFPFQ==
Message-ID: <a299b7de-cc04-4a9f-81ad-bef3c355d24a@domain.tld>
Date: Mon, 5 Feb 2024 10:30:13 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: name1@domain.tld
Subject: Test
To: name3@gmail.com, name2@domain.tld
Content-Language: de-de, en-US, de-DE
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

The same DKIM-signed mail is in one case marked as invalid (having errors) and in the second case it is marked as valid. Usually it should be validated as validly DKIM-signed in both cases.

Maybe I have overseen something?

Any help is highly appreciated.

lieser commented 6 months ago

What you are describing is a very strange behavior.

Please make sure this is not a caching issue, e.g the results being stored. If you are storing the result or the DKIM keys you can force an update via the DKIM button in the header.

If the issue is persistent please enable the debug mode and post the log. You can also send it to me via email if you do not want to post it publicly.

urmel1960 commented 6 months ago

@lieser I just sent you an email with the log.

Thanks

lieser commented 6 months ago

Thanks for the logs. Enabling the reading of the ARH explains the difference.

It is a problem with the h-tag in your DKIM key (h=rsa-sha256), which is invalid. It must only contain the actual hash algorithm (sha256).

See also https://github.com/lieser/dkim_verifier/issues/41#issuecomment-69327926.

Other verifiers often do not enforce the RFC as strictly as the addon which is why it works there.
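To make the failing check concrete, here is an added example (written for this page, not code from the dkim_verifier add-on) of the RFC 6376 section 3.6.1 rule the maintainer is describing: the key record's optional h= tag lists bare hash algorithm names, a verifier ignores names it does not recognize, and if the hash from the signature's a= tag is not among the recognized ones the signature is rejected. The key records below are constructed with a placeholder p= value, and the error string mirrors the add-on's error name from the log above.

```javascript
// Added example, not the add-on's code: check a DKIM key record's h= tag
// against the signature's a= tag the way RFC 6376 section 3.6.1 requires.

// Parse a DKIM tag=value list ("v=DKIM1; h=sha256; k=rsa; p=...").
function parseTagList(text) {
  const tags = {};
  for (const part of text.split(';')) {
    const trimmed = part.trim();
    if (trimmed === '') continue;
    const eq = trimmed.indexOf('=');
    if (eq === -1) throw new Error(`malformed tag: ${trimmed}`);
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    if (name in tags) throw new Error(`duplicate tag: ${name}`);
    tags[name] = value;
  }
  return tags;
}

// The signature's a= tag is "<sig-alg>-<hash-alg>", e.g. rsa-sha256.
function signatureHash(aTag) {
  const m = /^([a-z0-9]+)-([a-z0-9]+)$/i.exec(aTag);
  if (!m) throw new Error(`malformed a= tag: ${aTag}`);
  return m[2].toLowerCase();
}

// Hash algorithms a DKIM verifier recognizes in h= (RFC 6376 section 3.3).
const KNOWN_HASHES = new Set(['sha1', 'sha256']);

// Returns 'ok' when the key record permits the signature's hash, otherwise
// the error name the add-on logs for this condition.
function checkKeyHash(keyRecord, aTag) {
  const key = parseTagList(keyRecord);
  const hash = signatureHash(aTag);
  if (!('h' in key)) return 'ok'; // h= omitted: every algorithm is allowed
  const listed = key.h.split(':').map((s) => s.trim().toLowerCase());
  // Unrecognized names such as "rsa-sha256" MUST be ignored, so they can
  // never satisfy the check; only bare hash names count.
  const accepted = listed.filter((h) => KNOWN_HASHES.has(h));
  return accepted.includes(hash) ? 'ok' : 'DKIM_SIGERROR_KEY_HASHNOTINCLUDED';
}

// Constructed key records; p= is a placeholder, not a real public key.
const BAD_KEY = 'v=DKIM1; h=rsa-sha256; k=rsa; p=AAAA';
const GOOD_KEY = 'v=DKIM1; h=sha256; k=rsa; p=AAAA';

// a= tag taken from the DKIM-Signature header quoted in this issue.
const SIG_ALG = 'rsa-sha256';

function demo() {
  return {
    bad: checkKeyHash(BAD_KEY, SIG_ALG),   // DKIM_SIGERROR_KEY_HASHNOTINCLUDED
    good: checkKeyHash(GOOD_KEY, SIG_ALG), // ok
  };
}
```

Run it with node and inspect `demo()`: the record carrying h=rsa-sha256 fails exactly as in the debug log, while the same record with h=sha256 passes. A verifier that accepts the bad record is not being lenient about the hash so much as skipping the h= check entirely, which is the difference the maintainer points out.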

urmel1960 commented 6 months ago

I fell into the same trap as the others before me. I had also created the DNS entry with opendkim-genkey. This tool shouldn't actually accept an incorrect value for a parameter ....

Anyway - thanks for your effort - I changed the h-tag - works fine now.