lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

authorized subdomain signing labeled as "DKIM Invalid (Wrong signer"? #69

Closed ghost closed 8 years ago

ghost commented 8 years ago

I use opendkim to sign my emails.

My opendkim SigningTable includes:

*@mail.example.com    selector._domainkey.example.com
*@example.com         selector._domainkey.example.com

and in my dns, I've published ONLY an organizational domain record

_dmarc.example.com. 5 IN TXT (
  "v=DMARC1; p=reject; sp=reject;"
  "rua=mailto:postmaster+dmarc_rua@example.com,mailto:xxxxxxx@ag.dmarcian.com;"
  "ruf=mailto:dmarc_ruf@example.com;"
  "fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"
)

with the understanding that if a specific policy record for a subdomain does not exist in DNS, the policy from the organizational domain will be applied. i.e., for any *.example.com subdomain,

sp     Policy for subdomains of the OD     sp=reject

So with that signing policy, emails sent from the '*@mail.example.com' subdomain should be signed by 'example.com', and accepted as valid.

When I send from my 'mail.example.com' domain to my 'example.com' domain,

sendmail -i -f test@mail.example.com -t <<TEST
From: test@mail.example.com
To: test@example.com
Subject: test
test
TEST

The received email's signed correctly,

...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=selector; t=1464032795;
    bh=U...=;
    h=From:To:Subject:Date:From;
    z=From:=20test@mail.example.com|To:=20test@example.com
     |Subject:=20test|Date:=20Mon,=2023=20May=202016=2012:
     46:35=20-0700=20(PDT);
    b=M...=
...

But the DKIM plugin in Thunderbird displays

DKIM Invalid (Wrong signer (should be mail.example.com))

The design here is, of course, that 'example.com' IS a valid signer for the 'mail.example.com' subdomain.

I've got

DKIM Verifier Options
    General
        Policy
            [X] Use DMARC to heuristically determinate if an e-mail should be signed

    (p.s., typo there^^ ... should be "determine", not "determinate")

checked, so it should, in principle, be getting the DMARC policy correctly.

So, the question is -- why's it saying it's not? Config in the extension, or a problem in DKIM/DMARC config?

lieser commented 8 years ago

Thanks for the detailed error report. Unfortunately, I was unable to reproduce your problem with the DMARC record you gave. Could you please either enable debugging and send me the output shown in the Error Console (especially the "DKIM_Verifier.DNSWrapper", "DKIM_Verifier.DMARC" and "DKIM_Verifier.Policy" part), or send one of the problematic e-mails to dkim.verifier.addon@gmail.com?

Also thanks for reporting the typo.

ghost commented 8 years ago

Here's the debug output -- no errors, no warnings, only messages

2016-05-23 15:09:29 DKIM_Verifier.AuthVerifier  DEBUG   AuthResult result found: {"version":"2.0","dkim":[{"version":"2.0","result":"PERMFAIL","sdid":"example.com","auid":"@example.com","selector":"selector","errorType":"DKIM_POLICYERROR_WRONG_SDID","errorStrParams":[["mail.example.com"]],"hideFail":false,"res_num":30,"result_str":"Invalid (Wrong signer (should be mail.example.com))"}]}
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   initialized
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: libunbound loaded
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: context created
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: data: v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: qname: _dmarc.mail.example.com, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined
2016-05-23 15:09:39 DKIM_Verifier.DNSWrapper    DEBUG   result: ({data:["v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"], rcode:0, secure:false, bogus:false})
2016-05-23 15:09:39 DKIM_Verifier.DMARC DEBUG   DMARCPolicy: ({adkim:"r", pct:100, p:"reject", domain:"mail.example.com", source:"mail.example.com"})
2016-05-23 15:09:39 DKIM_Verifier.Policy    DEBUG   shouldBeSigned: true; sdid: mail.example.com; hideFail: false; foundRule: false
2016-05-23 15:09:39 DKIM_Verifier.Verifier  DEBUG   1 DKIM-Signatures found.
2016-05-23 15:09:39 DKIM_Verifier.Verifier  DEBUG   Verifying DKIM-Signature 1 ...
2016-05-23 15:09:39 DKIM_Verifier.Verifier  DEBUG   Parsed DKIM-Signature 1: ({original_header:"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n\ts=selector; t=1464041375;\r\n\tbh=UltdE6j5YtGeucVuwQXd1pmn+PfGfpqGVLsz+L/sUOs=;\r\n\th=From:To:Subject:Date:From;\r\n\tz=From:=20postmaster@mail.example.com|To:=20user2@example\r\n\t .com|Subject:=20test|Date:=20Mon,=2023=20May=202016=2015:\r\n\t 09:35=20-0700=20(PDT);\r\n\tb=l...Q==\r\n", warnings:[], v:"1", a_sig:"rsa", a_hash:"sha256", b:"l...Q==", b_folded:"l...Q==", bh:"U...=", c_header:"relaxed", c_body:"relaxed", d:"example.com", h:"From:To:Subject:Date:From", h_array:["from", "to", "subject", "date", "from"], i:"@example.com", i_domain:"example.com", l:null, q:"dns/txt", s:"selector", t:1464041375, x:null, z:"From:=20postmaster@mail.example.com|To:=20user2@example.com|Subject:=20test|Date:=20Mon,=2023=20May=202016=2015:09:35=20-0700=20(PDT)"})
2016-05-23 15:09:39 DKIM_Verifier.Verifier  WARN    DKIM_POLICYERROR_WRONG_SDID: DKIM Signature Error: Wrong signer (should be mail.example.com) (resource://dkim_verifier/helper.jsm:1:27) JS Stack trace: Policy_checkSDID@dkimPolicy.jsm:389:1 < verifySignature@dkimVerifier.jsm:994:1
2016-05-23 15:09:39 DKIM_Verifier.Verifier  DEBUG   Exception on DKIM-Signature 1
2016-05-23 15:09:39 DKIM_Verifier.AuthVerifier  DEBUG   save AuthResult result
2016-05-23 15:11:18 DKIM_Verifier.AuthVerifier  DEBUG   AuthResult result found: {"version":"2.0","dkim":[{"version":"2.0","result":"SUCCESS","warnings":[],"sdid":"github.com","auid":"@github.com","res_num":10,"result_str":"Valid (Signed by github.com)","warnings_str":[]}],"spf":[{"method":"spf","result":"pass","propertys":{"smtp":{"mailfrom":"noreply@github.com"},"header":{},"body":{},"policy":{}}}],"dmarc":[{"method":"dmarc","result":"pass","propertys":{"smtp":{},"header":{"from":"github.com"},"body":{},"policy":{}}}]}
lieser commented 8 years ago

The problem is that a DNS query to _dmarc.mail.example.com returns a DMARC record. So you have not just published a DMARC record for "example.com", but also one for the subdomain "mail.example.com". As you have stated otherwise in your initial post, this may not be intended by you.

The existence of a DMARC record in the subdomain results in the DMARC heuristic of the add-on only setting the subdomain "mail.example.com" as an allowed SDID. If only the organizational domain "example.com" had a DMARC record, both "mail.example.com" and "example.com" would be set as allowed SDIDs.

Let me emphasize that the DMARC option in the add-on uses the information in the DMARC header in a non-standard way. So although I'm happy that you are trying to be compatible with my add-on, you do not have to do so to be standards-conformant. This also means I would be open to changing the current behavior of my add-on.

ghost commented 8 years ago

The problem is that a DNS query to _dmarc.mail.example.com returns a DMARC record. So you have not just published a DMARC record for "example.com", but also one for the subdomain "mail.example.com". As you have stated otherwise in your initial post, this may not be intended by you.

I'm not clear where that's coming from.

I have NOT published a subdomain record.

As I mentioned above,

"I've published ONLY an organizational domain record"

And verifying that,

dig TXT selector._domainkey.example.com +short @8.8.8.8
    selector._domainkey.example.com.
    "v=DKIM1; h=sha256; k=rsa; s=email; t=s;" "p=M...B;"

dig TXT selector._domainkey.mail.example.com +short @8.8.8.8
    (empty)

So, as you point out,

If only the organizational domain "example.com" had a DMARC record, both "mail.example.com" and "example.com" would be set as allowed SDIDs.

I'm expecting exactly that^ -- that both are set as allowed SDIDs.

What have I missed?

lieser commented 8 years ago

From the posted debug output:

2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: data: v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;
2016-05-23 15:09:39 DKIM_Verifier.libunbound    DEBUG   libunboundWorker: qname: _dmarc.mail.example.com, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined
2016-05-23 15:09:39 DKIM_Verifier.DNSWrapper    DEBUG   result: ({data:["v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"], rcode:0, secure:false, bogus:false})

Note the qname: _dmarc.mail.example.com, which is the DNS name that the query was for.

This shows that a TXT record exists for _dmarc.mail.example.com. In fact, it seems to return the same DMARC record as you have said in your initial post that you have published for _dmarc.example.com.

The dig output you posted is for DKIM keys, and has nothing to do with this.
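The SDID heuristic lieser describes two comments up, together with the point made here that the DMARC record lives under `_dmarc.<domain>` and not under `<selector>._domainkey.<domain>`, as an added Python example. This is not the add-on's code: DNS is replaced by a constructed in-memory TXT table so it runs offline, and the organizational domain is simplified to the last two labels (an assumption; RFC 7489 uses the Public Suffix List, which matters for names like example.co.uk). For contrast it also implements standard DMARC identifier alignment, under which d=example.com is relaxed-aligned with a From domain of mail.example.com whether or not the subdomain has its own record.

```python
"""Added example: DMARC-based 'allowed signer' heuristic vs. standard alignment.

Two constructed zones reproduce the thread. ZONE_ORG_ONLY is the DNS the
reporter intended (organizational-domain record only); ZONE_WITH_SUBDOMAIN is
what the debug log showed (the same record also published at the subdomain).
"""

# Constructed TXT data keyed by DNS name. Note the DMARC name is _dmarc.<domain>;
# a DKIM key lives at <selector>._domainkey.<domain> and is irrelevant here.
ZONE_ORG_ONLY = {
    "selector._domainkey.example.com": "v=DKIM1; h=sha256; k=rsa; s=email; t=s; p=M...B;",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100;",
}
ZONE_WITH_SUBDOMAIN = dict(ZONE_ORG_ONLY)
ZONE_WITH_SUBDOMAIN["_dmarc.mail.example.com"] = ZONE_ORG_ONLY["_dmarc.example.com"]


def parse_dmarc(txt):
    """Parse 'tag=value;' pairs; return None if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def organizational_domain(domain):
    """Assumption/simplification: last two labels. Real code uses the PSL."""
    return ".".join(domain.split(".")[-2:])


def dmarc_policy(zone, from_domain):
    """Policy discovery as in RFC 7489 s.6.6.3: query _dmarc.<From domain>;
    if nothing valid is there, fall back to _dmarc.<organizational domain>.
    Returns (tags, domain_the_record_was_found_at) or (None, None)."""
    candidates = [from_domain]
    org = organizational_domain(from_domain)
    if org != from_domain:
        candidates.append(org)
    for name in candidates:
        txt = zone.get("_dmarc." + name)
        if txt:
            tags = parse_dmarc(txt)
            if tags:
                return tags, name
    return None, None


def allowed_sdids(zone, from_domain):
    """The add-on heuristic as described in the thread: a record found at the
    From domain itself allows only that domain as signer; a record inherited
    from the organizational domain allows both. p=none means no expectation."""
    tags, source = dmarc_policy(zone, from_domain)
    if tags is None or tags.get("p", "none") == "none":
        return None
    if source == from_domain:
        return {from_domain}
    return {from_domain, source}


def check_sdid(zone, from_domain, sdid):
    """Mirror the add-on's verdict for a signature with d=<sdid>."""
    allowed = allowed_sdids(zone, from_domain)
    if allowed is None:
        return "no policy"
    if sdid in allowed:
        return "ok"
    return "wrong signer (should be %s)" % from_domain


def dmarc_aligned(from_domain, sdid, adkim="r"):
    """Standard DMARC DKIM identifier alignment (RFC 7489 s.3.1.1): strict
    requires an exact match, relaxed requires equal organizational domains."""
    if adkim == "s":
        return from_domain == sdid
    return organizational_domain(from_domain) == organizational_domain(sdid)


if __name__ == "__main__":
    for label, zone in (("org only", ZONE_ORG_ONLY), ("with subdomain", ZONE_WITH_SUBDOMAIN)):
        print(label, "->", check_sdid(zone, "mail.example.com", "example.com"),
              "| aligned(r):", dmarc_aligned("mail.example.com", "example.com", "r"))
```

Running it shows the asymmetry the thread turns on: with only the organizational record, d=example.com is accepted; with a record also at _dmarc.mail.example.com, the heuristic demands d=mail.example.com, while standard relaxed alignment passes in both cases. To reproduce the lookup the add-on performed against real DNS, query TXT for `_dmarc.mail.example.com` and `_dmarc.example.com`, not the `_domainkey` names.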

ghost commented 8 years ago

Wow, I must've stared at that a dozen times, seeing DKIM, thinking DMARC. PEBKAC :-/

Thanks for the catch.

I'd rm'd the dmarc reference at Dmarcian.org -- but NOT from my DNS! Now, fixed -- and your extension works as expected:

For mail sent from 'user@mail.example.com', the extension header correctly reports

DKIM Valid (Signed by 'example.com')

Thank you.

lieser commented 8 years ago

No Problem. Always nice to see that people are not only using the add-on, but are also taking the time to report potential issues.