Closed ghost closed 8 years ago
Thanks for the detailed error report. Unfortunately, I was unable to reproduce your problem with the DMARC record you gave. Could you please either enable debugging and send me the output shown in the Error Console (especially the "DKIM_Verifier.DNSWrapper", "DKIM_Verifier.DMARC" and "DKIM_Verifier.Policy" part), or send one of the problematic e-mails to dkim.verifier.addon@gmail.com?
Also thanks for reporting the typo.
Here's the debug output -- no errors, no warnings, only messages
2016-05-23 15:09:29 DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"2.0","dkim":[{"version":"2.0","result":"PERMFAIL","sdid":"example.com","auid":"@example.com","selector":"selector","errorType":"DKIM_POLICYERROR_WRONG_SDID","errorStrParams":[["mail.example.com"]],"hideFail":false,"res_num":30,"result_str":"Invalid (Wrong signer (should be mail.example.com))"}]}
2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG initialized
2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: libunbound loaded
2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: context created
2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: data: v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;
2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: qname: _dmarc.mail.example.com, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined
2016-05-23 15:09:39 DKIM_Verifier.DNSWrapper DEBUG result: ({data:["v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"], rcode:0, secure:false, bogus:false})
2016-05-23 15:09:39 DKIM_Verifier.DMARC DEBUG DMARCPolicy: ({adkim:"r", pct:100, p:"reject", domain:"mail.example.com", source:"mail.example.com"})
2016-05-23 15:09:39 DKIM_Verifier.Policy DEBUG shouldBeSigned: true; sdid: mail.example.com; hideFail: false; foundRule: false
2016-05-23 15:09:39 DKIM_Verifier.Verifier DEBUG 1 DKIM-Signatures found.
2016-05-23 15:09:39 DKIM_Verifier.Verifier DEBUG Verifying DKIM-Signature 1 ...
2016-05-23 15:09:39 DKIM_Verifier.Verifier DEBUG Parsed DKIM-Signature 1: ({original_header:"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n\ts=selector; t=1464041375;\r\n\tbh=UltdE6j5YtGeucVuwQXd1pmn+PfGfpqGVLsz+L/sUOs=;\r\n\th=From:To:Subject:Date:From;\r\n\tz=From:=20postmaster@mail.example.com|To:=20user2@example\r\n\t .com|Subject:=20test|Date:=20Mon,=2023=20May=202016=2015:\r\n\t 09:35=20-0700=20(PDT);\r\n\tb=l...Q==\r\n", warnings:[], v:"1", a_sig:"rsa", a_hash:"sha256", b:"l...Q==", b_folded:"l...Q==", bh:"U...=", c_header:"relaxed", c_body:"relaxed", d:"example.com", h:"From:To:Subject:Date:From", h_array:["from", "to", "subject", "date", "from"], i:"@example.com", i_domain:"example.com", l:null, q:"dns/txt", s:"selector", t:1464041375, x:null, z:"From:=20postmaster@mail.example.com|To:=20user2@example.com|Subject:=20test|Date:=20Mon,=2023=20May=202016=2015:09:35=20-0700=20(PDT)"})
2016-05-23 15:09:39 DKIM_Verifier.Verifier WARN DKIM_POLICYERROR_WRONG_SDID: DKIM Signature Error: Wrong signer (should be mail.example.com) (resource://dkim_verifier/helper.jsm:1:27) JS Stack trace: Policy_checkSDID@dkimPolicy.jsm:389:1 < verifySignature@dkimVerifier.jsm:994:1
2016-05-23 15:09:39 DKIM_Verifier.Verifier DEBUG Exception on DKIM-Signature 1
2016-05-23 15:09:39 DKIM_Verifier.AuthVerifier DEBUG save AuthResult result
2016-05-23 15:11:18 DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"2.0","dkim":[{"version":"2.0","result":"SUCCESS","warnings":[],"sdid":"github.com","auid":"@github.com","res_num":10,"result_str":"Valid (Signed by github.com)","warnings_str":[]}],"spf":[{"method":"spf","result":"pass","propertys":{"smtp":{"mailfrom":"noreply@github.com"},"header":{},"body":{},"policy":{}}}],"dmarc":[{"method":"dmarc","result":"pass","propertys":{"smtp":{},"header":{"from":"github.com"},"body":{},"policy":{}}}]}
The problem is that a DNS query to _dmarc.mail.example.com returns a DMARC record. So you have not just published a DMARC record for "example.com", but also one for the subdomain "mail.example.com". As you have stated otherwise in your initial post, this may not be intended by you.
The existence of a DMARC record in the subdomain results in the DMARC heuristic of the add-on only setting the subdomain "mail.example.com" as an allowed SDID. If only the organizational domain "example.com" had a DMARC record, both "mail.example.com" and "example.com" would be set as allowed SDIDs.
Let me emphasize that the DMARC option in the add-on uses the information in the DMARC record in a non-standard way. So although I'm happy that you are trying to be compatible with my add-on, you do not have to do so to be standards conformant. This also means I would be open to changing the current behavior of my add-on.
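The SDID heuristic described above, reconstructed as an added example (this is not the add-on's code): a constructed in-memory TXT table stands in for DNS, and the organizational domain is simplified to the last two labels instead of a Public Suffix List lookup.

```python
from typing import Dict, Optional, Set

# Constructed TXT data standing in for DNS (not real zone content).
# Zone A mirrors the reporter's situation: the DMARC record is also
# published at the subdomain, which the reporter had not intended.
DMARC_TXT = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100;"
ZONE_A = {"_dmarc.example.com": DMARC_TXT, "_dmarc.mail.example.com": DMARC_TXT}
# Zone B is the intended setup: only the organizational domain has a record.
ZONE_B = {"_dmarc.example.com": DMARC_TXT}


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): last two labels. A real implementation
    must consult the Public Suffix List to handle e.g. example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_dmarc(zone: Dict[str, str], domain: str) -> Optional[str]:
    """Return the DMARC TXT record at _dmarc.<domain>, or None if absent."""
    txt = zone.get(f"_dmarc.{domain.lower()}")
    if txt and txt.strip().lower().startswith("v=dmarc1"):
        return txt
    return None


def allowed_sdids(zone: Dict[str, str], from_domain: str) -> Optional[Set[str]]:
    """Allowed DKIM d= values for a message with this From domain, following the
    add-on's heuristic as explained in the thread (the add-on's own convention,
    not RFC 7489 identifier alignment). None means no DMARC-derived rule."""
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    if lookup_dmarc(zone, from_domain) is not None:
        # A record directly at the From domain: only that domain may sign.
        return {from_domain}
    if from_domain != org and lookup_dmarc(zone, org) is not None:
        # Policy inherited from the organizational domain: both may sign.
        return {from_domain, org}
    return None


def check_sdid(zone: Dict[str, str], from_domain: str, sdid: str) -> str:
    """Mimic the 'Wrong signer' decision seen in the debug output."""
    allowed = allowed_sdids(zone, from_domain)
    if allowed is None:
        return "NO_RULE"
    if sdid.lower() in allowed:
        return "SUCCESS"
    return f"PERMFAIL: wrong signer (should be {' or '.join(sorted(allowed))})"
```

With ZONE_A, a signature with d=example.com on mail from mail.example.com fails exactly as in the posted log; with ZONE_B the same signature is accepted.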
> The problem is that a DNS query to _dmarc.mail.example.com returns a DMARC record. So you have not just published a DMARC record for "example.com", but also one for the subdomain "mail.example.com". As you have stated otherwise in your initial post, this may not be intended by you.
I'm not clear where that's coming from.
I have NOT published a subdomain record.
As I mentioned above,
"I've published ONLY an organizational domain record"
And verifying that,
dig TXT selector._domainkey.example.com +short @8.8.8.8
selector._domainkey.example.com.
"v=DKIM1; h=sha256; k=rsa; s=email; t=s;" "p=M...B;"
dig TXT selector._domainkey.mail.example.com +short @8.8.8.8
(empty)
So, as you point out,
> If only the organizational domain "example.com" had a DMARC record, both "mail.example.com" and "example.com" would be set as allowed SDIDs.
I'm expecting exactly that^ -- that both are set as allowed SDIDs.
What have I missed?
From the posted debug output:
> 2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: data: v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;
> 2016-05-23 15:09:39 DKIM_Verifier.libunbound DEBUG libunboundWorker: qname: _dmarc.mail.example.com, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined
> 2016-05-23 15:09:39 DKIM_Verifier.DNSWrapper DEBUG result: ({data:["v=DMARC1; p=reject; sp=reject;rua=mailto:dmarc_rua@example.com,mailto:xxxxxxxx@ag.dmarcian.com;ruf=mailto:dmarc_ruf@example.com;fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400;"], rcode:0, secure:false, bogus:false})
Note the qname: _dmarc.mail.example.com, which is the DNS name that the query was for. This shows that a TXT record exists for _dmarc.mail.example.com. In fact, it seems to return the same DMARC record as you have said in your initial post that you have published for _dmarc.example.com.
The dig output you posted is for DKIM keys, and has nothing to do with this.
Wow, I must've stared at that a dozen times, seeing DKIM, thinking DMARC. PEBKAC :-/
Thanks for the catch.
I'd rm'd the dmarc reference at Dmarcian.org -- but NOT from my DNS! Now, fixed -- and your extension works as expected:
For mail sent from 'user@mail.example.com', the extension header correctly reports
DKIM (Valid (Signed by 'example.com')
Thank you.
No Problem. Always nice to see that people are not only using the add-on, but are also taking the time to report potential issues.
I use opendkim to sign my emails.
My opendkim SigningTable includes:
and in my dns, I've published ONLY an organizational domain record
with the understanding that if a specific policy record for a subdomain does not exist in DNS, the policy from the organizational domain will be applied. i.e., for any *.example.com subdomain,
So with that signing policy, emails sent from the '*@mail.example.com' subdomain should be signed by 'example.com', and accepted as valid.
When I send from my 'mail.example.com' domain to my 'example.com' domain,
The received email's signed correctly,
But the DKIM plugin in Thunderbird, displays
The design here is, of course, that 'example.com' IS a valid signer for the 'mail.example.com' subdomain.
I've got
checked, so it should, in principle, be getting the DMARC policy correctly.
So, the question is -- why's it saying it's not? Config in the extension, or a problem in DKIM/DMARC config?