mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

Help understanding DMARC failures in GMail report #45

Closed sherief closed 1 year ago

sherief commented 1 year ago

I've received the following report from GMail for my domain:

<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>17335918400413062210</report_id>
    <date_range>
      <begin>1689379200</begin>
      <end>1689465599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>sherief.fyi</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
    <np>reject</np>
  </policy_published>
  <record>
    <row>
      <source_ip>2607:5300:205:200::279f</source_ip>
      <count>7</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>sherief.fyi</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>fail</result>
        <selector></selector>
      </dkim>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>pass</result>
        <selector>2023b</selector>
      </dkim>
      <spf>
        <domain>sherief.fyi</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2607:5300:205:200::279f</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>sherief.fyi</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>fail</result>
        <selector>2023a</selector>
      </dkim>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>pass</result>
        <selector>2023b</selector>
      </dkim>
      <spf>
        <domain>sherief.fyi</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

I'm not sure I understand the failure for selector 2023a. I'm not a domain expert, but I've used tools like MxToolbox to check that selector and everything seems to be a pass (or at least gives no errors / warnings in that area). Can you point me towards what might be the issue?

mjl- commented 1 year ago

Hi @sherief, the problem in this case is that gmail doesn't support DKIM signatures with the ed25519 algorithm. That's why it marks them as "fail". It's not actually a problem for deliverability because the DKIM rsa signature is recognized, verified and passes.

In theory, mail servers are not allowed (by the DKIM specification) to hold (their) failures like the unrecognized ed25519 algorithm against you. Luckily, I believe practice matches theory on this topic. Gmail's dkim check results in an overall dkim pass.

Mox adds two signatures to outgoing email by default (with the quickstart), both an RSA and an ed25519 signature. The idea is to get more mail servers over from rsa to ed25519. The advantages of ed25519 over rsa for dkim are: 1. modern and faster crypto; 2. smaller public keys, which is especially handy for the dns records that include them: unlike ed25519 public keys, the rsa public keys are so large they span multiple dns "strings", which always trips up people and/or dns (web) editors (e.g. AWS Route53's zone importer). At this moment, the big mailbox providers don't implement ed25519. Not sure why, it shouldn't be hard to implement. For reference, ed25519 with dkim is specified in https://datatracker.ietf.org/doc/html/rfc8463.

If you want to get rid of the ed25519 failure in the report, you'll have to stop signing with the 2023a ed25519 selector. But that won't help with ed25519 adoption, and I don't believe it will help with any delivery issues if you have them.

For completeness, below is an explanation of relevant parts of the report.

The snippet below just says what gmail found in your DMARC record. This is the policy that it will apply. This isn't the result of the evaluation, so this doesn't say anything is rejected. It just says that if a message doesn't pass the dmarc check, gmail will reject it per your dmarc policy.

  <policy_published>
    <domain>sherief.fyi</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
    <np>reject</np>
  </policy_published>

Below is the part that explains the results of gmail's dmarc (and underlying dkim/spf) evaluation. In this case, both the dkim and spf checks are passing (good!), and the dmarc "disposition" is "none" (i.e. don't do anything special, just accept the message). Other values for disposition are "quarantine" or "reject" (this would be bad if it is for legitimate messages coming from you, but desirable for bad messages, like someone pretending they are you). I think it's a bit unfortunate that the desirable final evaluation result of a dmarc report is the string <disposition>none</disposition>. When glancing over a report, it doesn't stand out as something positive (or anything at all). If it had said something like <result>pass</result>, it would have been more clear (though to be clear: even with a dmarc pass, a message can still be rejected for other reasons, this is just a report about the dmarc evaluation).

    <row>
      [...]
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>

The part below has additional information about the dkim and spf checks that underlie the dmarc result. I.e. what led to the dkim pass and spf pass. In this case there was 1 passing dkim check, and 1 failing check, but the end result is still a dkim pass because that's enough and other failures must be ignored.

    <auth_results>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>fail</result>
        <selector>2023a</selector>
      </dkim>
      <dkim>
        <domain>sherief.fyi</domain>
        <result>pass</result>
        <selector>2023b</selector>
      </dkim>
      <spf>
        <domain>sherief.fyi</domain>
        <result>pass</result>
      </spf>

Summary: the report looks good to me, and does not indicate deliverability issues.

Are you having any deliverability issues that you are trying to resolve? It could be something else.
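As an added example (not code from mox or from anyone in this thread), the Go program below parses an aggregate report in this format and recomputes each record's verdict from the raw auth_results the way the explanation above describes: one aligned, passing DKIM signature is enough, and a failing signature such as the ed25519 one is listed but does not change the outcome. The sample report is constructed, modelled on the one quoted in the issue, and goes beyond it with an invented record from an unrelated host (192.0.2.10, signing as spoofer.example) whose DKIM and SPF pass for its own domain but do not align with the header From domain, which is the case a reject disposition exists for. The relaxed-alignment check is a simplified suffix match rather than a public-suffix-list lookup.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample report (RFC 7489 Appendix C layout) modelled on the one in the issue,
// plus an invented second record from a host that is not the domain's own mail server.
const sampleReport = `<feedback>
<policy_published><domain>sherief.fyi</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
<record><row><source_ip>2607:5300:205:200::279f</source_ip><count>2</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>sherief.fyi</header_from></identifiers><auth_results>
<dkim><domain>sherief.fyi</domain><result>fail</result><selector>2023a</selector></dkim>
<dkim><domain>sherief.fyi</domain><result>pass</result><selector>2023b</selector></dkim>
<spf><domain>sherief.fyi</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>sherief.fyi</header_from></identifiers><auth_results>
<dkim><domain>spoofer.example</domain><result>pass</result><selector>s1</selector></dkim>
<spf><domain>spoofer.example</domain><result>pass</result></spf></auth_results></record>
</feedback>`

type Feedback struct {
	ADKIM   string   `xml:"policy_published>adkim"` // DKIM alignment mode: r (relaxed) or s (strict)
	ASPF    string   `xml:"policy_published>aspf"`  // SPF alignment mode
	Records []Record `xml:"record"`
}
type AuthResult struct { // one <dkim> or <spf> entry under <auth_results>
	Domain   string `xml:"domain"`
	Result   string `xml:"result"`
	Selector string `xml:"selector"` // DKIM only; empty when the reporter omitted it
}
type Record struct {
	SourceIP    string       `xml:"row>source_ip"`
	Count       int          `xml:"row>count"`
	Disposition string       `xml:"row>policy_evaluated>disposition"`
	HeaderFrom  string       `xml:"identifiers>header_from"`
	DKIM        []AuthResult `xml:"auth_results>dkim"`
	SPF         []AuthResult `xml:"auth_results>spf"`
}

// Summary is our own re-evaluation of one record from the raw auth_results.
type Summary struct {
	SourceIP, Disposition              string
	Count                              int
	DKIMAligned, SPFAligned, DMARCPass bool
	FailedSelectors                    []string // failing DKIM signatures; harmless when DKIMAligned
}

func ParseReport(data string) (*Feedback, error) {
	var fb Feedback
	err := xml.Unmarshal([]byte(data), &fb)
	return &fb, err
}

// aligned implements DMARC identifier alignment. Simplification: relaxed mode
// uses a suffix match instead of a public-suffix-list organizational domain.
func aligned(auth, headerFrom, mode string) bool {
	a, h := strings.ToLower(auth), strings.ToLower(headerFrom)
	if a == h {
		return true
	}
	return mode != "s" && (strings.HasSuffix(a, "."+h) || strings.HasSuffix(h, "."+a))
}

// Summarize applies the rule from the thread: one aligned passing DKIM signature suffices.
func Summarize(fb *Feedback) []Summary {
	var out []Summary
	for _, r := range fb.Records {
		s := Summary{SourceIP: r.SourceIP, Disposition: r.Disposition, Count: r.Count}
		for _, d := range r.DKIM {
			if d.Result != "pass" {
				s.FailedSelectors = append(s.FailedSelectors, d.Selector) // recorded, not held against the message
			} else if aligned(d.Domain, r.HeaderFrom, fb.ADKIM) {
				s.DKIMAligned = true // a pass for an unaligned domain counts for nothing
			}
		}
		for _, p := range r.SPF {
			s.SPFAligned = s.SPFAligned || (p.Result == "pass" && aligned(p.Domain, r.HeaderFrom, fb.ASPF))
		}
		s.DMARCPass = s.DKIMAligned || s.SPFAligned
		out = append(out, s)
	}
	return out
}

func main() {
	fb, err := ParseReport(sampleReport)
	if err != nil {
		panic(err)
	}
	for _, s := range Summarize(fb) {
		fmt.Printf("%s count=%d dmarc_pass=%t disposition=%s failed_dkim=%q\n", s.SourceIP, s.Count, s.DMARCPass, s.Disposition, s.FailedSelectors)
	}
}
```

Running it prints one line per record: the mox host comes out as dmarc_pass=true with 2023a listed under failed_dkim, the unrelated host as dmarc_pass=false with disposition reject. Comparing this recomputed verdict with the reporter's own policy_evaluated block is a quick sanity check when reading reports from providers whose DKIM support differs.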

sherief commented 1 year ago

Thank you so much, Mechiel, for taking the time to explain all this; it's a very interesting read! I do see GMail classifying mail from my domain as spam sometimes, but I do agree on the importance of moving everyone to ed25519.