trusteddomainproject / OpenDKIM


failed to parse Authentication-Results on valid headers #48

Open gene-git opened 4 years ago

gene-git commented 4 years ago

Some emails show the above error, and when accompanied by a DMARC reject policy the email is subsequently rejected.

The email in this case was from American Airlines customer relations - they use Exchange servers. After changing the email to be used to Gmail, and re-sending, the reply went through to Gmail just fine.

I examined the email sent to Google and the DKIM-Signature looks fine to me and Google is fine with it as well - showing DKIM and DMARC both pass:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aa.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh...

So seems to be a bug with OpenDKIM.

Is there any chance that a fix is in the works for opendkim?

gene-git commented 4 years ago

I do see an Auth results header from Google, but there is also another one lower down; I wonder if the second one is causing a problem for opendkim? The second one looks like it should be ignored - but perhaps it isn't and that triggered the reject - not sure why opendkim is even reading that auth results at all - I'd expect it to create one, not read an untrusted one. But perhaps someone can share how to fix this ...

thanks ;)

Authentication-Results: mx.google.com; dkim=pass header.i=@aa.com header.s=selector2 header.b=ksOGfQcS; arc=pass (i=1); spf=pass (google.com: domain of aacustomerrelations@aa.com designates 40.107.77.81 as permitted sender) smtp.mailfrom=AACustomerRelations@aa.com; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=aa.com

... Authentication-Results: spf=softfail (sender IP is 144.9.232.1) smtp.mailfrom=aa.com; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=fail action=oreject header.from=aa.com;

gene-git commented 4 years ago

Is there a way I can debug the milter if I save the headers I have from Google - see why the milter is failing? I see a miltertest.c program but it's not too clear at a quick glance how I can throw a file with mail and headers and step through a debugger to see where the failure stems from?

mikenor commented 3 years ago

Look closely. That second Authentication-Results header is not valid. (No authserv-id.) Probably OpenDKIM's behaviour in response is incorrect. But bug title is wrong. ;-)
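A check for the condition described in the comment above, as an added example that is not part of the thread or of OpenDKIM's code: it lists each Authentication-Results field in a saved message and reports whether the text before the first ";" is an authserv-id (optionally followed by a version), as RFC 8601 requires. The function names and the shortened sample message are assumptions made for this illustration.

```python
import email
import re

# RFC 2045 token: printable ASCII except SPACE and tspecials (which include "=").
TOKEN = r'[^\s()<>@,;:\\"/\[\]?=\x00-\x1f\x7f]+'
# An authserv-id, optionally followed by a version number, and nothing else.
AUTHSERV_ID = re.compile(rf'^(?:{TOKEN}|"[^"]*")(?:\s+\d+)?$')


def strip_comments(value):
    """Drop parenthesised comments (nesting handled; quoted pairs are not)."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def check_authres(raw_message):
    """Return (authserv_id or None, raw header value) per A-R field."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("Authentication-Results", []):
        first = strip_comments(value).split(";", 1)[0]
        first = " ".join(first.split())  # unfold and collapse whitespace
        ok = AUTHSERV_ID.match(first)
        results.append((first.split()[0] if ok else None, value))
    return results


# Constructed sample: the two header fields quoted in this thread, shortened.
SAMPLE = (
    "Authentication-Results: mx.google.com;\r\n"
    " dkim=pass header.i=@aa.com header.s=selector2;\r\n"
    " spf=pass (google.com: permitted sender) smtp.mailfrom=aa.com\r\n"
    "Authentication-Results: spf=softfail (sender IP is 144.9.232.1)\r\n"
    " smtp.mailfrom=aa.com; gmail.com; dkim=none (message not signed)\r\n"
    " header.d=none;gmail.com; dmarc=fail action=oreject header.from=aa.com;\r\n"
    "From: sender@aa.com\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for authserv_id, value in check_authres(SAMPLE):
        print("OK " if authserv_id else "BAD", authserv_id, "|", value[:40])
```

To use it on a saved message, pass the file's contents to `check_authres()`; a `None` in the first position marks a field that starts with a result such as `spf=softfail` instead of an authserv-id.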

gene-git commented 3 years ago

Thanks for following up on this - and awesome to see things moving forward nicely - appreciate your looking at this.

mikenor commented 3 years ago

Honestly I haven't seen things moving forward. I'm just a fellow user looking at old bugs to assess how dead this project is.

gene-git commented 3 years ago

ok gotcha - opendmarc is very much alive which is nice - hopefully dkim and arc will likewise get more attention :)

corrilan commented 2 years ago

Seeing this issue too in relation to protection.outlook.com.

up_the_irons commented 1 month ago

I see the following in my logs:

opendkim[15609]: 0A5D11EEF20: failed to parse authentication-results: header field
opendkim[15609]: 0A5D11EEF20: bad signature data

from a particular sender that our mail server receives from NAM04-MW2-obe.outbound.protection.outlook.com

If I save that email to a file, from mutt, and run the python script dkimverify on it, I consistently get:

$ cat message.txt | python3 dkimverify.py
signature ok
$

I'm at a loss to figure out what exactly opendkim thinks is "bad" about the signature data.

Anyone know how I can debug this further?

gene-git commented 1 month ago

This is a zombie project - I gave up on opendkim a couple of years ago.

I've switched to dkimpy, which not only works well and is properly maintained but also supports elliptic curves (I sign with both RSA and EC).

good luck,

up_the_irons commented 1 month ago

I've been reading about it just now: https://pypi.org/project/dkimpy-milter/

Looks like I can integrate it with my Postfix setup similarly to the way I have OpenDKIM. This might be the replacement I've been looking for. Honestly, I haven't been so happy with OpenDKIM and was wondering what alternatives were out there. Thanks for the tip!

gene-git commented 1 month ago

Yes - I use Postfix, and once the config is set up, changing milters is straightforward.