Murray S. Kucherawy writes: > On Tue, Jun 13, 2023 at 10:34 PM Tero Kivinen <kivi...@iki.fi> wrote: > > DKIM failures > ================================================================ > 36.34% 26619 invalid DKIM record > > This is staggering. Can you characterize what the most common malformations > are?
I think most of those are missing keys. I.e., there is no key in the dns at all for that header.d and header.s. This might be caused by having some internal machine doing the DKIM signing but not publishing the actual DKIM records in the dns at all. Sometimes there is another DKIM record that will pass like this: ARC-Authentication-Results: i=1; MTA-v4; dkim=none ("invalid DKIM record") header.d=ernieball.com header.s=ci-ernieball header.b=XXX; dkim=pass header.d=criticalimpactinc.com header.s=keyd header.b=XXX; spf=pass (MTA-v4: XXX) Sometimes there that was the only dkim record and then the final result is fail: ARC-Authentication-Results: i=1; MTA-v4; dkim=none ("invalid DKIM record") header.d=autostadium.fi header.s=x header.b=XXX; spf=pass (MTA-v4: XXX) Note, that those are not really failures, I calculated those error messages from dkim=none result to the statistics, as it indicates that there was DKIM record in email, but DKIM was not set properly, so in sense it is DKIM error, but if I remember right DKIM specification says that not having DKIM record, or having missing keys etc in dns are no different from each other, so both are DKIM=none... -- kivi...@iki.fi _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc