Murray S. Kucherawy writes:
> On Tue, Jun 13, 2023 at 10:34 PM Tero Kivinen <kivi...@iki.fi> wrote:
> 
>             DKIM failures
>             ================================================================
>             36.34%  26619   invalid DKIM record
> 
> This is staggering.  Can you characterize what the most common malformations
> are?

I think most of those are missing keys. I.e., there is no key in the
DNS at all for that header.d and header.s.

This might be caused by having some internal machine doing the DKIM
signing but not publishing the actual DKIM records in the DNS at all.

Sometimes there is another DKIM record that will pass like this:

ARC-Authentication-Results: i=1;
        MTA-v4;
        dkim=none ("invalid DKIM record") header.d=ernieball.com header.s=ci-ernieball header.b=XXX;
        dkim=pass header.d=criticalimpactinc.com header.s=keyd header.b=XXX;
        spf=pass (MTA-v4: XXX)

Sometimes that was the only DKIM record and then the final
result is fail:

ARC-Authentication-Results: i=1;
        MTA-v4;
        dkim=none ("invalid DKIM record") header.d=autostadium.fi header.s=x header.b=XXX;
        spf=pass (MTA-v4: XXX)

Note that those are not really failures. I calculated those error
messages from the dkim=none result into the statistics, as it indicates
that there was a DKIM record in the email, but DKIM was not set up
properly, so in a sense it is a DKIM error, but if I remember right the
DKIM specification says that not having a DKIM record, or having missing
keys etc. in DNS, are no different from each other, so both are DKIM=none...
-- 
kivi...@iki.fi
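
Added example, not part of the original message and not the poster's tooling: a small parser that separates the two cases shown above (a `dkim=none` entry next to a passing signature, and a `dkim=none` entry on its own) and lists the `selector._domainkey.domain` names whose key records should be checked in DNS. The verdict labels and function names are this example's own, the sample headers are constructed from the ones quoted in the message, and the parser assumes comments contain no `;`.

```python
import re

# Constructed inputs modelled on the two headers quoted in the message above.
ONE_PASSING = (
    'ARC-Authentication-Results: i=1;\n'
    '        MTA-v4;\n'
    '        dkim=none ("invalid DKIM record") header.d=ernieball.com\n'
    '        header.s=ci-ernieball header.b=XXX;\n'
    '        dkim=pass header.d=criticalimpactinc.com header.s=keyd header.b=XXX;\n'
    '        spf=pass (MTA-v4: XXX)\n'
)
NONE_PASSING = (
    'ARC-Authentication-Results: i=1;\n'
    '        MTA-v4;\n'
    '        dkim=none ("invalid DKIM record") header.d=autostadium.fi header.s=x\n'
    '        header.b=XXX;\n'
    '        spf=pass (MTA-v4: XXX)\n'
)

RESINFO = re.compile(r'^dkim=(?P<result>[a-z]+)\s*(?:\((?P<comment>[^)]*)\))?(?P<props>.*)$', re.S)

def dkim_results(header):
    """Return one dict per dkim= entry: result, comment, d, s."""
    # Drop the field name, then unfold continuation lines.
    value = re.sub(r'\r?\n[ \t]+', ' ', header.split(':', 1)[1])
    out = []
    for part in value.split(';'):  # assumption: no ';' inside comments
        m = RESINFO.match(part.strip())
        if not m:
            continue  # i=1, the authserv-id, spf=..., and so on
        props = dict(re.findall(r'header\.([a-z])=(\S+)', m['props']))
        out.append({'result': m['result'], 'comment': (m['comment'] or '').strip('"'),
                    'd': props.get('d'), 's': props.get('s')})
    return out

def classify(header):
    """Return (verdict, DNS names whose key record could not be used)."""
    entries = dkim_results(header)
    # dkim=none that still reports header.d and header.s means the message
    # carried a signature; the key is looked up at <s>._domainkey.<d>.
    unusable = [f"{e['s']}._domainkey.{e['d']}" for e in entries
                if e['result'] == 'none' and e['d'] and e['s']]
    if any(e['result'] == 'pass' for e in entries):
        return 'pass', unusable
    return ('signed-but-unverifiable' if unusable else 'unsigned'), unusable

if __name__ == '__main__':
    print(classify(ONE_PASSING), classify(NONE_PASSING))
```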
