Hello Phil,

On Mon, 21 Nov 2016 07:59:33 +0000 Phil Pennock wrote:

> On 2016-11-21 at 11:06 +0900, Christian Balzer wrote:
> > Since the "i=" field is optional, that doesn't come as a big surprise, nor
> > should it be an issue.
> >
> > That is, if it weren't for Google, who decided to base their DKIM checks
> > exclusively on this header:
> > ---
> > Authentication-Results: mx.google.com;
> > dkim=neutral (no key) header.i=@fusioncom.co.jp;
>
> My last test mail to my Google account has:
>
> -----------------------------8< cut here >8-----------------------------
> Authentication-Results: mx.google.com;
> dkim=pass header.i=@spodhuis.org;
> spf=pass (google.com: domain of [snip long line]
> dmarc=pass (p=NONE dis=NONE) header.from=spodhuis.org
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=spodhuis.org; s=d201611;
> h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date;
> bh=v4dMfdOoPPNw/cF+SW40HeBs1Za1xm2/PJu39sE54+4=;
> b=Y2eir4Dvc1bkGpcLbKndpyxAmC0EykoVjfvvkW1Tz7n4zOiN+rD7RILY5x1anaGRSB0T/XUQEsJQTlMnKz+3zkLS4mk3g4p20W5jNiTuitLii7glRfQn7/wA1k3hAmeuTRys4R2PD1ONydHCxWVqSdvbX9oPbX9EwlfwS0AHz9SgBTiqhmF5+rV1hpk6nRIzTi/8Yjuzm0wCgXfP;
> -----------------------------8< cut here >8-----------------------------
>
> As you can see, Google are _reporting_ `header.i` but they must be using
> the d parameter, because I'm not signing with `i` (I am using Exim,
> after all).
>
Yup, I was just about to get back to the list about this.
The Google error code is less than stellar when it comes to being clear and
human readable.

The problem was with the DNS TXT record after all, but so subtly that Exim
itself didn't spot it and gave things a clean bill of health when checking
mails signed for that domain.

To wit, the record had "v=DKIM1\\\; k=rsa\\\; ..." in it, instead of a
single backslash.
The people responsible are being taken out to the backyard for creative lead
catching courses.

Again, I might have spotted this earlier if Exim itself wouldn't have been
totally happy to ignore the extra garbage and concentrate on the actual
yummy contents.
This probably stems from Exim being an MTA and thus very much being of a "Be
lenient what you accept" philosophy, but it being strict in this case would
have made me realize the problem sooner. ^_-

Thanks for all the ongoing effort with Exim.

Regards,

Christian

> So I'd be looking into why Gmail might believe there's no key available;
> I can find DNS TXT records for `mail._domainkey.fusioncom.co.jp` on both
> the authoritative nameservers, but is there any kind of geolocation in
> those results, or could the records have been temporarily unavailable?
>
> Because at this point, it's that, or Google temporarily deployed bad
> code.
>
> -Phil
>

--
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Global OnLine Japan/Rakuten Communications
http://www.gol.com/

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
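
The failure mode from this thread, as an added example that is not part of the original messages and is neither Exim's nor Google's code: a strict check of a DKIM key record against the RFC 6376 tag-list rules, next to a lenient view that drops stray backslashes first. The function names and both sample records are assumptions made for illustration; the p= value is placeholder base64, not a real key.

```python
import base64
import re

TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
KEY_TYPES = {"rsa", "ed25519"}  # rsa: RFC 6376, ed25519: RFC 8463

def parse_tag_list(record):
    """Split a DKIM tag-list (RFC 6376 section 3.2) into (name, value) pairs."""
    pairs = []
    for spec in filter(str.strip, record.split(";")):  # skips an empty trailing spec
        name, sep, value = spec.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs

def check_key_record(record):
    """Return the problems a strict verifier would reject this key record for."""
    problems = []
    if "\\" in record:
        problems.append("backslash in published TXT data (escaping leaked into the record)")
    tags = {}
    for pos, (name, value) in enumerate(parse_tag_list(record)):
        if value is None or not TAG_NAME.match(name):
            problems.append(f"malformed tag-spec {name!r}")
        elif name in tags:
            problems.append(f"duplicate tag {name!r}")
        else:
            tags[name] = value
            if name == "v" and pos != 0:
                problems.append("v= must be the first tag")
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"v={tags['v']!r} is not exactly DKIM1")
    if tags.get("k", "rsa") not in KEY_TYPES:
        problems.append(f"unknown key type k={tags['k']!r}")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"]:  # an empty p= means a revoked key, which is legal
        try:
            base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

def lenient_view(record):
    """What a forgiving parser reports after silently dropping stray backslashes."""
    return check_key_record(record.replace("\\", ""))

# Constructed samples modelled on the record quoted in the thread.
GOOD = "v=DKIM1; k=rsa; p=QUJDREVGR0g="
BROKEN = r"v=DKIM1\\\; k=rsa\\\; p=QUJDREVGR0g="
```

Running `check_key_record` on the TXT strings a resolver actually returns, rather than on the zone-file source, catches escaping that only appears after the record is published.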