> On Jun 7, 2016, at 9:06 AM, Simon <s...@4lists.simonliebold.de> wrote:
>
> Hello List,
>
> For quite some time I am noticing DKIM temperrors in DMARC reports
> (exclusively) from Microsoft. Until today I wasn't able to track down
> whatever is causing this:
>
> If a DKIM selector is a CNAME pointing to a 1024 bit key it returns a
> DKIM "pass". But if the selector points to a 2048 bit key it returns a
> DKIM "temperror".
The 2048 bit key plus the CNAME gives a reply packet big enough that the UDP reply to a non-EDNS query is truncated. Retrying over TCP works, but a DNS resolver that doesn't do TCP would just error out. That's probably why the DKIM temperror. If you make your reply small enough that a UDP reply works (either by not using the CNAME in the same zone, or by using a slightly smaller key) I expect it'd go away.

> My test setup:
> 2016Q2-1024._domainkey.simonliebold.de => dkim=pass
> 2016Q2._domainkey.simonliebold.de => dkim=temperror
>
> I am wondering if anyone spotted this in the DMARC reports from Microsoft.

Cheers,
Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
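The size argument in Steve's reply can be checked with arithmetic rather than a live query. The following is an added example, not code from the thread or from either poster: it builds the DNS response an authoritative server would send for a TXT query on the selector names quoted above, with RFC 1035 label compression and TXT character-string chunking done the way a server does them, and compares the result with the 512-byte ceiling that applies to UDP answers when the query carries no EDNS0 OPT record. The CNAME targets (key1024/key2048._domainkey.simonliebold.de, key2048._domainkey.example.net), the NS names (ns1/ns2.example.net) and the p= contents are constructed placeholders; only the selector names and the zone come from the thread. The p= placeholder has the exact base64 length a real RSA SubjectPublicKeyInfo of that size would have, which is what matters for the packet size.

```python
import struct

UDP_LIMIT = 512          # RFC 1035 4.2.1: max UDP message without EDNS0
TYPE_NS, TYPE_CNAME, TYPE_TXT = 2, 5, 16


def der_len_field(content_len):
    """Size of a DER length field for a value of content_len bytes."""
    if content_len < 0x80:
        return 1
    return 1 + (content_len.bit_length() + 7) // 8


def der_tlv(content_len):
    """Size of a DER tag + length + content triple."""
    return 1 + der_len_field(content_len) + content_len


def rsa_spki_der_len(bits, exponent=65537):
    """Size of the SubjectPublicKeyInfo DER (the blob behind DKIM's p= tag)
    for an RSA key of `bits` bits; the modulus gets a leading 0x00 byte."""
    modulus = der_tlv(bits // 8 + 1)
    exp = der_tlv(exponent.bit_length() // 8 + 1)
    rsa_public_key = der_tlv(modulus + exp)       # SEQUENCE { n, e }
    bit_string = der_tlv(1 + rsa_public_key)      # unused-bits byte + key
    alg_id = 15                                   # SEQUENCE { OID rsaEncryption, NULL }
    return der_tlv(alg_id + bit_string)


def dkim_txt_value(bits):
    """DKIM record text with a constructed p= placeholder of the exact
    length a real base64-encoded key of this size would have."""
    b64_len = (rsa_spki_der_len(bits) + 2) // 3 * 4
    return "v=DKIM1; k=rsa; p=" + "A" * b64_len


def encode_name(name, offset, table):
    """Encode a domain name with RFC 1035 compression. `table` maps suffixes
    already written to their message offset; `offset` is this name's start."""
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        table[suffix] = offset + len(out)
        label = labels[i].encode("ascii")
        out += bytes([len(label)]) + label
    out += b"\x00"                                # root label
    return bytes(out)


def txt_rdata(text):
    """TXT RDATA: one or more <length><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    out = bytearray()
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return bytes(out)


def build_response(qname, answers, authority=()):
    """Response to a TXT query. Records are (owner, type, rdata); rdata is a
    domain name for CNAME/NS or the record text for TXT. Returns bytes."""
    table = {}
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180,
                                1, len(answers), len(authority), 0))
    msg += encode_name(qname, len(msg), table)
    msg += struct.pack("!HH", TYPE_TXT, 1)        # QTYPE TXT, QCLASS IN
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner, len(msg), table)
        msg += struct.pack("!HHIH", rtype, 1, 3600, 0)   # RDLENGTH patched below
        rdlen_at = len(msg) - 2
        wire = (txt_rdata(rdata) if rtype == TYPE_TXT
                else encode_name(rdata, len(msg), table))
        msg += wire
        struct.pack_into("!H", msg, rdlen_at, len(wire))
    return bytes(msg)


def would_truncate(msg):
    """True if a non-EDNS UDP reply of this size must go out with TC=1."""
    return len(msg) > UDP_LIMIT


def scenarios():
    """Sizes for the selector names from the thread; CNAME targets and NS
    names are constructed placeholders."""
    zone = "simonliebold.de"
    ns = [(zone, TYPE_NS, "ns1.example.net"), (zone, TYPE_NS, "ns2.example.net")]
    q1024, t1024 = "2016Q2-1024._domainkey." + zone, "key1024._domainkey." + zone
    q2048, t2048 = "2016Q2._domainkey." + zone, "key2048._domainkey." + zone
    via1024 = [(q1024, TYPE_CNAME, t1024), (t1024, TYPE_TXT, dkim_txt_value(1024))]
    via2048 = [(q2048, TYPE_CNAME, t2048), (t2048, TYPE_TXT, dkim_txt_value(2048))]
    return {
        "1024 key, CNAME in zone": len(build_response(q1024, via1024)),
        "2048 key, no CNAME": len(build_response(t2048, [(t2048, TYPE_TXT, dkim_txt_value(2048))])),
        "2048 key, CNAME in zone": len(build_response(q2048, via2048)),
        "2048 key, CNAME in zone, 2 NS in authority": len(build_response(q2048, via2048, ns)),
        # out-of-zone target: the server answers with the CNAME only and the
        # resolver fetches the TXT from the other zone in a second query
        "2048 key, CNAME out of zone (CNAME only)": len(build_response(
            q2048, [(q2048, TYPE_CNAME, "key2048._domainkey.example.net")])),
    }


if __name__ == "__main__":
    for label, size in scenarios().items():
        print(f"{size:4d} bytes  {label}: "
              f"{'TC=1 over UDP without EDNS0' if size > UDP_LIMIT else 'fits'}")
```

Two things fall out of the numbers. A 2048-bit p= value alone is 412 bytes of TXT RDATA, so even the smallest possible answer through an in-zone CNAME sits within about 15 bytes of the 512 limit, and anything a server adds on top (NS records in the authority section, an extra DKIM tag such as h= or t=, a longer selector or target name) pushes it over and sets TC. Moving the CNAME target out of the zone splits the lookup into two small responses, which is the first of Steve's two remedies; a 1024-bit key under the same CNAME is nowhere near the limit, which is the second. On a live setup the same check is `dig +noedns +notcp TXT <selector>` and looking for the tc flag in the header.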