> On May 26, 2017, at 8:00 AM, Carl Byington <c...@five-ten-sg.com> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Using sendmail with opendkim for signing mostly works, but I have a few > domains with dmarc p=reject, and looking at the aggregate reports, I am > seeing some dkim=fail, spf=pass on a small amount of mail going to > google, comcast, etc. The aggregate reports show that mail is signed > with the right selector (default._domainkey.lynchexhibits.com). > > lynchexhibits.com mail leaving ns27.routerdog2.com. > > I have been unable to reproduce this by sending test messages to my > google test account. It may not be specific to sendmail/opendkim, since > I also see the same infrequent errors with another domain: > > mbmg-media.com mail leaving *.outbound.protection.outlook.com. > > Of course, that mail was never touched by sendmail/opendkim. > > Any ideas for debugging this?
Check for common factors in the content. A common-ish cause of DKIM failures is messages which are badly-formed - not necessarily spec-violating, but unusual in structure, encoding, line length and so on. Also check for common delivery paths - if it's being forwarded through, say, anything in outlook.com that's another sign. You'll likely need more than aggregate reports to diagnose fully. Cheers, Steve _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop