Greetings,

On Tue, 11 Mar 2025 22:04:01 +0100, BetaRays <[email protected]> wrote:
>
> I’ve set up an OpenSMTPD server with opensmtpd-filter-dkimsign for DKIM
> signatures using a configuration similar to this one:
> https://openports.pl/path/mail/opensmtpd-filters/dkimsign
>
> My DMARC is using p=quarantine, and I noticed emails are rejected as
> "likely unsolicited mail" when sending to a gmail.com address, but
> removing the ed25519 DKIM signature filter from my configuration seems
> to fix the issue.
>
> DMARC reports from gmail indicate my RSA 1024 DKIM signature is valid,
> but my ed25519 fails: as far as I could find, this is expected because
> gmail doesn't support verifying ed25519 DKIM signatures.
>
> I’ve had trouble finding any DKIM verification tools that support
> ed25519: Proton Mail (one of the few providers to support ed25519 DKIM
> based on some articles) seems to indicate the ed25519 signature is
> valid.
>
> I’d like to keep both for maximum compatibility while remaining
> future-proof, but I’m not sure what to do about gmail.
>
> Are there any other tools I could use to check that my ed25519 DKIM
> signatures are in fact valid, or, if the issue is simply gmail rejecting
> anything with an algorithm it doesn’t know about (even though this case
> is mentioned in the DKIM specification), is there a way to remove the
> ed25519 signature only for that domain? (even if it means stripping an
> already calculated signature)
>

Have you tried adding the ED25519 signature and, after that, the RSA
signature? I recall that I had seen some bug report somewhere that
opendkim tests only the latest DKIM signature and, if it is
unsupported, it fails.

--
wbr, Kirill
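
Added example, not part of the thread above and not code from OpenSMTPD or opensmtpd-filter-dkimsign: a small Python parser that lists the DKIM-Signature headers of a delivered message in the order they appear (top first) with their algorithm, domain and selector, so the effect of reordering the two signing filters can be checked on a received copy. It does not verify the signatures; the sample message, domain, selectors and `b=`/`bh=` values are constructed placeholders.

```python
import email

# Constructed sample: one message carrying both signatures, as in the
# dual-signing setup discussed above. All values are placeholders.
SAMPLE = b"""\
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.org;
\ts=ed2025; h=from:to:subject:date; bh=PLACEHOLDER=;
\tb=PLACEHOLDER==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
\ts=rsa2025; h=from:to:subject:date; bh=PLACEHOLDER=;
\tb=PLACEHOLDER==
From: sender@example.org
To: rcpt@example.net
Subject: test

body
"""


def parse_tags(value):
    """Split a DKIM tag-list (tag=value; tag=value) into a dict.

    Folding whitespace is dropped from values, which is what a verifier
    does for b= and bh= and is harmless for a=, d= and s=.
    """
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # b= may itself end in '='
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def dkim_signatures(raw):
    """Return the signatures of a raw message, topmost header first."""
    msg = email.message_from_bytes(raw)
    sigs = []
    for pos, value in enumerate(msg.get_all("DKIM-Signature", []), 1):
        t = parse_tags(str(value))
        sigs.append({"pos": pos, "a": t.get("a"),
                     "d": t.get("d"), "s": t.get("s")})
    return sigs


if __name__ == "__main__":
    for sig in dkim_signatures(SAMPLE):
        print(sig["pos"], sig["a"], sig["d"], sig["s"])
```

Feed it the raw source of a message as received (for example the "show original" view saved to a file) and compare the listed order before and after swapping the filters.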
