OpenDKIM is failing signature verification on most incoming emails.  Out of 
1,146 incoming emails, 173 have been successfully verified and 973 have "bad 
signature data".  The failing emails include email from Google, Amazon,
Sailthru, and many other reasonably technically capable firms that I would
expect to verify successfully.  I have tested DNS lookups and have found no 
issues with querying for the DKIM record.  I have researched for hours trying 
to find something helpful, but the few posts that aren't specifically dealing 
with signing emails don't seem to address the issues I'm seeing.  BTW ... 
outgoing emails are signed properly and passing DKIM validation.

I'm running:
Rocky Linux release 9.5
Postfix 3.5.25
OpenDKIM 2.11.0-0.34
OpenDMARC 1.4.2-22
SpamAssassin 3.4.6-5

main.cf has the following milter declarations:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893,unix:/run/spamass-milter/spamass-milter.sock
non_smtpd_milters = $smtpd_milters

master.cf has:
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/libexec/postfix/policyd-sp

I currently have opendmarc config RejectFailures set to false due to this 
issue.  I would like to set it back to true.

Here is an example DKIM failure from the maillog:
May  8 14:40:44 primary postfix/smtpd[672210]: connect from 
maile-af.linkedin.com[108.174.3.198]
May  8 14:40:45 primary postfix/smtpd[672210]: Anonymous TLS connection 
established from maile-af.linkedin.com[108.174.3.198]: TLSv1.2 with cipher 
ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
May  8 14:40:45 primary policyd-spf[672216]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'helo']"
May  8 14:40:45 primary policyd-spf[672216]: Pass; identity=helo; 
client-ip=108.174.3.198; helo=maile-af.linkedin.com; 
envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
 receiver=<UNKNOWN>
May  8 14:40:45 primary policyd-spf[672216]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'mailfrom']"
May  8 14:40:45 primary policyd-spf[672216]: Pass; identity=mailfrom; 
client-ip=108.174.3.198; helo=maile-af.linkedin.com; 
envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
 receiver=<UNKNOWN>
May  8 14:40:45 primary policyd-spf[672216]: prepend Received-SPF: Pass 
(mailfrom) identity=mailfrom; client-ip=108.174.3.198; 
helo=maile-af.linkedin.com; 
envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
 receiver=<UNKNOWN>
May  8 14:40:45 primary postfix/smtpd[672210]: 603932014E: 
client=maile-af.linkedin.com[108.174.3.198]
May  8 14:40:45 primary postfix/cleanup[672217]: 603932014E: 
message-id=<1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com>
May  8 14:40:45 primary opendkim[671562]: 603932014E: maile-af.linkedin.com 
[108.174.3.198] not internal
May  8 14:40:45 primary opendkim[671562]: 603932014E: not authenticated
May  8 14:40:45 primary opendkim[671562]: 603932014E: message has signatures 
from maile.linkedin.com, linkedin.com
May  8 14:40:45 primary opendkim[671562]: 603932014E: signature=hpodGVG7 
domain=maile.linkedin.com selector=d2048-202308-0e result="signature 
verification failed"; signature=c7qBDZxE domain=linkedin.com 
selector=d2048-202308-00 result="signature verification failed"
May  8 14:40:45 primary opendkim[671562]: 603932014E: bad signature data
May  8 14:40:45 primary opendmarc[754]: 603932014E: linkedin.com fail
May  8 14:40:45 primary spamd[547780]: spamd: connection from ::1 [::1]:48946 
to port 783, fd 5
May  8 14:40:45 primary spamd[547780]: spamd: setuid to sa-milt succeeded
May  8 14:40:45 primary spamd[547780]: spamd: processing message 
<1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com> for 
sa-milt:988
May  8 14:40:46 primary spamd[547780]: spamd: clean message (-0.9/5.0) for 
sa-milt:988 in 0.4 seconds, 87062 bytes.
May  8 14:40:46 primary spamd[547780]: spamd: result: . 0 - 
DKIM_ADSP_ALL,DKIM_INVALID,DKIM_SIGNED,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS,SPF_PASS 
scantime=0.4,size=87062,user=sa-milt,uid=988,required_score=5.0,rhost=::1,raddr=::1,rport=48946,mid=<1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com>,autolearn=ham autolearn_force=no
May  8 14:40:46 primary postfix/qmgr[671668]: 603932014E: 
from=<s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com>,
 size=86355, nrcpt=1 (queue active)
May  8 14:40:46 primary postfix/local[672219]: 603932014E: to=<y...@xxx.com>, 
orig_to=<x...@xxx.com>, relay=local, delay=0.88, delays=0.88/0/0/0, dsn=2.0.0, 
status=sent (delivered to mailbox)
May  8 14:40:46 primary postfix/qmgr[671668]: 603932014E: removed

Here are example headers from an email that failed:


Return-Path: <delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com>
X-Original-To: x...@xxx.com
Delivered-To: y...@xxx.com
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.64.236.197; 
helo=mta236-197.sailthru.com; 
envelope-from=delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com;
 receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 xxx.xxx.com C93372014E
Authentication-Results: OpenDMARC; dmarc=fail (p=quarantine dis=none) 
header.from=seekingalpha.com
DKIM-Filter: OpenDKIM Filter v2.11.0 xxx.xxx.com C93372014E
Authentication-Results: xxx.xxx.com;
dkim=fail reason="signature verification failed" (1024-bit key, unprotected) 
header.d=seekingalpha.com header.i=acco...@seekingalpha.com header.a=rsa-sha256 
header.s=sailthru header.b=TPGE51O3
Received: from mta236-197.sailthru.com (mta236-197.sailthru.com 
[192.64.236.197])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
(No client certificate requested)
by xxx.xxx.com (Postfix) with ESMTPS id C93372014E
for <x...@xxx.com>; Thu,  8 May 2025 14:58:21 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sailthru; 
d=seekingalpha.com;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
 List-Unsubscribe-Post:List-Unsubscribe; i=acco...@seekingalpha.com;
 bh=FCQykKB53iTKMbiQdQIBzJJvCkiK62WqM9lvqYBuXiM=;
 b=TPGE51O33zqGWAvJNIIERbISsEQpXrB7745+sSy6Sq7ffVlQWE1iIklbwbw6DpM/jiNHN7+43iMw
   Ml6ciI9zHHVwHyKYw87syYir9iTPdPkt32EHJSWJ9Qwhf728j18JZQYIF99GbdQO7f8nv4i45H9m
   3rh/kuJ2he9/dAB5UpI=
Received: from aws1-mta-relay2.sailthru.cloud (10.55.73.49) by 
pmta39.sailthru.com id h3k6do3791s5 for <x...@xxx.com>; Thu, 8 May 2025 
14:58:20 -0500 (envelope-from 
<delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com>)
Date: Thu, 8 May 2025 15:58:20 -0400 (EDT)
From: Must Reads <acco...@seekingalpha.com>
Reply-To: mustre...@seekingalpha.com
To: x...@xxx.com
Message-ID: <20250508155820.39786194.374...@sailthru.com>
Subject: Must Reads: Build A 12%+ Yield On Cost By 2035 With May's Top 10  
High-Yield Picks
Content-Type: multipart/alternative;  
boundary="----=_Part_75818925_56239244.1746734300700"
Precedence: bulk
x-job: 9033-39786194-20250508
X-Feedback-ID: 9033:39786194:campaign:sailthru
X-TM-ID: 20250508155820.39786194.374146
X-Info: Message sent by sailthru.com customer Seeking Alpha
X-Info: We do not permit unsolicited commercial email
X-Info: Please report abuse by forwarding complete headers to
X-Info: ab...@sailthru.com
X-JMailer: aws-campaign-mailer-24.sailthru.cloud
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-Unsubscribe-Web: 
https://email-st.seekingalpha.com/oc/60abf181ef8c55711e279b55nor82.80oy/5eec21d4
List-Unsubscribe: 
<https://email-st.seekingalpha.com/oc/60abf181ef8c55711e279b55nor82.80oy/5eec21d4>,<mailto:unsubscribe_20250508155820.39786194.374...@mx.sailthru.com>
X-rpcampaign: stnjl39786194
X-Spam-Status: No, score=1.2 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
HTML_IMAGE_RATIO_08,HTML_MESSAGE,INVESTMENT_ADVICE,
MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,RCVD_IN_VALIDITY_RPBL_BLOCKED,
RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED
autolearn=no autolearn_force=no version=3.4.6
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on xxx.xxx.com


Please let me know if I can provide any additional information that might help 
uncover the problem.

THANK YOU in advance for any light you can shine on this issue!!!
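
Added example, not part of the original post: a Python tally of OpenDKIM's per-signature result lines, in the format of the maillog excerpt above, grouped by signing domain, selector and result, to show whether failures cluster on particular signers or hit every signer alike. The sample log is constructed: its first two lines are the post's LinkedIn entry with the mail-client line wrapping undone, while the example.* entries, their queue IDs and the result text "constructed non-failure result" are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the post's maillog (lines unwrapped).
# The example.* entries and "constructed non-failure result" are made up.
SAMPLE_LOG = '''\
May  8 14:40:45 primary opendkim[671562]: 603932014E: signature=hpodGVG7 domain=maile.linkedin.com selector=d2048-202308-0e result="signature verification failed"; signature=c7qBDZxE domain=linkedin.com selector=d2048-202308-00 result="signature verification failed"
May  8 14:40:45 primary opendkim[671562]: 603932014E: bad signature data
May  8 14:41:02 primary opendkim[671562]: 0A1B2C3D4E: signature=AAAAAAAA domain=example.com selector=s1 result="signature verification failed"
May  8 14:41:30 primary opendkim[671562]: 1F2E3D4C5B: signature=BBBBBBBB domain=example.net selector=k1 result="constructed non-failure result"
'''

# Only opendkim lines whose payload starts with "signature=" carry results.
LINE_RE = re.compile(r'opendkim\[\d+\]: (?P<qid>\w+): (?P<rest>signature=.*)$')
SIG_RE = re.compile(
    r'signature=(?P<sig>\S+) domain=(?P<domain>\S+) '
    r'selector=(?P<selector>\S+) result="(?P<result>[^"]*)"')

def parse_results(log_text):
    """Yield one record per signature; a message may carry several."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # verdict lines, postfix, spamd and other daemons
        for s in SIG_RE.finditer(m.group('rest')):
            yield {'qid': m.group('qid'), **s.groupdict()}

def summarize(log_text):
    """Count signatures per (domain, selector, result) and messages per result."""
    per_key = Counter()
    msgs = defaultdict(set)
    for r in parse_results(log_text):
        per_key[(r['domain'], r['selector'], r['result'])] += 1
        msgs[r['result']].add(r['qid'])
    return per_key, {res: len(qids) for res, qids in msgs.items()}

if __name__ == '__main__':
    per_key, per_result = summarize(SAMPLE_LOG)
    for (domain, selector, result), n in per_key.most_common():
        print(f'{n:5d}  {domain}  {selector}  {result}')
    print(per_result)
```

To run it on real data, pass the text of the mail log to `summarize()` in place of `SAMPLE_LOG`.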