Looking at the maillog, I notice policyd-spf is running before opendkim.  Could 
that be modifying the email before dkim validation?

> On May 9, 2025, at 8:04 AM, Ken Biggs via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> I'm running spamass-milter.
> /etc/mail/spamassassin/v312.pre already has loadplugin 
> Mail::SpamAssassin::Plugin::DKIM.
> Not seeing AuthRes anywhere in /etc/mail/spamassassin.
> So, I'm assuming the X-Spam-Status: tests=DKIM_INVALID,DKIM_SIGNED are 
> SpamAssassin's agreement with OpenDKIM's Authentication-Results: dkim=fail 
> reason="signature verification failed".  I haven't seen any conflict between 
> the dkim validation results so far.
> 
> It's great to know Matus is using the same combination and not seeing 
> frequent DKIM failures, so it's my setup somehow.
> 
> I'm not using smtp proxy and I don't believe I have any content filter set 
> up.  
> 
> I've tried running opendkim as the only milter (commenting out opendmarc and 
> spamassassin).  There were no changes to validation results.
> 
> 
>> On May 9, 2025, at 6:17 AM, Matus UHLAR - fantomas via Postfix-users 
>> <postfix-users@postfix.org> wrote:
>> 
>> On 09.05.25 12:58, Dmitriy Alekseev via Postfix-users wrote:
>>> Did maybe you considering spin up rspamd proxy + normal instead of
>>> sa+opendkim+opendmarc, even if you do not move in end to rspamd you will at
>>> least get what issue relates to. It useless to honestly trying to analyze
>>> eml with modifications due to anonymization in scope of understanding why
>>> dkim broken, because now it's definitely broken ;)
>> 
>> This makes no sense. I use the mentioned combination and have no issue with 
>> it.
>> 
>> If OP uses content filter in front of the mailserver, changing spam 
>> filtering will not fix the issue.
>> 
>> Dan has already recommended checking DKIM in SpamAssassin to see if it helps.
>> 
>>> On Fri, 9 May 2025, 09:30 Matus UHLAR - fantomas via Postfix-users, <
>>> postfix-users@postfix.org> wrote:
>>> 
>>>> On 08.05.25 15:06, Ken Biggs via Postfix-users wrote:
>>>>> OpenDKIM is failing signature verification on most incoming emails.  Out
>>>> of
>>>>> 1,146 incoming emails, 173 have been successfully verified and 973 have
>>>>> "bad signature data".  The failing emails include email from google,
>>>>> amazon,  sailthru, and many other reasonably technically capable firms
>>>>> that I would expect to verify successfully.  I have tested DNS lookups
>>>> and
>>>>> have found no issues with querying for the DKIM record.  I have
>>>> researched
>>>>> for hours trying to find something helpful, but the few posts that
>>>> aren't
>>>>> specifically dealing with signing emails don't seem to address the
>>>> issues
>>>>> I'm seeing.  BTW ...  outgoing emails are signed properly and passing
>>>> DKIM
>>>>> validation.
>>>>> 
>>>>> I'm running:
>>>>> Rocky Linux release 9.5
>>>>> Postfix 3.5.25
>>>>> OpenDKIM 2.11.0-0.34
>>>>> OpenDMARC 1.4.2-22
>>>>> SpamAssassin 3.4.6-5
>>>>> 
>>>>> main.cf has the following milter declarations:
>>>>> milter_default_action = accept
>>>>> milter_protocol = 6
>>>>> smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
>>>> ,unix:/run/spamass-milter/spamass-milter.sock
>>>>> non_smtpd_milters = $smtpd_milters
>>>>> 
>>>>> master.cf has:
>>>>> policyd-spf  unix  -       n       n       -       0       spawn
>>>>>   user=policyd-spf argv=/usr/libexec/postfix/policyd-sp
>>>>> 
>>>>> I currently have opendmarc config RejectFailures set to false due to this
>>>> issue.  I would like to set it back to true.
>>>> 
>>>> is your server behind a content filter?
>>>> Don't you use smtp proxy by any chance?
>> 
>> -- 
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> I feel like I'm diagonally parked in a parallel universe.
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org
> 
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to