Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation?
> On May 9, 2025, at 8:04 AM, Ken Biggs via Postfix-users > <postfix-users@postfix.org> wrote: > > I'm running spamass-milter. > /etc/mail/spamassassin/v312.pre already has loadplugin > Mail::SpamAssassin::Plugin::DKIM. > Not seeing AuthRes anywhere in /etc/mail/spamassassin. > So, I'm assuming the X-Spam-Status: tests=DKIM_INVALID,DKIM_SIGNED are > SpamAssassin's agreement with OpenDKIM's Authentication-Results: dkim=fail > reason="signature verification failed". I haven't seen any conflict between > the dkim validation results so far. > > It's great to know Matus is using the same combination and not seeing > frequent DKIM failures, so it's my setup somehow. > > I'm not using smtp proxy and I don't believe I have any content filter set > up. > > I've tried running opendkim as the only milter (commenting out opendmarc and > spamassassin). There were no changes to validation results. > > >> On May 9, 2025, at 6:17 AM, Matus UHLAR - fantomas via Postfix-users >> <postfix-users@postfix.org> wrote: >> >> On 09.05.25 12:58, Dmitriy Alekseev via Postfix-users wrote: >>> Did maybe you considering spin up rspamd proxy + normal instead of >>> sa+opendkim+opendmarc, even if you do not move in end to rspamd you will at >>> least get what issue relates to. It useless to honestly trying to analyze >>> eml with modifications due to anonymization in scope of understanding why >>> dkim broken, because now it's definitely broken ;) >> >> This makes no sense. I use the mentioned combination and have no issue with >> it. >> >> If OP uses content filter in front of the mailserver, changing spam >> filtering will not fix the issue. >> >> Dan has already recommended checking DKIM in SpamAssassin to see if it helps. >> >>> On Fri, 9 May 2025, 09:30 Matus UHLAR - fantomas via Postfix-users, < >>> postfix-users@postfix.org> wrote: >>> >>>> On 08.05.25 15:06, Ken Biggs via Postfix-users wrote: >>>>> OpenDKIM is failing signature verification on most incoming emails. Out >>>> of >>>>> 1,146 incoming emails, 173 have been successfully verified and 973 have >>>>> "bad signature data". The failing emails include email from google, >>>>> amazon, sailthru, and many other reasonably technically capable firms >>>>> that I would expect to verify successfully. I have tested DNS lookups >>>> and >>>>> have found no issues with querying for the DKIM record. I have >>>> researched >>>>> for hours trying to find something helpful, but the few posts that >>>> aren't >>>>> specifically dealing with signing emails don't seem to address the >>>> issues >>>>> I'm seeing. BTW ... outgoing emails are signed properly and passing >>>> DKIM >>>>> validation. >>>>> >>>>> I'm running: >>>>> Rocky Linux release 9.5 >>>>> Postfix 3.5.25 >>>>> OpenDKIM 2.11.0-0.34 >>>>> OpenDMARC 1.4.2-22 >>>>> SpamAssassin 3.4.6-5 >>>>> >>>>> main.cf has the following milter declarations: >>>>> milter_default_action = accept >>>>> milter_protocol = 6 >>>>> smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893 >>>> ,unix:/run/spamass-milter/spamass-milter.sock >>>>> non_smtpd_milters = $smtpd_milters >>>>> >>>>> master.cf has: >>>>> policyd-spf unix - n n - 0 spawn >>>>> user=policyd-spf argv=/usr/libexec/postfix/policyd-sp >>>>> >>>>> I currently have opendmarc config RejectFailures set to false due to this >>>> issue. I would like to set it back to true. >>>> >>>> is your server behind a content filter? >>>> Don't you use smtp proxy by any chance? >> >> -- >> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ >> Warning: I wish NOT to receive e-mail advertising to this address. >> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. >> I feel like I'm diagonally parked in a parallel universe. >> _______________________________________________ >> Postfix-users mailing list -- postfix-users@postfix.org >> To unsubscribe send an email to postfix-users-le...@postfix.org > > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org