Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-04 Thread Tobias Fiebig via mailop

Heho,

> Check that no other filters alter those fields after signing.  Can
> you sign messages off-line?  Do Bcc: copies verify? (Use any off-line
> dkim verifier.)
You can also give https://email-security-scans.org/ a try and
(important!) select "Store my emails so I can download them later."
before requesting the test mail.

Then, when you click 'Download Data', you get the mbox files of the
messages as we received them; you can then try to further debug this
with dkimverify locally, i.e., edit the mbox file to change things, run
dkimverify, and see if that was what made the sig fail.

Of course, even if you store emails, as soon as you click 'Delete
Test', they are removed. ;-)

With best regards,
Tobias

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-04 Thread Alessandro Vesely via mailop

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:

> Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.
>
> “I see you've included a DKIM signature. I've retrieved the public key from
> 1._domainkey.warwickri.gov
> The signature failed validation. The Auth Result is fail.”

A failing signature should mean a header change.  That's also what I get from 
your posts on mailop, signature verification failed (otherwise would've been 
body hash mismatch).  Can you turn on z= tags?  Otherwise try carefully 
comparing the signed fields, from: subject: to: date:, message-id: and the 
signature itself.


Check that no other filters alter those fields after signing.  Can you sign 
messages off-line?  Do Bcc: copies verify? (Use any off-line dkim verifier.)



Good luck
Ale
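
The comparison suggested above, as an added example that is not part of any post in this thread: it applies DKIM's relaxed canonicalization (RFC 6376) to the h= fields of a copy as sent and a copy as received, so whitespace-only refolding is ignored and only real changes are reported, and it recomputes bh=. It does not verify the RSA signature; the sample messages, addresses and function names are constructed for illustration.

```python
import base64, hashlib, re

def split_message(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:  # folded continuation line
            fields[-1][1] += b"\r\n" + line
        else:
            name, _, value = line.partition(b":")
            fields.append([name.strip().lower(), value])
    return fields, body

def relaxed_header(name, value):  # RFC 6376 section 3.4.2
    value = re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b"")).strip(b" ")
    return name + b":" + value

def relaxed_body_hash(body):  # RFC 6376 section 3.4.4, then the bh= encoding
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def signed_view(raw):
    fields, body = split_message(raw)
    sig = re.sub(rb"\s+", b"", next(v for n, v in fields if n == b"dkim-signature"))
    tags = dict(t.split("=", 1) for t in sig.decode().split(";") if "=" in t)
    pool, view = list(fields), []
    for want in tags["h"].lower().encode().split(b":"):
        # A name repeated in h= consumes header instances from the bottom up.
        idx = [i for i, (n, _) in enumerate(pool) if n == want]
        view.append(relaxed_header(*pool.pop(idx[-1])) if idx else want + b":<absent>")
    return tags, view, relaxed_body_hash(body)

def diagnose(sent, received):
    tags, s_view, _ = signed_view(sent)
    _, r_view, r_bh = signed_view(received)
    changed = [s.split(b":")[0].decode() for s, r in zip(s_view, r_view) if s != r]
    return {"body_hash_ok": r_bh == tags["bh"], "changed_headers": changed}

# Constructed sample: b= is a placeholder, bh= is computed from BODY.
BODY = b"Test body  \r\n\r\n"
SENT = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=1; c=relaxed/relaxed;\r\n"
        b" h=from:subject:to:date:message-id; bh=" + relaxed_body_hash(BODY).encode() +
        b"; b=PLACEHOLDER\r\nFrom: a@example.org\r\nSubject: Budget meeting\r\n"
        b"To: b@example.net\r\nDate: Fri, 3 Mar 2023 09:00:00 -0500\r\nMessage-ID: <1@example.org>\r\n\r\n" + BODY)
# A filter tags the Subject after signing; To: is only refolded (harmless under relaxed).
RECEIVED = SENT.replace(b"Subject: ", b"Subject: [EXT] - ").replace(b"To: ", b"To:\r\n  ")
```

`diagnose(SENT, RECEIVED)` reports the body hash as intact and `subject` as the only changed signed field, which is the header-change case described above rather than a body hash mismatch.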

Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-03 Thread Salvatore Jr Walter P via mailop
Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.

“I see you've included a DKIM signature. I've retrieved the public key from 
1._domainkey.warwickri.gov
The signature failed validation. The Auth Result is fail.”

Now I am really confused. I checked what the link you shared showed and what we 
sent to our ISP and everything seems to match up. Could it be a propagation 
issue? Our DNS host provider added the settings 2 days ago, so I assumed it 
should be working by now?


From: mailop On Behalf Of Mark Alley via mailop
Sent: Friday, March 3, 2023 11:59 AM
To: mailop@mailop.org
Subject: [EXT] - Re: [mailop] New member, trying to bring our mail server 
inline.


The selector seems to just be "1", of which the published record appears to be 
valid in DNS.

https://tools.wordtothewise.com/dkim/check/warwickri.gov/1

DNS propagation (https://dnschecker.org/#TXT/1._domainkey.warwickri.gov) shows 
the DKIM record is resolvable across the internet, so resolution isn't the 
problem, and it appears to be syntactically valid.

@Salvatore - if you send a test message to the address provided to you on 
https://learndmarc.com, it will show you authentication results of direct 
messages from your mail server which you can use to troubleshoot authentication 
further.

- Mark Alley


On 3/3/2023 10:27 AM, Laura Atkins via mailop wrote:
Based on the headers of the message you sent here (to mailop), you have yet to 
actually publish a public key in DNS.

https://tools.wordtothewise.com/dkim/check/warwickri/1677852725

laura


On 3 Mar 2023, at 14:12, Salvatore Jr Walter P via mailop 
<mailto:mailop@mailop.org> wrote:

We are in the final stages of migrating our exchange server from 2013 to 2019.
I found out we had no SPF, DMARC, DKIM etc setup on our domains.

Trying to get us setup properly and have SPF and DMARC working, DKIM is another 
story.
Setup on the server, sent the key to our ISP for the DNS to be added.
Headers show the signature is being included.

DKIM-Signature: v=1; a=rsa-sha256; d=redacted.gov; s=1;
c=relaxed/relaxed;
t=1677851456; h=from:subject:to:date:message-id;(rest of key)


Also from the headers:


Authentication-Results: inbound.redacted.net;
 spf=pass smtp.mailfrom=redacted@ redacted.gov;
 dkim=fail header.d= redacted.gov;
 dmarc=pass (policy=none; pct=100; status=pass);
 arc=none

Any suggestion where to go from here? We are having all emails blocked by AT, 
no idea why so trying to get all our ducks in a row and make sure we are doing 
everything the “right” way.

--
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog







