What breaks the validity of DKIM signature?

Sat, 20 Dec 2025 04:28:54 -0800 

Hi,

a news mail came in from firstmallorca.com. opendkim says successful
Dez 20 08:00:40 mx1 opendkim[972]: BBB3460101: mail39.wdc01.mcdlv.net [205.201.129.39] not internal 
Dez 20 08:00:40 mx1 opendkim[972]: BBB3460101: not authenticated
Dez 20 08:00:40 mx1 opendkim[972]: BBB3460101: DKIM verification successful Dez 20 08:00:40 mx1 opendkim[972]: BBB3460101: s=k1 d=firstmallorca.com a=rsa-sha256 SSL 
Dez 20 08:00:40 mx1 opendmarc[957]: BBB3460101: firstmallorca.com pass

In the mail header I get to see:
Authentication-Results: mx1.example.de; dmarc=pass (p=reject dis=none) header.from=firstmallorca.com 
Authentication-Results: mx1.example.de;
dkim=pass (1024-bit key; unprotected) header.d=firstmallorca.com [email protected] header.a=rsa-sha256 header.s=k1 header.b=t+rpCL9D; 
        dkim-atps=neutral
Received: from mail39.wdc01.mcdlv.net (mail39.wdc01.mcdlv.net [205.201.129.39])
But SA comes to the result DKIM_INVALID with a high value for DMARC_REJECT 
 X-Spam-Status: Yes, score=5.426 tagged_above=1 required=5
tests=[BAYES_00=-0.1, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, DMARC_REJECT=1.797, 
 HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,

reject confirmend
_dmarc.firstmallorca.com. 300   IN      TXT     "v=DMARC1; p=reject; rua=mailto:
I pipelined a copy of the mail (fetched with doveadm) to my DKIM-Checker: 

./scripts/check_dkim.pl < testmails/mail-dkim-firstmallorca.eml
signatures: 1
sig: d=firstmallorca.com s=k1 [email protected]
  result: fail
  detail: fail (message has been altered)
  tag v=1
  tag a=rsa-sha256
  tag c=relaxed/relaxed
  tag d=firstmallorca.com
  tag s=k1
  tag [email protected]
  tag t=1766214038
  tag x=1766484038
tag h=Subject:From:Reply-To:To:Date:Message-ID:X-MC-User:Feedback-ID: List-ID:List-Unsubscribe:List-Unsubscribe-Post:Content-Type: MIME-Version:CC:Date:Subject:From 
  tag bh=x23d1Jp8QIC6cWNg9byMPFlf9SEETe2GJc77Tr+SasY=
tag b=t+rpCL9D/ucbW17uscATkHJGdvqkotQZOXCQX50go8rJhj2MmaOFiN1vODw8L9wxl nTBrSQxIO4O9oaxh4eD2QMDAbHdF4/49i4Dq2JGODfIF+8hHxP/sbD8JTs/5Lf2gXU vEmT5LvQrit84jMe1UoDP8VKXIFKqjfBXFVSJyG8= 
overall: fail
The mail-flow is simple. Postfix -> Amavis[SpamAssassin] -> Postfix -> Dovecot(lmtp).
I need to find out what is causing the validity to be broken. What is the best way to deal with this problem? I dont want to whitelist Mailchimp(.mcdlv.net) 

Best regards,
Thomas B.

Reply via email to