Re: Strange error messages

From: Todd Lyons <>
Date: Mon, 20 Dec 2010 07:53:57 -0800

On Mon, Dec 20, 2010 at 6:50 AM, John Coppens <> wrote:
> Hello people.
> I have an account at Dreamhost. I use the SMTP service to send my mail,
> and, as such, it gets signed by the served with DKIM signatures.
> Each time I post a message to the mailing list, I get a
> message from warning about a problem.
> I can't find out why these messages are generated - AFAICS,
> is not a validating service, and has nothing to do with the mailing
> list (except maybe a subscriber). Could this be a configuration error
> at Dreamhost? or at

Yes, is a subscriber to the mailing list, that's my
personal mail account, and I am subscribed to the PIC ML.

Looking at the message from my server that you sent, it's not the DKIM
sig that's causing it, it's a message from my Domain Key verification
daemon. Since that software is old and not maintained any more, I've
removed it from my sendmail. So you should at least stop getting that

However, It's not a configuration error on anybody's part, it's just a
notice (likely) that the verification of your signature isn't matching
what's in the email headers. This almost certainly because the
mailing list software that MIT uses changes one of the signed headers,
likely the Subject field.

> I'm not too familiar with DomainKeys and DKIM, but from what I read,
> this shouldn't be happening ;)

We'll step through it and show you why it is.

Your message included these two headers. Note how they both use the
same selector (s= field) and both signed the subject header.

> DomainKey-Signature: a=rsa-sha1; c=nofws;; h=date:from:to
>        :subject:message-id:in-reply-to:references:mime-version
>        :content-type:content-transfer-encoding; q=dns;;
>        b=e4AZ/MNt5E3MvSIcXy3cHXbRMJ+kVQDNaf5MjnmrTOjx3OkXPgTNB5b6XIOi/
>        Y1CstgJ2BoY5FtykqWZmI6S4v0j2v6u/vpCvKnrA6/iZzZQfPNDNE4ubF3kuG3u3
>        X36ld+EnoIaA0rSLOwN+ZzSz6nHRTCU2yEPyPp6Y4TrAts=
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date:from
>        :to:subject:message-id:in-reply-to:references:mime-version
>        :content-type:content-transfer-encoding;; bh=nbsD
>        X9qScq9bOo+7s/pvLutFbzQ=; b=TW36dnp9e0kysNRDRAuWfHGCpJTg2scBJNCE
>        TirSuz3viCwoLiLG2+UKohbX1Ks1WAvcbwIfr8DwSkHpxfZGDRE5n7Ze79D5QixU
>        810JtxkJ0Ex8OARaT1MG5Ak2bilR1ecp6s9xl+bvJKrLgl+IvOIRqD1eszKCHTvL
>        0tR7Owg=

Now we look up your information in dns:

# dig +short -t txt
# dig +short -t txt
"k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8K7UjR0rGjI4tib7+acHv+hWru/ms+BDW82j3XH3HTfBkI2IMYkTv/A0cuODgcMV2XoGRr5m4EnKMeTrU+irP42PmEJt+/3pugSa/x6Z37yc53GXzU3b3ARi6PGDBSOo1gF0LLZUNAeCbqvOogOVwGCq4qLTNAA8dYqlRxnbFlQIDAQAB"

The first line is a policy line, and from RFC 4870 (for domain keys,
not DKIM), the r= means:
    r = A reporting email address. If present, this defines the email
          address where invalid verification results are reported.

Since your domainkey signature fails, my daemon was sending you a
report saying that it failed (though it didn't have anything more to
report other than "it failed") because your policy line specifies an
email address to send it to.

Again, I have removed the domainkey milter from my system, so if you
still get any emails from my server, it should reference dkim, not
domain keys.
Regards...      Todd
I seek the is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurealius
Received on Mon Dec 20 2010 - 15:54:23 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:50 PST