Re: opendkim-genkey and "r=" tag

From: Giovanni Bajo <>
Date: Fri, 26 Aug 2011 00:25:47 +0200

On 25 Aug 2011, at 20:08, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: [] On Behalf Of SM
>> Sent: Thursday, August 25, 2011 10:19 AM
>> To: Giovanni Bajo
>> Cc:
>> Subject: Re: opendkim-genkey and "r=" tag
>>> DKIM specification (
>>> RFC4871 says in
>>>> If the result returned from the query does not adhere to the
>>>> format defined in this specification, the verifier MUST ignore
>>>> the key record and return PERMFAIL (key syntax error). Verifiers
>>>> are urged to validate the syntax of key records carefully to
>>>> avoid attempted attacks. In particular, the verifier MUST ignore
>>>> keys with a version code ("v=" tag) that they do not implement.
>>> To the best of my understanding, this means that
>>> verifiers adhering to RFC4871 MUST return
>>> PERMFAIL when presented DNS records as produced
>>> by opendkim-genkey by default.
> That's not correct. The syntax referred to here is the "tag=value;" list style, and the output of opendkim-genkey conforms to that syntax. Section 3.6.1 of RFC4871 allows for unknown tags:
> The overall syntax is a tag-list as described in Section 3.2. The
> current valid tags are described below. Other tags MAY be present
> and MUST be ignored by any implementation that does not understand
> them.
> Their presence doesn't break the syntax.

Thanks for the clarification.

>>> In fact, the
>>> gmail verifier does this (as can be inferred by
>>> the header Authentication-Results added by the GMail smtp system).
> Not true. The public key record at contains "r=" and "rs=" tags, and Gmail validates it just fine:
> Authentication-Results:; spf=pass ( domain of designates as permitted sender); dkim=pass (test mode)
> What error are you getting when you try?

Uhm, I was getting "dkim=failed (invalid format)" and the error disappeared when I removed the "r=" tag. But I cannot reproduce this anymore, so I now believe I was simply confused by DNS propagation times while doing several tests.

BTW, these are the headers I get on an e-mail that was sent by my address, to a mailing-list, and then bounced to my address at They look correct to me, with the double signature, but I'd love a double-check:

Received: by with SMTP id v6cs14430pbm;
        Thu, 25 Aug 2011 15:14:50 -0700 (PDT)
Received: by with SMTP id b27mr261724wbb.24.1314310489006;
        Thu, 25 Aug 2011 15:14:49 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id fi20si2760527wbb.11.2011.;
        Thu, 25 Aug 2011 15:14:47 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender); dkim=pass
Received: from (trinity.trilan [])
        by (Postfix) with ESMTP id 483DF621EF7;
        Fri, 26 Aug 2011 00:14:47 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
        s=eolo; t=1314310487;
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.97 at
Received: from [] (
 []) (Authenticated sender: rasky)
 by (Postfix) with ESMTPSA id 35703621EF7
 for <>; Fri, 26 Aug 2011 00:14:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
 s=gongolo; t=1314310485;
From: Giovanni Bajo <>
Date: Fri, 26 Aug 2011 00:14:43 +0200
Message-Id: <>
Mime-Version: 1.0 (Apple Message framework v1244.3)
X-Mailer: Apple Mail (2.1244.3)
Subject: [Depura] test
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <>
List-Unsubscribe: <>,
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>,
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

For the double signing, we simply configured dkim with "SenderHeaders Sender,From", giving precedence to Sender when available (so that it picks up the mailing-list in the bounces). I've seen the Resign* options in opendkim.conf but I'm not sure how they are an improvement over our current setup. Can somebody clarify this maybe?

Giovanni Bajo   ::
Develer S.r.l.  ::
My Blog:
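As an added example (not code from this thread or from OpenDKIM), a minimal Python key-record parser that applies the two RFC 4871 rules discussed above: the tag-list syntax (Section 3.2) and an unsupported "v=" lead to PERMFAIL, while unknown tags such as "r=" and "rs=" are simply ignored (Section 3.6.1). The record values are constructed samples, not real keys.

```python
import re

# RFC 4871 Section 3.2: tag-list = tag-spec *( ";" tag-spec ) [ ";" ]
# tag-name = ALPHA *(ALPHA / DIGIT / "_")
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Key record tags defined in RFC 4871 Section 3.6.1; anything else is
# an unknown tag that MAY be present and MUST be ignored.
KNOWN_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}


class PermFail(Exception):
    """Verifier result for an unusable key record (key syntax error etc.)."""


def parse_tag_list(record: str) -> dict:
    """Parse a DKIM tag=value list; raise PermFail on syntax errors."""
    tags = {}
    specs = record.split(";")
    if specs and specs[-1].strip() == "":
        specs.pop()  # a single trailing ";" is allowed by the grammar
    for spec in specs:
        if "=" not in spec:
            raise PermFail("key syntax error: no '=' in %r" % spec.strip())
        name, value = spec.split("=", 1)
        name, value = name.strip(), value.strip()
        if not TAG_NAME.match(name):
            raise PermFail("key syntax error: bad tag name %r" % name)
        if name in tags:  # duplicate tag names invalidate the whole list
            raise PermFail("key syntax error: duplicate tag %r" % name)
        tags[name] = value
    return tags


def validate_key_record(record: str) -> dict:
    """Return the tags a verifier may use, dropping unknown ones."""
    tags = parse_tag_list(record)
    # v= is optional and defaults to DKIM1; any other version MUST be
    # ignored by a verifier that does not implement it.
    if tags.get("v", "DKIM1") != "DKIM1":
        raise PermFail("unsupported key version %r" % tags["v"])
    if "p" not in tags:  # p= is required (an empty p= means revoked)
        raise PermFail("key syntax error: missing p= tag")
    return {name: val for name, val in tags.items() if name in KNOWN_TAGS}


def check_key_record(record: str) -> str:
    """Convenience wrapper: 'ok' or the PERMFAIL reason."""
    try:
        validate_key_record(record)
        return "ok"
    except PermFail as err:
        return "PERMFAIL (%s)" % err
```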
Received on Thu Aug 25 2011 - 22:25:59 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:19 PST