Problem signing MultipleSignatures from LDAP

From: Patrick Ben Koetter <>
Date: Mon, 21 Nov 2011 12:27:16 +0100

I am having trouble with "bad identity" signatures for sender signatures, but
not for domain level signatures.

To me the obvious problem which breaks identification is an "_at_", which is
added before the actual mail address in the header.i= section:

Authentication-Results: (amavisd-new); dkim=softfail (invalid, bad identity)

This is not the case when I sign at domain level:

Authentication-Results: (amavisd-new); dkim=pass

Identifiers, Selectors and Keys are retrieved from an LDAP backend. The
identifiers are noted as fqdn mail address and subdomain:

I believe this complies with openDKIM's selection algorithm as documented in

        For all other database types, the full user_at_host is checked first,
        then simply host, then user_at_.domain (with all superdomains checked
        in sequence, so "" would first check
        "", then "", then ""),
        then .domain, then user_at_*, and finally *.

Could it be openDKIM erroneously always adds an "_at_"? I tried with as Identifier and ended up with two @@s:

This is as far as I went. Anything beyond would be pure speculation.

Anyone with an idea what I could be doing wrong?


I am using opendkim-2.5.0 Beta 2 and didn't test other versions.

state of mind ()
Digitale Kommunikation
Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666
Amtsgericht München        Partnerschaftsregister PR 563
Received on Mon Nov 21 2011 - 11:27:37 PST
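The lookup order quoted above (full user@host, then host, then user@.domain with its superdomains, then .domain, then user@*, then *) determines which SigningTable entry, and therefore which key and selector, a given sender address is matched to. As an added example that is not part of this post or of OpenDKIM's own code, the following Python builds that candidate list for an address and resolves it against a constructed in-memory table; it reproduces the order as written in the documentation excerpt, assumes superdomains start at the first dot of the host (so "mail.example.com" yields ".example.com" and ".com"), and uses constructed entry names, not any real deployment's values. Walking the candidates for a sender that gets "bad identity" versus one that passes shows which entry each is actually hitting.

```python
"""Candidate-key order for an OpenDKIM-style SigningTable lookup.

This is an illustrative reimplementation of the documented lookup order,
not OpenDKIM's code. Table contents below are constructed sample data.
"""
from typing import Optional


def signing_table_candidates(address: str) -> list[str]:
    """Return the keys to try, in order, for a sender address.

    Order (as documented): user@host, host, user@.domain for every
    superdomain, .domain for every superdomain, user@*, *.
    Assumption: superdomains are taken from the first dot of the host.
    """
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    user, host = address.lower().split("@")
    labels = host.split(".")
    # proper superdomains of host: for a.b.c -> ["b.c", "c"]
    superdomains = [".".join(labels[i:]) for i in range(1, len(labels))]

    candidates = [f"{user}@{host}", host]
    candidates += [f"{user}@.{d}" for d in superdomains]
    candidates += [f".{d}" for d in superdomains]
    candidates += [f"{user}@*", "*"]
    return candidates


def lookup_signing_table(address: str, table: dict[str, str]) -> Optional[tuple[str, str]]:
    """Return (matched_key, entry_name) for the first candidate present in table."""
    for key in signing_table_candidates(address):
        if key in table:
            return key, table[key]
    return None


# Constructed sample SigningTable: key pattern -> KeyTable entry name.
SAMPLE_TABLE = {
    "alice@example.com": "alice-sender-key",   # per-sender entry
    "example.com": "example-domain-key",       # domain-level entry
    ".example.com": "example-subdomain-key",   # any subdomain of example.com
}


def explain(address: str, table: dict[str, str] = SAMPLE_TABLE) -> str:
    """Human-readable trace of which candidate matched (for debugging a lookup)."""
    hit = lookup_signing_table(address, table)
    tried = " -> ".join(signing_table_candidates(address))
    if hit is None:
        return f"{address}: no match (tried {tried})"
    return f"{address}: matched {hit[0]!r} -> {hit[1]} (tried {tried})"


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.com", "carol@mail.example.com", "dave@other.net"):
        print(explain(addr))
```

Running the block prints, for each constructed address, the candidate sequence and the entry it resolves to; comparing the traces for a sender-level and a domain-level address is a quick way to confirm that an LDAP-backed table is returning the entry you expect before looking at the resulting i= value.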
