Re: DKIM hardfail (with eg. google or test sites)

From: Scott Kitterman
Date: Fri, 15 Mar 2013 10:00:53 -0400

On Friday, March 15, 2013 06:34:15 AM Murray S. Kucherawy wrote:
> On Fri, 15 Mar 2013, Matthias Weiss wrote:
> > We configured our mail server (postfix) to use OpenDKIM about 1 year ago
> > and it was working flawlessly.
> >
> > Today I discovered that our mail signing with OpenDKIM isn't working any
> > more, it fails at Google Mail but also with email test sites.
> >
> > Since last year our mail server setup wasn't changed in any significant
> > way, e.g. I tweaked the bounce queue settings in postfix a bit, but no
> > major changes in our setup. The opendkim setup remained unchanged. We
> > did some software updates for postfix and opendkim, but that's it. Our
> > current versions are postfix 2.9.5 opendkim-2.6.7-r1
> >
> > Can anyone suggest a strategy how I can find out why our headers get
> > signed wrongly suddenly?
>
> I can't think of anything changed up to 2.6.7 that would explain a sudden
> failure like this. Since you can't get debugging information out of
> Gmail, the first suggestion I have is to turn on Diagnostics, send a
> message to them, and then observe what might have changed between signing
> by looking at the "z=" value compared with the header fields you can see
> once the mail gets delivered to Gmail.
> You should also read DEBUG FEATURES in opendkim/README for some hints
> about what to try in terms of capturing debugging data. That section is
> in need of work because there are other debug tools available to you, but
> that's a decent starting point. If you're still stuck after checking
> those things, let us know and I can provide some more suggestions.

2.6.7 is before the changes relative to warning about small keys. It might be
that the OP is using a key that is smaller than Google is now willing to

Scott K
Received on Fri Mar 15 2013 - 14:01:09 PST
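
The comparison suggested in the quoted reply (the "z=" value against the header fields visible after delivery), as an added Python example that is not part of the original thread or of OpenDKIM. The sample message, domain and selector are constructed, and values are compared after whitespace normalisation, which is an assumption that fits relaxed header canonicalization only.

```python
import re
from email import message_from_string

# Constructed sample of a delivered message; domain, selector, bh= and b= are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;
 h=From:To:Subject:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=;
 z=From:alice@example.com|To:bob@example.net|
 Subject:Weekly=20report|Date:Fri,=2015=20Mar=202013=2010:00:00=20-0400|
 X-Mailer:demo=7C1.0
From: alice@example.com
To:   bob@example.net
Subject: [list] Weekly report
Date: Fri, 15 Mar 2013 10:00:00 -0400
"""

def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    pairs = (p.split("=", 1) for p in sig_value.split(";") if "=" in p)
    return {name.strip(): value.strip() for name, value in pairs}

def decode_z(z_value):
    """Decode z=: '|'-separated header fields in dkim-quoted-printable."""
    fields = []
    for item in re.sub(r"\s+", "", z_value).split("|"):  # folding whitespace is ignored
        raw = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), item)
        name, _, value = raw.partition(":")
        fields.append((name.lower(), value))
    return fields

def relaxed(value):
    """Assumption: compare after unfolding and collapsing whitespace runs."""
    return re.sub(r"\s+", " ", value).strip()

def diff_signed_headers(raw_message):
    """Return (field, value at signing, value as received, listed in h=) per change."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    changes = []
    for name, at_signing in decode_z(tags["z"]):
        got = msg.get(name)  # None when the field is absent after delivery
        if got is None or relaxed(got) != relaxed(at_signing):
            changes.append((name, relaxed(at_signing), got and relaxed(got), name in signed))
    return changes

if __name__ == "__main__":
    for change in diff_signed_headers(SAMPLE):
        print(change)
```

A reported field whose last element is `True` is listed in "h=", so a change to it in transit would account for a failed verification; fields not listed in "h=" are shown for context only.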
