Re: DKIM hardfail (with eg. google or test sites)

From: Matthias Weiss <>
Date: Fri, 15 Mar 2013 16:45:06 +0100

> But something else caught my eye, I set the header fields to be signed in
> opendkim.conf as
> AlwaysSignHeaders To,Subject,MIME-Version,Content-
> Type,Sender,From,Message-Id,Date,Reply-To,List-Unsubscribe
> In the z= header the "Message-Id" and "Sender" fields are missing. Could
> that be a reason?

turned out that this is the reason: I removed Sender and Message-Id from the
AlwaysSignHeaders parameter and now it passes Googles DKIM checks.

Which of course leads me to the question why the message-id and the sender
fields are added to the mail after OpenDKIM signed the mail? I paste here the

AlwaysSignHeaders To,Subject,MIME-Version,Content-Type,From,Date,Reply-
Canonicalization relaxed/relaxed
DomainKeysCompat true
KeyTable refile:/etc/opendkim/key_table
LogWhy yes
PidFile /var/run/opendkim/
Selector mail
SendReports yes
SigningTable refile:/etc/opendkim/signing_table
Socket unix:/var/spool/postfix/milter/opendkim
Statistics /var/lib/opendkim/stats.dat
Syslog yes
SyslogSuccess yes
UMask 007
UserID milter

We're sending out mail with the postfix sendmail command. The test mails I
sent to gmail had the "Sender" field set on the command line.

In our postfix we have:

smtpd_milters = unix:/var/spool/postfix/milter/opendkim

non_smtpd_milters = unix:/var/spool/postfix/milter/opendkim

Does anything catch your eye?

Received on Fri Mar 15 2013 - 15:45:22 PST

This archive was generated by hypermail 2.3.0 : Fri Mar 15 2013 - 15:54:02 PST