Re: DKIM hardfail (with eg. google or test sites)

From: Matthias Weiss
Date: Fri, 15 Mar 2013 19:24:29 +0100

> Chances are this is what's happening:
> 1) you generate a message missing a Sender field (or both) and pass it to
> your MTA
> 2) the message is handed to opendkim for signing as-is
> 3) because you used AlwaysSignHeaders, opendkim includes them in the
> signature anyway, which causes a signature to be generated that will fail
> if someone else adds them
> 4) your MTA then adds the missing fields
> 5) the message arrives at Gmail (or wherever), and the verification fails
> because of the above
> So you could either do what you did and don't force those header field
> names into the signature even if the fields are missing, or change your
> message generator so that it includes them in what's passed to the MTA.
> If you want Sender and Message-ID to be signed if they're present, use
> "SignHeaders" instead of "AlwaysSignHeaders".

Murray, there has to be something else going on. The reason is this, I can
send a test mail via command line like this:

sendmail -f -i -t <<EOF
Subject: Test


That means the "Sender:" field will be part of the message in any case. Still
it's missing in the "z=..." header entry.

So if opendkim will use all header fields that it gets then this means postfix
is not giving opendkim all header fields.
I tried to verify this by switching on verbose logging for the "cleanup" and
"trivial-rewrite" processes of postfix, but I have to admit that I don't see
anything useful in the logs.

If anyone has an idea why postfix is omitting header fields I'd be happy to
hear it. Otherwise I'll ask the postfix guys...

Received on Fri Mar 15 2013 - 18:24:47 PST
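
The failure sequence from the quoted explanation (a header name forced into h= while the field is absent, then added by the MTA after signing), modelled as an added example that is not part of the original thread and is not opendkim's code. It is a simplified model: only the header hash with relaxed canonicalization is computed; the DKIM-Signature field itself, the body hash and the RSA step are left out, and the addresses, Message-ID value and function names are constructed for illustration.

```python
import hashlib

def relaxed(name, value):
    # RFC 6376 "relaxed" header canonicalization: lowercase the name,
    # collapse runs of whitespace in the value, strip both ends.
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def header_hash(headers, h_list):
    """Hash the fields named in h=, picking instances bottom-up.
    A name in h= with no remaining instance contributes nothing,
    which binds the *absence* of that field into the signature."""
    remaining = list(headers)              # (name, value), top to bottom
    digest = hashlib.sha256()
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                digest.update(relaxed(*remaining.pop(i)).encode())
                break
    return digest.hexdigest()

def build_h(headers, sign_headers, always_sign=()):
    # SignHeaders-like behaviour: list a name only if the field is present.
    present = {n.lower() for n, _ in headers}
    h = [n for n in sign_headers if n.lower() in present]
    # AlwaysSignHeaders-like behaviour: list the name even if it is absent.
    listed = {n.lower() for n in h}
    h += [n for n in always_sign if n.lower() not in listed]
    return h

def verifies_after_mta_adds(always_sign):
    # Constructed message as handed to the signer: no Message-ID yet.
    at_signer = [("From", "sender@example.com"), ("Subject", "Test")]
    h = build_h(at_signer, ["From", "Subject", "Message-ID"], always_sign)
    signed_hash = header_hash(at_signer, h)
    # The MTA adds the missing field after signing (constructed value).
    delivered = at_signer + [("Message-ID", "<constructed-1@example.com>")]
    return header_hash(delivered, h) == signed_hash

if __name__ == "__main__":
    print("SignHeaders only:      ", verifies_after_mta_adds(()))
    print("AlwaysSignHeaders used:", verifies_after_mta_adds(["Message-ID"]))
```
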
