opendkim, "insecure key", dnssec lookups?

From: Andreas Olsson <>
Date: Wed, 25 Sep 2013 21:02:05 +0200


I'm setting up a new mail server, where I'm using opendkim to validate
dkim signatures on incoming mail. Noticed something in the added
Authentication-Results header, which made me wonder.

  Authentication-Results:; dkim=pass
          reason="2048-bit key; insecure key"
          dkim-adsp=pass; dkim-atps=neutral

The "insecure key" part being what I'm wondering about.

From what I have understood, that is due to a lack of DNSSEC validation
of the public key?

The thing is that the zone is signed by DNSSEC, and the mail
server in question uses a DNSSEC-capable resolver. If I run the command
below in a shell on the mail server I will get a response including the
ad flag.

  dig +dnssec TXT

Any chance that opendkim for some reason fails to do a DNSSEC lookup due
to some missing library/package? If so, any suggestion on how to debug
that, or what (missing) libraries to look for?

I'm running opendkim 2.6.8, under Debian 7.0.

opendkim is called from postfix, using (non_)smtpd_milters.

In case it matters, I'm attaching below a full example mail.

// Andreas

  Return-Path: <>
  Delivered-To: <>
  Received: from
          by (Dovecot) with LMTP id ybzjCAUvQ1IJbQAAKVq6IQ
          for <>; Wed, 25 Sep 2013 18:44:21 +0000
  Received: from ( [IPv6:2001:ba8:1f1:f1d1::2])
          (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits))
          (No client certificate requested)
          by (Postfix) with ESMTPS id 0B2491E7
          for <>; Wed, 25 Sep 2013 18:44:20 +0000 (UTC)
  Authentication-Results:; dkim=pass
          reason="2048-bit key; insecure key"
          dkim-adsp=pass; dkim-atps=neutral
  Received: by (Postfix, from userid 1000)
          id BBF2A2007F; Wed, 25 Sep 2013 18:44:19 +0000 (UTC)
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
          s=halleck; t=1380134659;
  Subject: dkimtest
  Message-Id: <>
  Date: Wed, 25 Sep 2013 18:44:19 +0000 (UTC)
  From: (Andreas Olsson)
  blah blah

Received on Wed Sep 25 2013 - 19:02:24 PST
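
Added example, not part of the original post: what the "ad" flag in the dig output mentioned above corresponds to on the wire. The sketch builds a TXT query with the EDNS0 DO bit (which is what `dig +dnssec` sets) and reads the AD bit from a response header; the domain `example.org`, the query id and the response bytes are constructed placeholders, and only the selector `halleck` comes from the post.

```python
import struct

FLAG_QR, FLAG_RD = 0x8000, 0x0100
FLAG_AD = 0x0020      # Authentic Data: the resolver says it validated the answer
TYPE_TXT, TYPE_OPT = 16, 41
EDNS_DO = 0x8000      # "DNSSEC OK" bit, carried in the OPT record's TTL field

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qid, do=True):
    """TXT query with an EDNS0 OPT record; do=True sets the DO bit."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL = flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "response": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "answers": an}

def answer_is_validated(msg, qid):
    """True only for a matching, successful, non-empty response with AD set.
    AD is the resolver's claim, so it is only worth trusting when the path to
    the resolver is trusted (for example a validating resolver on localhost)."""
    h = parse_header(msg)
    return (h["response"] and h["id"] == qid and h["rcode"] == 0
            and h["answers"] > 0 and h["ad"])

# Constructed 12-byte response headers (not captured traffic): flags 0x81a0
# has AD set, 0x8180 is the same answer from a non-validating resolver.
QID = 0x1234
WITH_AD = struct.pack("!HHHHHH", QID, 0x81A0, 1, 1, 0, 1)
WITHOUT_AD = struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    query = build_query("halleck._domainkey.example.org", QID)  # placeholder domain
    print(len(query), answer_is_validated(WITH_AD, QID),
          answer_is_validated(WITHOUT_AD, QID))
```

A process only sees AD if the resolver it actually queries validates, so a check like this is meaningful only when run against the same resolver configuration the verifying process uses.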