Re: Who manages the account?

From: Erik Logtenberg <>
Date: Wed, 26 Mar 2014 20:25:25 +0100


Your signature checked out fine:

Authentication-Results:; dkim=pass
        reason="1024-bit key; unprotected key" header.b=rSxxKKaJ;

I also saw the "z=" tag you were talking about. It's quite a big tag.

The signature added by the mailinglist also checks out. It doesn't have
the "z=" tag.

Authentication-Results:; dkim=pass
        reason="1024-bit key; unprotected key"
        header.b=C5A51KxC; dkim-adsp=pass

By the way, I tried the sa-test twice, and got different results:

Authentication-Results:; dkim=neutral
        reason="verification failed; unprotected key/testing" header.b=ArMNgf/0;
        dkim-adsp=none (unprotected policy)

Authentication-Results:; dkim=pass
        reason="1024-bit key; unprotected key/testing" header.b=e1p3zywM;

Indeed sa-test runs an OpenDKIM version that calls itself OpenDKIM Filter:

DKIM-Filter: OpenDKIM Filter v2.8.3 s2LGemhS064713

I am running OpenDKIM 2.9.0 on my mailserver.

Kind regards,


On 03/26/2014 06:17 PM, Murray S. Kucherawy wrote:
> On Tue, 25 Mar 2014, Erik Logtenberg wrote:
>> I did however find that sa-test also uses DKIM to sign their
>> autoresponse message, and according to my mailserver their signature
>> didn't check out. Now I don't know how to manually check a DKIM
>> signature, so I can't figure out if the error is on my side or theirs.
>> Anyway, I don't think you can really configure much about the DKIM
>> checking, apart from enabling or disabling it altogether. So that's
>> what I'd like to ask them.
> They're running a pretty old version of opendkim (back when it was known
> as dkim-filter), so I can explain some stuff.
> Generally speaking the only way to figure out what's breaking a
> signature is to get both sides to capture the exact data they
> signed/verified and compare them. Their code is configured to send you
> that information when your message fails to verify, but when their reply
> fails you don't have that information.
> Their code might also be configured to include in their response
> signature a "z=" tag. You could at least use that to see if the header
> is being changed in a way that breaks the signature, but you wouldn't be
> able to tell if the body changed.
> Let me know if this message's signature verifies. If it doesn't, we can
> start down the debugging path. Note that you will probably get two
> copies, one from the list and one from me directly; check the latter.
> -MSK
Received on Wed Mar 26 2014 - 19:25:38 PST

This archive was generated by hypermail 2.3.0 : Wed Mar 26 2014 - 19:27:02 PST