When TXT selector._domainkey… is missing, OpenDKIM still adds AR-header

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Fri, 01 Feb 2019 20:33:55 +0000


> The DKIM-Signature suggests obtaining the DNS TXT record selector1._domainkey.doccs.ny.gov , but this record does not
> exist, so OpenDKIM cannot validate DKIM-Signature.

Right now DNS TXT selector1._domainkey.doccs.ny.gov does exist. I don’t know what happened earlier; I was not able to
retrieve the record.

In any case, for this simple message:

From: <m2aieium_at_doccs.ny.gov>
Date: Thu, 31 Jan 2019 23:07:10 +0000
Subject: A D K T200
Message-Id: <eaiti2u_at_eiau>
To: ****_at_aegee.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

A B C 99200

DNS TXT selector200._domainkey.doccs.ny.gov does not exist, and on my system OpenDKIM adds:

Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
 reason="key not found in DNS" header.d=doccs.ny.gov header.i=_at_doccs.ny.gov
 header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y

So my assumption that OpenDKIM forgets to insert the AR header when the key is missing from DNS was not verified. Why
there is no AR header from OpenDKIM in your sample I cannot say, but this is significant.

OpenDKIM behaves correctly even if the non-existent domain blub.ny.gov is used.

Received on Fri Feb 01 2019 - 20:34:26 PST
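
Added example, not part of the original message and not OpenDKIM code: a Python check that pairs each DKIM-Signature in a message with a dkim= result in the Authentication-Results headers written by the local verifier, and reports the selector._domainkey names that received none. The sample message is constructed from the headers quoted above, and the function names are hypothetical.

```python
import email
import re

# Constructed sample: d=, s= and the Authentication-Results fields follow the
# message above; the h=, bh= and b= values in DKIM-Signature are placeholders.
SAMPLE = """\
Authentication-Results: mail.aegee.org/x11KMGTC013169; dkim=fail
 reason="key not found in DNS" header.d=doccs.ny.gov header.i=@doccs.ny.gov
 header.a=rsa-sha256 header.s=selector200 header.b=0M3G0N6Y
From: <m2aieium@doccs.ny.gov>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=doccs.ny.gov;
 s=selector200; h=from; bh=PLACEHOLDER; b=0M3G0N6YPLACEHOLDER
"""

def unfold(value):
    return re.sub(r"\r?\n[ \t]+", " ", value)

def key_name(d, s):
    return f"{s}._domainkey.{d}"

def signature_keys(msg):
    """DNS names of the keys referenced by each DKIM-Signature header."""
    keys = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(p.strip().split("=", 1) for p in unfold(sig).split(";") if "=" in p)
        keys.append(key_name(tags.get("d", "").strip(), tags.get("s", "").strip()))
    return keys

def dkim_results(msg, authserv_id):
    """Map key name -> (result, reason) from AR headers written by authserv_id."""
    found = {}
    for ar in msg.get_all("Authentication-Results", []):
        server, _, rest = unfold(ar).partition(";")
        # The header above carries "/x11KMGTC013169" after the host; compare the host part only.
        if server.strip().split("/")[0].lower() != authserv_id.lower():
            continue  # not written by our verifier, so not trusted
        for res in rest.split(";"):  # assumes no ';' inside quoted strings
            m = re.match(r"\s*dkim\s*=\s*(\w+)", res)
            if m:
                p = dict(re.findall(r"header\.(\w)=(\S+)", res))
                reason = re.search(r'reason="([^"]*)"', res)
                found[key_name(p.get("d"), p.get("s"))] = (m.group(1), reason and reason.group(1))
    return found

def audit(raw, authserv_id):
    """Return (results, key names of signatures that got no dkim= result)."""
    msg = email.message_from_string(raw)
    results = dkim_results(msg, authserv_id)
    return results, [k for k in signature_keys(msg) if k not in results]
```

A non-empty second element from audit() marks a signed message that passed through without a verdict from the named verifier, which is the case the thread was trying to reproduce.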
