opendkim – Postfix from rewriting (smtp_generic_maps) + DKIM

We have an SMTP server for the application emails that should do the following:

  1. change “From” for all emails
  2. sign emails with DKIM

I have set up postfix rewriting with smtp_generic.

The default flow is like this:

  1. Email comes to postfix
  2. OpenDKIM will sign it
  3. smtp_generic_maps will change the header
  4. email will be delivered

The problem: with the default setup, smtp_generic_maps will overwrite the DKIM header.

Any suggestions? Examples of how to change the order? master.cf examples are very welcome.
I imagine that one way could be to create separate postfix instances for both tasks:
one that will do the „From“ rewriting (smtp_generic_maps), and a second instance that will add DKIM and send it out.

A similar issue is here, sadly with no examples from the master.cf file ☹

Chook posts: “I solved this problem by using the postfix advanced
filter and adding the opendkim milter on the final phase.”

Postfix generic changes causing DKIM permerror

The configuration is:

main.cf

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

opendkim.conf

PidFile /run/opendkim/opendkim.pid
Mode sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports yes
SoftwareHeader  yes
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits  1024
KeyTable    /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
OversignHeaders From

linux – DKIM Validating Signature, Result = Fail Details: Body Has Been Altered

I have 2 mail servers:
Main Mail Server = Microsoft Exchange Server
Secondary Mail Server = Ubuntu Postfix, used only as an SMTP relay.
The Exchange Server is using the Ubuntu Postfix SMTP as a smarthost,
and the problem is that the Exchange Server needs third-party software to integrate with DKIM.
I used DKIM Exchange (https://github.com/Pro/dkim-exchange) as the third-party software,
following this tutorial: https://colinwilson.uk/2017/07/19/setting-up-dkim-for-exchange-server/
But I got a problem when checking the DKIM signature on https://dkimvalidator.com/.
I got an error like this:

DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;
c=relaxed/relaxed; t=1619877233; h=from:subject:to:date:message-id;
bh=iOObCKJdXN6HiMEEGHi3hTEvUHxZe5CdQrWy7paoGeo=;
b=KHjroY6llEGwgpFXQwvTggVvN8pWkRarZfbxPMWZ3J6axLy7fngoJ7VXA/AJB9sc/N+UasENrvy
nflG8WgnKgN12Bh6VHC0xt/2M7SjtOI9CknSg3Bi0EZsYRqD5JJZqBWobNLV51sYbfT0W7KjdOkQX
i5u1sWfV4qskQKyIl48L3M9ktKyYEpZqlkr/a2iEJfVr+eMVrR8VnCbse/ccpZwEMHA5VtdWGh200
F60MITxLG0lYwZQ//RcOOjX9qTEKDxRdbRnFbvagGO7Co39bSyPw9Co6S7K+BI0tVO8Df9uV2H5ee
NqKQJQDZ50VdZLi8wQwSWCiT7gfukJUUsA1g==

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: example.com s= Selector: default
q= Protocol:
bh= iOObCKJdXN6HiMEEGHi3hTEvUHxZe5CdQrWy7paoGeo=
h= Signed Headers: from:subject:to:date:message-id
b= Data: KHjroY6llEGwgpFXQwvTggVvN8pWkRarZfbxPMWZ3J6axLy7fngoJ7VXA/AJB9sc/N+UasENrvy
nflG8WgnKgN12Bh6VHC0xt/2M7SjtOI9CknSg3Bi0EZsYRqD5JJZqBWobNLV51sYbfT0W7KjdOkQX
i5u1sWfV4qskQKyIl48L3M9ktKyYEpZqlkr/a2iEJfVr+eMVrR8VnCbse/ccpZwEMHA5VtdWGh200
F60MITxLG0lYwZQ//RcOOjX9qTEKDxRdbRnFbvagGO7Co39bSyPw9Co6S7K+BI0tVO8Df9uV2H5ee
NqKQJQDZ50VdZLi8wQwSWCiT7gfukJUUsA1g==

Public Key DNS Lookup
Building DNS Query for default._domainkey.example.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq4UV1gOKAQ+Gr9BmFSrGZbo3ll16g8itrrEwBckyGRYD2g+DKINm5fUYNUxn2bILpeh3AT2gJnbGydQNc7p02Hia1H/jnKDbvTfvnmcUQGHLQGYsnSgIJM3f+B5qrpyjfNufyrSr4L4YCBUr1o0KoN4p2p97iOr+MQiHY4sYIDPAcsaQ4zpAcxDmmSbtXbbBdYileN7Anpkm9ODJtNNNZzxH68jFI7ioVjInX8G1mWLKP4sxPoTa86R5C/zu97a0agXPusrCd1bWGKPxFhCUvJpFzdICUdLsVo9mEwbB12kpGrplYPgOb6B1YKn3iu/XBezv/8EIjG/N7+hAEz9C1wIDAQAB

Validating Signature
Result = fail
Details: body has been altered

Does anyone have the solution for this? The DKIM record is valid but the DKIM signature is failing…
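"Body has been altered" means the validator recomputed the body hash from the body it received and got something other than the bh= value in the signature. The following is an added example (not code from the post or from dkim-exchange) that recomputes bh= under the RFC 6376 relaxed and simple body canonicalizations on constructed sample bodies, so a hop between the signer and the validator can be checked for whitespace-only versus content changes:

```python
import base64
import hashlib
import re

# Added example, not code from the original post: recompute the DKIM body hash
# (bh=) the way a validator does, using RFC 6376 body canonicalization, to tell
# apart harmless whitespace changes from real body modification by a relay.
# All message bodies below are constructed samples.


def canonicalize_body_relaxed(body):
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def canonicalize_body_simple(body):
    """RFC 6376 3.4.3: only trailing empty lines are removed; body always ends in CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"


def body_hash(body, canon="relaxed"):
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag for a=rsa-sha256."""
    data = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def body_hash_matches(body, bh_tag, canon="relaxed"):
    """True when the body as received still hashes to the bh= value in the signature."""
    return body_hash(body, canon) == bh_tag


# Body as the signer saw it (constructed).
SIGNED_BODY = "Hello,\r\n\r\nPlease find the report attached.  \r\nRegards\r\n\r\n\r\n"
BH_AT_SIGNING = body_hash(SIGNED_BODY)
# A relay that only touched whitespace (trailing spaces, trailing blank lines).
WHITESPACE_ONLY = "Hello,\r\n\r\nPlease find the report attached.\r\nRegards\r\n"
# A relay that appended content (disclaimer, footer) after signing.
APPENDED = SIGNED_BODY + "This email was scanned.\r\n"

if __name__ == "__main__":
    print("whitespace-only change still verifies:", body_hash_matches(WHITESPACE_ONLY, BH_AT_SIGNING))
    print("appended footer still verifies:", body_hash_matches(APPENDED, BH_AT_SIGNING))
```

Run it against the body exactly as it left Exchange and as it arrived at the validator; if only the appended-content case fails, the relay (or something on it) is changing the body after signing.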

domain name system – Is it “safe” to remove an old DKIM record?

I have some old DKIM records from when I used a sending service that I no longer use and I’m wondering if it’s safe to remove them.

The last time an email was sent via this service was over a year ago. Is there an acceptable timeframe after which it’s ok to remove these old records, or are signatures likely to be rechecked by Exchange or some other server at a later date?

email – Why is DMARC failing when SPF and DKIM are passing?

This is complicated, so here is a shot at an explanation.

For DMARC to work, you need alignment of either the SPF or DKIM domain with the body From address. There are three places this matters.

  1. The body from address: quickpatents.com (5322.From)
  2. The DKIM domain: email-od.com (d=)
  3. the header.from address: emailcenterpro.com (RFC5321.MailFrom)

how many from addresses are there?

There are two – the message body and the smtp server’s MailFrom address.

See: https://dmarc.org/2016/07/how-many-from-addresses-are-there/

how they all work

You set your “from address” in the message body. In this case it’s you@quickpatents.com.

Right before your SMTP server contacts the remote SMTP server, it signs the message using DKIM, and specifies where the receiving server can find the public key to validate the DKIM. (this is the d= and s= part of the dkim signature).

Then your email service sets the header.from address when it does the backend communication from your SMTP server to the recipient’s SMTP server. There is a whole handshake happening that you don’t need to worry about. (this is where it says the spf and server ip address).

an aside

It’s amazing that you can legally send email with a made up body from address, any smtp spf address, and any dkim signature. Without aligning them, they are nearly pointless for email. There is a ton of machine learning to figure out which SMTP servers to trust, and which dkim domain signatures to trust.

looking at the dmarc

jon$ dig _dmarc.quickpatents.com txt +short
"v=DMARC1;p=none;pct=100;rua=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,mailto:kevin@quickpatents.com;ruf=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,mailto:kevin@quickpatents.com"

This says that there is no policy specified. Have a look here:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

looking at the dkim

It’s looking up the signature and verifying against the dns entry.

jon$ dig dkim._domainkey.email-od.com txt +short
"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzpFrEAH9dbkLukLvwesHGWRDc+JCBkvzQYTpptOR+uz4brRd1V8VDPHPpQH7wRvNMhVh/LhTkPMBXtpJjeedqU2rfDlH8y81O+VweutuI4AHOfBL4PJSHNxZ1Qbw7D3+080AsoDXqphbSZXfi9wnSP5X5bcocLqW+1MwNq854wIDAQAB"

You need to host a dkim key at your domain quickpatents.com and point AWS to use it. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html

looking at the spf, these are the records looked up:

jon$ dig emailcenterpro.com txt +short
"v=spf1 include:email-od.com ~all"
jon$ dig email-od.com txt +short
"v=spf1 ip4:142.0.176.0/20 ip4:204.232.162.112/28 ip4:204.232.180.112/29 ip4:204.232.180.128/29 ip4:69.20.119.216/29 ip4:76.12.109.192/27 ip4:67.59.141.128/28 ip4:209.41.176.224/28 ip4:69.48.230.0/25 ~all"

The first ip4 is a mask that includes the smtp server ip address of 142.0.177.43, which is why SMTP passed.

You need to configure AWS to send a custom header.from that matches your sending domain; for example, set up a header that maps .quickpatents.com to the AWS SMTP servers – see here for details: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html

Once they are all the same domain, dmarc will work.
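The alignment rule the answer describes, as an added example (not code from the answer or from AWS): it parses the DMARC record shown above and checks the three identifiers against RFC5322.From under relaxed or strict alignment. org_domain() approximates the organizational domain with the last two labels rather than the Public Suffix List, which is an assumption of this example.

```python
# Added example, not code from the original answer: parse the DMARC record shown
# above and apply the identifier-alignment rules of RFC 7489 section 3.1 to the
# three identifiers the answer lists (RFC5322.From domain, DKIM d= domain, SMTP
# MailFrom domain). org_domain() is a simplification that takes the last two
# labels; RFC 7489 uses the Public Suffix List, so treat it as an assumption.

def parse_dmarc_record(txt):
    """Turn 'v=DMARC1;p=none;...' (optionally dig-quoted) into a tag -> value dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r', the default) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record, header_from, dkim_d, dkim_pass, mail_from, spf_pass):
    """DMARC passes when at least one *authenticated* identifier also aligns with RFC5322.From."""
    dkim_ok = bool(dkim_pass and dkim_d and aligned(dkim_d, header_from, record.get("adkim", "r")))
    spf_ok = bool(spf_pass and mail_from and aligned(mail_from, header_from, record.get("aspf", "r")))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail", "policy": record["p"]}

# The record and identifiers quoted in the answer.
RECORD = parse_dmarc_record(
    '"v=DMARC1;p=none;pct=100;rua=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,'
    'mailto:kevin@quickpatents.com;ruf=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,'
    'mailto:kevin@quickpatents.com"')
# As sent: SPF and DKIM both pass, but neither domain is quickpatents.com.
AS_SENT = dmarc_result(RECORD, "quickpatents.com", "email-od.com", True, "emailcenterpro.com", True)
# After a DKIM key is hosted at quickpatents.com and the sender signs with d=quickpatents.com.
AFTER_DKIM_FIX = dmarc_result(RECORD, "quickpatents.com", "quickpatents.com", True, "emailcenterpro.com", True)

if __name__ == "__main__":
    print("as sent:", AS_SENT)
    print("after DKIM fix:", AFTER_DKIM_FIX)
```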

email server – DKIM failure on postfix

I’m configuring DKIM to sign multiple domains with the same key on Postfix. I followed this tutorial: https://shankerbalan.net/blog/signing-multiple-domains-with-the-same-opendkim-key/
with s=mail, d=senderServer.com.
This is the SigningTable:
* mail._domainkey.senderServer.com
This is the KeyTable:
mail._domainkey.senderServer.com %:mail:/etc/opendkim/keys/default.private

My TXT DNS record is on the main domain (the server domain name), here senderServer.com. It works great when I send an email from senderServer.com using my FROM address anything@senderServer.com.

The problem is with other domains using my Postfix server: when I send an email using my FROM address anything@otherDomain.com (I configured DKIM, DMARC and SPF on otherDomain’s DNS zone),
the DKIM signature is added, but using otherDomain as the domain value tag, and the DKIM signature fails only on outlook.fr: dkim=fail (signature did not verify).
But it passes on Gmail (DKIM: PASS), and on mail-tester.com I get 10/10.

Email – What is the appropriate DMARC configuration for a domain that should work hard under DKIM but not work under SPF?

Messages sent from my domain are always DKIM signed and all non-messages should be immediately discarded by the recipients. However, strict enforcement of the SPF leads to problems where internal rules for forwarding emails and other implementation details lead to incorrect errors. What is a suitable constellation of SPF, DKIM and DMARC data sets to cause receiving systems to treat DKIM errors as absolute "stop delivery, it is surely spam", but SPF only as a hint?

SPF and DKIM targeting fail on some large batch emails

We send a large number of emails (hundreds of thousands) mainly for our customers. Of course, we have properly configured SPF, DKIM, and DMARC records for all domains that use us. We pass all tests with various SPF and DKIM validators, and the vast majority of emails are delivered without problems.

The problem is that there are some emails in almost every delivery where we get a DMARC error report for no apparent reason.

(DMARC aggregate report as posted; the XML tags were lost in extraction and only the values survive, in document order)

1.0
blabla.com
info@blabla.com
09b93d$7b9b58f=0f6353445e3e471f@ceps.cz
1587247202
1587333603
issue.com
r
r
none
none 100
123.456.789.101 1 none pass fail blabla.com sender.com blabla.com k1 pass sender.com mfrom pass

This happens only with very few emails, say 1%. Most emails go through.
Any experience with it?
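A DMARC aggregate report states two different things per row: whether SPF/DKIM authenticated some domain (auth_results) and whether that domain aligned with the From domain (policy_evaluated). Here is an added example (not code from the post) that walks a report in the RFC 7489 Appendix C format and separates the two; the report it parses is a constructed sample with placeholder domains and a TEST-NET address, not the report above.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the original post. For each <record> of a DMARC
# aggregate report (RFC 7489 Appendix C schema) it separates what a report says
# twice: whether SPF/DKIM authenticated some domain (auth_results) and whether
# that domain aligned with the From domain (policy_evaluated). The report below
# is a constructed sample with placeholder domains and a TEST-NET address.

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><scope>mfrom</scope><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def _passed(rec, kind):
    """Domains for which auth_results/<kind> (spf or dkim) reports result=pass."""
    return [e.findtext("domain") for e in rec.findall("auth_results/" + kind)
            if e.findtext("result") == "pass"]


def summarize_rows(xml_text):
    """One dict per <record>: who authenticated, and whether the result aligned."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_authenticated": _passed(rec, "spf"),    # domains SPF passed for
            "dkim_authenticated": _passed(rec, "dkim"),  # domains DKIM passed for
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
        })
    return rows


def spf_authenticated_but_misaligned(rows):
    """Rows where SPF passed for a domain that did not align with the From domain."""
    return [r for r in rows if r["spf_authenticated"] and not r["spf_aligned"]]
```

Feed it the report files from the rua= mailbox and look at the rows it returns; a row in spf_authenticated_but_misaligned() with dkim_aligned True still passes DMARC, so the policy result and the per-mechanism results must be read together.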