report from google relate to failed dkim


Poliman - Serwis
Yesterday I configured SPF, DKIM and DMARC for example.com. Today I got a report in XML in my mailbox (attached). One of the addresses has DKIM failed, marked in orange. What does that mean and how do I fix it? I use Ubuntu 16.04 LTS and Postfix:

root@s1:~# postconf | grep version
disable_mime_output_conversion = no
mail_version = 3.1.0

--
Pozdrawiam / Best Regards
Piotr Bracha


Re: report from google relate to failed dkim

Dominic Raferd
On 27 December 2017 at 07:22, Poliman - Serwis <[hidden email]> wrote:
> I configured yesterday spf, dkim, dmarc for example.com. Today I got report
> in xml on my mailbox. Attached. One from addresses has dkim failed - marked
> in orange...

This is a DMARC report from Gmail and so a more appropriate place to
ask about it is the opendmarc mailing list
http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
google link within the report that you attached gives a bit more
information. The report says that Gmail received one email purporting
to be from your domain, it passed the spf test and failed the dkim
test. If you are confident that this was a legitimate email (it came
from or via 200.150.100.50, unless you obfuscated this), then either
there is a problem with your dkim setup or this email bypassed it
entirely.

DMARC reports from mail providers are very useful in checking for
problems with spf/dkim/dmarc before one moves to p=reject. Consider
using one of the services that receive and collate these reports for
you, it makes them easier to understand.

Re: report from google relate to failed dkim

lists@lazygranch.com
On Wed, 27 Dec 2017 09:37:24 +0000
Dominic Raferd <[hidden email]> wrote:

> On 27 December 2017 at 07:22, Poliman - Serwis <[hidden email]>
> wrote:
> > I configured yesterday spf, dkim, dmarc for example.com. Today I
> > got report in xml on my mailbox. Attached. One from addresses has
> > dkim failed - marked in orange...  
>
> This is a DMARC report from Gmail and so a more appropriate place to
> ask about it is the opendmarc mailing list
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
> google link within the report that you attached gives a bit more
> information. The report says that Gmail received one email purporting
> to be from your domain, it passed the spf test and failed the dkim
> test. If you are confident that this was a legitimate email (it came
> from or via 200.150.100.50, unless you obfuscated this), then either
> there is a problem with your dkim setup or this email bypassed it
> entirely.
>
> DMARC reports from mail providers are very useful in checking for
> problems with spf/dkim/dmarc before one moves to p=reject. Consider
> using one of the services that receive and collate these reports for
> you, it makes them easier to understand.

I decided not to set up DMARC on my new server since the logs are
pretty overwhelming. What service would you suggest?

BTW the OP should use this to verify the setup:
http://dkimvalidator.com/

There are a bunch of similar services, but I like the output on this
one.

I had some spammer try to spoof my email address and got a bounced
message because they used my email address in the return. That was
an SPF rejection, but still nice to see the system working.
 


Re: report from google relate to failed dkim

Juri Haberland
In reply to this post by Poliman - Serwis
On 27.12.2017 08:22, Poliman - Serwis wrote:
> I configured yesterday spf, dkim, dmarc for example.com. Today I got report
> in xml on my mailbox. Attached. One from addresses has dkim failed - marked
> in orange. What that means and how to fix it? I use ubuntu 16.04 lts and
> postfix:

Judging from the Google DMARC report I'd say that the server at
200.150.100.50 does not add a DKIM signature to the outgoing mails - you need
to fix this.


 Juri

Re: report from google relate to failed dkim

Dominic Raferd
In reply to this post by lists@lazygranch.com
On 27 December 2017 at 10:06, [hidden email] <[hidden email]> wrote:
> On Wed, 27 Dec 2017 09:37:24 +0000
> Dominic Raferd <[hidden email]> wrote:
>> ... DMARC reports from mail providers are very useful in checking for
>> problems with spf/dkim/dmarc before one moves to p=reject. Consider
>> using one of the services that receive and collate these reports for
>> you, it makes them easier to understand.
>
> I decided not to set up DMARC on my new server since the logs are
> pretty overwhelming. What service would you suggest?

I currently use http://dmarc.postmarkapp.com/ - you receive weekly
emails summarising the data, and it's free.

Re: report from google relate to failed dkim

Poliman - Serwis
In reply to this post by Dominic Raferd
All is clear, but how do I set up DMARC per IP address of the server if DMARC is based on SPF and DKIM, which are based on a particular domain?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: report from google relate to failed dkim

Poliman - Serwis
For the particular domain from the report, DKIM works well. I checked it here: http://dkimcore.org/c/keycheck. Mails from this domain are sent by the s1.domain.net server. Should DKIM be configured for the domain name of the server which corresponds to the IP mentioned earlier?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: report from google relate to failed dkim

Dominic Raferd
Please bottom post on this list (and see below)

On 28 December 2017 at 07:05, Poliman - Serwis <[hidden email]> wrote:

> For particular domain from report dkim works well. I checked it here
> http://dkimcore.org/c/keycheck. Mails from this domain are sent by
> s1.domain.net server. Should be dkim configured for domain name of the
> server which corresponds to IP mentioned earlier?
>
> 2017-12-28 7:46 GMT+01:00 Poliman - Serwis <[hidden email]>:
>>
>> All is clear but how setup dmarc per IP address of the server if dmarc is
>> based on spf and dkim which are based on particular domain?
>>
>> 2017-12-27 10:37 GMT+01:00 Dominic Raferd <[hidden email]>:
>>>
>>> On 27 December 2017 at 07:22, Poliman - Serwis <[hidden email]> wrote:
>>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
>>> > report
>>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
>>> > marked
>>> > in orange...

Setting spf should not be necessary if you are setting a dkim header
correctly in all the outgoing emails for the domain in question.
Indeed I would go further and say that setting an spf DNS record for
your domain is inadvisable when testing dmarc because it can mask
underlying dkim problems.

In order to pass dmarc alignment testing, opendkim needs to insert
into the outgoing email a dkim header with a signing domain (d=)
matching the domain in the internal 'From:' header. The server name or
ip that it has come from is irrelevant for dkim.

If your mail passes dkim check-summing and dkim alignment when tested
at its destination for dmarc, it will pass overall regardless of any
spf (and vice versa).
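
Added example (not part of the thread and not any poster's code): a Python sketch that reads a DMARC aggregate report and, for each source IP, separates the three reasons an aligned-DKIM result can be "fail": no signature reported, a valid signature whose d= is not the From: domain, or a signature that did not verify. The XML is a constructed sample in the RFC 7489 layout; example.com, s1.domain.net and 200.150.100.50 come from the thread, while the 192.0.2.x addresses and the category names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not the poster's attachment).
SAMPLE = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>200.150.100.50</source_ip><count>1</count>
 <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>s1.domain.net</domain><result>pass</result></dkim>
 <spf><domain>s1.domain.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>2</count>
 <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
 <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def diagnose(record):
    """Explain one <record>'s aligned-DKIM verdict using its raw auth_results."""
    if record.findtext("row/policy_evaluated/dkim") == "pass":
        return "ok"
    signatures = [(s.findtext("domain"), s.findtext("result"))
                  for s in record.findall("auth_results/dkim")]
    if not signatures:
        return "unsigned"    # receiver reported no DKIM signature at all
    if any(result == "pass" for _, result in signatures):
        return "unaligned"   # signature verified, but its d= is not the From: domain
    return "invalid"         # a signature was present but did not verify

def summarize(xml_text):
    """Return one dict per record: source IP, From: domain, DMARC outcome, DKIM diagnosis."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "from": rec.findtext("identifiers/header_from"),
                     "count": int(rec.findtext("row/count")),
                     "dmarc": "pass" if dmarc_pass else "fail",
                     "dkim": diagnose(rec)})
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The report is keyed by source IP because that is what the receiver observed on the connection; the DKIM and SPF domains appear separately under auth_results.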

Re: report from google relate to failed dkim

Poliman - Serwis
But the "signing domain" and the domain in "From" will never match. The server has its own domain, s1.domain.net. A few websites are hosted on this server. These have different domains than the server FQDN. In the report from Google I see a fail in the DKIM row, but for the IP of the server. I don't know why there is an IP and not the FQDN.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: report from google relate to failed dkim

Dominic Raferd
You are still top-posting please don't... See bottom for my reply...

On 29 December 2017 at 06:21, Poliman - Serwis <[hidden email]> wrote:

> But "signing domain" and domain in "From" will never be matched. Server has
> own domain s1.domain.net. On this server are hosted few websites. These have
> another domains than the server fqdn. In report from google I see fail in
> dkim row but for IP of the server. I don't know why there is IP not fqdn.
>
> 2017-12-28 8:44 GMT+01:00 Dominic Raferd <[hidden email]>:
>>
>> Please bottom post on this list (and see below)
>>
>> On 28 December 2017 at 07:05, Poliman - Serwis <[hidden email]> wrote:
>> > For particular domain from report dkim works well. I checked it here
>> > http://dkimcore.org/c/keycheck. Mails from this domain are sent by
>> > s1.domain.net server. Should be dkim configured for domain name of the
>> > server which corresponds to IP mentioned earlier?
>> >
>> > 2017-12-28 7:46 GMT+01:00 Poliman - Serwis <[hidden email]>:
>> >>
>> >> All is clear but how setup dmarc per IP address of the server if dmarc
>> >> is
>> >> based on spf and dkim which are based on particular domain?
>> >>
>> >> 2017-12-27 10:37 GMT+01:00 Dominic Raferd <[hidden email]>:
>> >>>
>> >>> On 27 December 2017 at 07:22, Poliman - Serwis <[hidden email]>
>> >>> wrote:
>> >>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
>> >>> > report
>> >>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
>> >>> > marked
>> >>> > in orange...
>>
>> Setting spf should not be necessary if you are setting a dkim header
>> correctly in all the outgoing emails for the domain in question.
>> Indeed I would go further and say that setting an spf DNS record for
>> your domain is inadvisable when testing dmarc because it can mask
>> underlying dkim problems.
>>
>> In order to pass dmarc alignment testing, opendkim needs to insert
>> into the outgoing email a dkim header with a signing domain (d=)
>> matching the domain in the internal 'From:' header. The server name or
>> ip that it has come from is irrelevant for dkim.
>>
>> If your mail passes dkim check-summing and dkim alignment when tested
>> at its destination for dmarc, it will pass overall regardless of any
>> spf (and vice versa).

There is no connection between ip/fqdn of the server and the signing
domain for DKIM - see man opendkim. You set all the domains for which
you want emails signed rather than verified in the 'Domain' setting in
/etc/opendkim.conf e.g.

Domain mydomain1.tld,mydomain2.tld,mydomain3.tld

Use KeyFile to give the location of the file containing the private
key to be used with all domains - and the matching public key must be
published in their DNS.

If you want to have different keys for different domains, use
KeyTable/SigningTable rather than Domain/KeyFile - I haven't tried
this. Refer to man opendkim.conf for more information.

(Apologies to anyone who feels that the postfix mailing list is not
the appropriate place to try to answer (or ask) these questions, there
doesn't seem to be an opendkim mailing list...)