I think the cause of this is due to wildcards. To protect your domain from a crook who spoofs subdomains, you simply put a wildcard, so for example *.sebbe.eu is an SPF record. You can also extend this to *.*.sebbe.eu and so on. And if the wildcard matches, you will get a "spurious" SPF record with your DKIM lookup.
So any record that doesn't start with "v=DKIM1" should always be skipped! However, a record that does start with v=DKIM1 but contains syntactically invalid data should of course be regarded as invalid.

I did an attempt and it seems that the DNS server fohrmann.com responds identically to everything, basically a "catchall" DNS server. I did the following:

root@linuxlite-desktop:/var/log/exim4# dig +short AAAA has.this.server.wildcarded.everything.fohrmann.com
2a00:1158:1000:407::cd
root@linuxlite-desktop:/var/log/exim4# dig +short A has.this.server.wildcarded.everything.fohrmann.com
134.119.2.205
root@linuxlite-desktop:/var/log/exim4# dig +short TXT has.this.server.wildcarded.everything.fohrmann.com
"v=spf1 mx a include:spf.nl2go.com -all"
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+IpdHMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uabRYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBcFZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
root@linuxlite-desktop:/var/log/exim4#

2017-12-03 8:45 GMT+01:00 Torsten Tributh via Exim-users <[email protected]>:
> Hi,
> in the last weeks, I see an increasing amount of DKIM errors,
> mentioning a (pubkey_dns_syntax) error.
>
> Here is just a single sample:
> 2017-12-02 20:10:15.090 [23827] 1eLDB0-0006CJ-W4 DKIM: d=fohrmann.com
> s=newsletter2go c=simple/simple a=rsa-sha256 b=1024 [invalid - syntax
> error in public key record]
>
> When checking the DKIM-key by hand:
>
> dig +short TXT newsletter2go._domainkey.fohrmann.com
> "v=spf1 mx a include:spf.nl2go.com -all"
> "v=DKIM1; k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+IpdHMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uabRYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBcFZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
>
> it turned out that there is, beside the DKIM-key, an extra SPF-record.
> Could that be the reason for the "(pubkey_dns_syntax)" in the log?
> When I look "only" at the DKIM-key it looks correct.
>
> Is that an error, getting confused from extra DNS settings in DKIM-Key
> checking, or should we blame the persons who start to put
> SPF-records in unusual places?
>
> Kind regards Torsten
>
>
> --
> Torsten
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
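
The selection rule proposed in the message above, as an added example (not part of the original post and not Exim's code): TXT strings that do not start with v=DKIM1 are skipped, and one that does but fails to parse is reported as invalid. The function names are hypothetical, and the sample key is a constructed placeholder rather than the key from the dig output.

```python
import base64

# Constructed sample: the SPF string from the dig output above, plus a DKIM
# record whose p= value is a placeholder (valid base64, not a real key).
PLACEHOLDER_KEY = b"placeholder-key-bytes"
SAMPLE_RRSET = [
    "v=spf1 mx a include:spf.nl2go.com -all",
    "v=DKIM1; k=rsa; p=" + base64.b64encode(PLACEHOLDER_KEY).decode() + ";",
]


def parse_tags(record):
    """Parse 'tag=value; tag=value'. Raises ValueError on malformed input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # empty segment, e.g. after a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"bad or duplicate tag: {part!r}")
        tags[name] = "".join(value.split())  # drop whitespace inside the value
    return tags


def select_dkim_keys(txt_records):
    """Classify every TXT string returned for <selector>._domainkey.<domain>.

    Returns (keys, invalid, skipped): decoded public keys, (record, reason)
    pairs for broken DKIM records, and records that are not DKIM at all.
    """
    keys, invalid, skipped = [], [], []
    for rec in txt_records:
        first_tag = "".join(rec.split(";", 1)[0].split())
        if first_tag != "v=DKIM1":
            skipped.append(rec)  # SPF or other wildcard answer: ignore it
            continue
        try:
            tags = parse_tags(rec)
            if "p" not in tags:
                raise ValueError("missing p= tag")
            # validate=True rejects characters outside the base64 alphabet
            keys.append(base64.b64decode(tags["p"], validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            invalid.append((rec, str(exc)))
    return keys, invalid, skipped
```

With this rule the wildcard SPF string lands in `skipped` and no longer turns a correct key record into a syntax error.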
