[pfx] Re: What does dkim=pass (2048-bit key; unprotected) mean?

Waldo Nell via Postfix-users Sat, 08 Mar 2025 12:13:33 -0800

dig +dnssec any hs1._domainkey.transactional.hubspotemail.net 
<http://domainkey.transactional.hubspotemail.net/>


Produces:

;; ANSWER SECTION:
hs1._domainkey.transactional.hubspotemail.net. 1800 IN TXT 
"k=rsa;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0DwbY9ubc2mwnm+Tam8icCWOM8C8kka4TRUUkngYipA2TYGo1cPCBijLbHdn8JUhcOUwaYDhAfIRWg13hyH97OxBji866nkBvzR7L+MuATa3+rInWblj2YfwNHli0Gy43J6sMg3f1OZBy1dzDchWORe4RRPeVAQDnJbI04XLzF5d2yNFB2NiIbA8eJMGJJuoQUep"
 
"TLK3kc6WQqeh8+WLLdTZqyvFpIfM9UBOUtdu2D3mjNvVFfRDC/4n1X/koZZDgnEv3HW16iKbUmDZ2ohvaM/PaQQgHCcYS+/86Mb3ZaiqJiMgFKPqD2skyLdepdoeoBTLYZqBgCF0LWhHGHeTQIDAQAB"

hs1._domainkey.transactional.hubspotemail.net. 1800 IN RRSIG TXT 13 5 1800 
20250309211154 20250307191154 34505 hubspotemail.net. 
5WQcmQ1wGZiUfqG/HdIOs7mQlaF0EU2XwTECJJYXJ4eIhNKGmkNA/hxQ 
rZtYbERU0lh4wDBPGaceBYj8qBruUw==

So that is then why I get  secure below:

dkim=pass (2048-bit key; secure) header.d=DOMAIN2 header.i=@DOMAIN2 
header.a=rsa-sha256 header.s=hs1 header.b=IrJ0eBW4;

given DOMAIN2 = transactional.hubspotemail.net 
<http://transactional.hubspotemail.net/>


My DOMAIN3 is DNSSEC signed, but like you said it is a CNAME to HubSpot:

DOMAIN3.hs01b.dkim.hubspotemail.net.

And that is just a TXT record with no RRSIG:

dig +dnssec txt DOMAIN3.hs01b.dkim.hubspotemail.net.

DOMAIN3.hs01b.dkim.hubspotemail.net. 1624 IN TXT        "k=rsa;t=s;p=XXXXXXXXXX"

Thanks for the explanation.  It makes sense now.

- Waldo

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: What does dkim=pass (2048-bit key; unprotected) mean?

Reply via email to