Nothing’s jumping out to me in your test message, other than that the mime-version header field is missing, but that’s legal.
I might suggest trying the “Develop” branch of OpenDKIM from git, as there are some changes in that which *may* fix things, or at least…give something to compare. The ecosystem of OpenDKIM right now is that a lot of maintainers are cherry-picking their patches and the project needs love.

I might also suggest setting spamassassin to validate the DKIM signatures directly, just as a diagnostic — while it’s possible that something’s folding your headers in a weird way, I’d love to see that comparison.

The world really needs some tool where you can capture your single message to a .mbox file and upload it for testing. Also, OpenDKIM needs to be able to log at the very least, the computed bh of a message just so you can eliminate a body mod as a reason for a sigfail.

-Dan

> On May 8, 2025, at 13:06, Ken Biggs via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> OpenDKIM is failing signature verification on most incoming emails. Out of
> 1,146 incoming emails, 173 have been successfully verified and 973 have "bad
> signature data". The failing emails include email from google, amazon,
> sailthru, and many other reasonably technically capable firms that I would
> expect to verify successfully. I have tested DNS lookups and have found no
> issues with querying for the DKIM record. I have researched for hours trying
> to find something helpful, but the few posts that aren't specifically dealing
> with signing emails don't seem to address the issues I'm seeing. BTW ...
> outgoing emails are signed properly and passing DKIM validation.
>
> I'm running:
> Rocky Linux release 9.5
> Postfix 3.5.25
> OpenDKIM 2.11.0-0.34
> OpenDMARC 1.4.2-22
> SpamAssassin 3.4.6-5
>
> main.cf has the following milter declarations:
> milter_default_action = accept
> milter_protocol = 6
> smtpd_milters =
> inet:127.0.0.1:8891,inet:127.0.0.1:8893,unix:/run/spamass-milter/spamass-milter.sock
> non_smtpd_milters = $smtpd_milters
>
> master.cf has:
> policyd-spf unix - n n - 0 spawn
> user=policyd-spf argv=/usr/libexec/postfix/policyd-sp
>
> I currently have opendmarc config RejectFailures set to false due to this
> issue. I would like to set it back to true.
>
> Here is an example DKIM failure from the maillog:
> May 8 14:40:44 primary postfix/smtpd[672210]: connect from
> maile-af.linkedin.com[108.174.3.198]
> May 8 14:40:45 primary postfix/smtpd[672210]: Anonymous TLS connection
> established from maile-af.linkedin.com[108.174.3.198]: TLSv1.2 with cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> May 8 14:40:45 primary policyd-spf[672216]: spfcheck: pyspf result:
> "['Pass', 'sender SPF authorized', 'helo']"
> May 8 14:40:45 primary policyd-spf[672216]: Pass; identity=helo;
> client-ip=108.174.3.198; helo=maile-af.linkedin.com;
> envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
> receiver=<UNKNOWN>
> May 8 14:40:45 primary policyd-spf[672216]: spfcheck: pyspf result:
> "['Pass', 'sender SPF authorized', 'mailfrom']"
> May 8 14:40:45 primary policyd-spf[672216]: Pass; identity=mailfrom;
> client-ip=108.174.3.198; helo=maile-af.linkedin.com;
> envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
> receiver=<UNKNOWN>
> May 8 14:40:45 primary policyd-spf[672216]: prepend Received-SPF: Pass
> (mailfrom) identity=mailfrom; client-ip=108.174.3.198;
> helo=maile-af.linkedin.com;
> envelope-from=s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com;
> receiver=<UNKNOWN>
> May 8 14:40:45 primary postfix/smtpd[672210]: 603932014E:
> client=maile-af.linkedin.com[108.174.3.198]
> May 8 14:40:45 primary postfix/cleanup[672217]: 603932014E:
> message-id=<1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com>
> May 8 14:40:45 primary opendkim[671562]: 603932014E: maile-af.linkedin.com
> [108.174.3.198] not internal
> May 8 14:40:45 primary opendkim[671562]: 603932014E: not authenticated
> May 8 14:40:45 primary opendkim[671562]: 603932014E: message has signatures
> from maile.linkedin.com, linkedin.com
> May 8 14:40:45 primary opendkim[671562]: 603932014E: signature=hpodGVG7
> domain=maile.linkedin.com selector=d2048-202308-0e result="signature
> verification failed"; signature=c7qBDZxE domain=linkedin.com
> selector=d2048-202308-00 result="signature verification failed"
> May 8 14:40:45 primary opendkim[671562]: 603932014E: bad signature data
> May 8 14:40:45 primary opendmarc[754]: 603932014E: linkedin.com fail
> May 8 14:40:45 primary spamd[547780]: spamd: connection from ::1 [::1]:48946
> to port 783, fd 5
> May 8 14:40:45 primary spamd[547780]: spamd: setuid to sa-milt succeeded
> May 8 14:40:45 primary spamd[547780]: spamd: processing message
> <1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com> for
> sa-milt:988
> May 8 14:40:46 primary spamd[547780]: spamd: clean message (-0.9/5.0) for
> sa-milt:988 in 0.4 seconds, 87062 bytes.
> May 8 14:40:46 primary spamd[547780]: spamd: result: . 0 -
> DKIM_ADSP_ALL,DKIM_INVALID,DKIM_SIGNED,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDIT
> Y_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS,SPF_PASS
> scantime=0.4,size=87062,user=sa-milt,uid=988,required_score=5.0,rhost=::1,raddr=::1,rport=48946,mid=<1082066601.9633899.1746733244...@ltx1-app67844.prod.linkedin.com>,aut
> olearn=ham autolearn_force=no
> May 8 14:40:46 primary postfix/qmgr[671668]: 603932014E:
> from=<s-2kgdgjrbd5fxo2yedmgwvt5lispoakbzohsqk7jiokpemk84raucs...@bounce.linkedin.com>,
> size=86355, nrcpt=1 (queue active)
> May 8 14:40:46 primary postfix/local[672219]: 603932014E: to=<y...@xxx.com>,
> orig_to=<x...@xxx.com>, relay=local, delay=0.88, delays=0.88/0/0/0,
> dsn=2.0.0, status=sent (delivered to mailbox)
> May 8 14:40:46 primary postfix/qmgr[671668]: 603932014E: removed
>
> Here are example headers from an email that failed:
>
>
> Return-Path:
> <delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com>
> X-Original-To: x...@xxx.com
> Delivered-To: y...@xxx.com
> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.64.236.197;
> helo=mta236-197.sailthru.com;
> envelope-from=delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com;
> receiver=<UNKNOWN> DMARC-Filter: OpenDMARC Filter v1.4.2 xxx.xxx.com
> C93372014E
> Authentication-Results: OpenDMARC; dmarc=fail (p=quarantine dis=none)
> header.from=seekingalpha.com
> DKIM-Filter: OpenDKIM Filter v2.11.0 xxx.xxx.com C93372014E
> Authentication-Results: xxx.xxx.com;
> dkim=fail reason="signature verification failed" (1024-bit key, unprotected)
> header.d=seekingalpha.com header.i=acco...@seekingalpha.com
> header.a=rsa-sha256 header.s=sailthru header.b=TPGE51O3
> Received: from mta236-197.sailthru.com (mta236-197.sailthru.com
> [192.64.236.197])
> (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
> (No client certificate requested)
> by xxx.xxx.com (Postfix) with ESMTPS id C93372014E
> for <x...@xxx.com>; Thu, 8 May 2025 14:58:21 -0500 (CDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=sailthru;
> d=seekingalpha.com;
> h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
> List-Unsubscribe-Post:List-Unsubscribe; i=acco...@seekingalpha.com;
> bh=FCQykKB53iTKMbiQdQIBzJJvCkiK62WqM9lvqYBuXiM=;
> b=TPGE51O33zqGWAvJNIIERbISsEQpXrB7745+sSy6Sq7ffVlQWE1iIklbwbw6DpM/jiNHN7+43iMw
> Ml6ciI9zHHVwHyKYw87syYir9iTPdPkt32EHJSWJ9Qwhf728j18JZQYIF99GbdQO7f8nv4i45H9m
> 3rh/kuJ2he9/dAB5UpI=
> Received: from aws1-mta-relay2.sailthru.cloud (10.55.73.49) by
> pmta39.sailthru.com id h3k6do3791s5 for <x...@xxx.com>; Thu, 8 May 2025
> 14:58:20 -0500 (envelope-from
> <delivery_20250508155820.39786194.374...@bouncest.seekingalpha.com>)
> Date: Thu, 8 May 2025 15:58:20 -0400 (EDT)
> From: Must Reads <acco...@seekingalpha.com>
> Reply-To: mustre...@seekingalpha.com
> To: x...@xxx.com
> Message-ID: <20250508155820.39786194.374...@sailthru.com>
> Subject: Must Reads: Build A 12%+ Yield On Cost By 2035 With May's Top 10
> High-Yield Picks
> Content-Type: multipart/alternative;
> boundary="----=_Part_75818925_56239244.1746734300700"
> Precedence: bulk
> x-job: 9033-39786194-20250508
> X-Feedback-ID: 9033:39786194:campaign:sailthru
> X-TM-ID: 20250508155820.39786194.374146
> X-Info: Message sent by sailthru.com customer Seeking Alpha
> X-Info: We do not permit unsolicited commercial email
> X-Info: Please report abuse by forwarding complete headers to
> X-Info: ab...@sailthru.com
> X-JMailer: aws-campaign-mailer-24.sailthru.cloud
> List-Unsubscribe-Post: List-Unsubscribe=One-Click
> X-Unsubscribe-Web:
> https://email-st.seekingalpha.com/oc/60abf181ef8c55711e279b55nor82.80oy/5eec21d4
> List-Unsubscribe:
> <https://email-st.seekingalpha.com/oc/60abf181ef8c55711e279b55nor82.80oy/5eec21d4>,<mailto:unsubscribe_20250508155820.39786194.374...@mx.sailthru.com>
> X-rpcampaign: stnjl39786194
> X-Spam-Status: No, score=1.2 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
> HTML_IMAGE_RATIO_08,HTML_MESSAGE,INVESTMENT_ADVICE,
> MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
> MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,RCVD_IN_VALIDITY_RPBL_BLOCKED,
> RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED
> autolearn=no autolearn_force=no version=3.4.6
> X-Spam-Level: *
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on xxx.xxx.com
>
>
> Please let me know if I can provide any additional information that might
> help uncover the problem.
>
> THANK YOU in advance for any light you can shine on this issue!!!
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
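
The body-hash comparison asked for in the reply above, as an added example (not part of the thread, and not OpenDKIM or SpamAssassin code): it recomputes the DKIM body hash of a captured message per RFC 6376 and compares it with the bh= tag of the first DKIM-Signature, so a body modification can be ruled in or out. The sample message, the example.test domain and the function names are constructed for illustration; bare LF line endings in a capture are assumed to stand for CRLF.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, algo: str) -> bytes:
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    # Assumption: the capture may use bare LF (mbox); treat LF and CRLF alike.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if algo == "relaxed":
        # Collapse runs of WSP to one SP, then drop WSP at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if algo == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, algo: str = "relaxed", digest: str = "sha256", length=None) -> str:
    """Base64 digest of the canonicalized body, i.e. the value expected in bh=."""
    data = canon_body(body, algo)
    if length is not None:
        data = data[:length]  # l= tag: only the first l octets were signed
    return base64.b64encode(hashlib.new(digest, data).digest()).decode()

def check_bh(raw_msg: bytes) -> dict:
    """Compare the bh= of the first DKIM-Signature with a locally computed hash."""
    head, _, body = raw_msg.replace(b"\r\n", b"\n").partition(b"\n\n")
    m = re.search(rb"^DKIM-Signature:(.*(?:\n[ \t].*)*)", head, re.I | re.M)
    if m is None:
        raise ValueError("no DKIM-Signature header found")
    # Unfold and drop whitespace; none of the tags read below contain meaningful spaces.
    value = re.sub(rb"\s+", b"", m.group(1)).decode("ascii")
    tags = dict(t.split("=", 1) for t in value.split(";") if "=" in t)
    algo = (tags.get("c", "simple/simple") + "/simple").split("/")[1]
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, algo, tags["a"].split("-")[1], length)
    return {"c_body": algo, "claimed": tags["bh"], "computed": computed,
            "match": computed == tags["bh"]}

# Constructed sample, not the message from the thread: the bh= value is generated here.
BODY = b"Hello  world \r\n\r\nSecond line\r\n\r\n"
HEADERS = (b"From: a@example.test\r\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
           b" d=example.test; s=sel; h=From;\r\n bh=" + body_hash(BODY).encode() + b"; b=AAAA\r\n\r\n")
INTACT = HEADERS + BODY.replace(b"  ", b" ")  # whitespace-only change in transit
MODIFIED = HEADERS + BODY + b"-- \r\nfooter added by a relay\r\n"

if __name__ == "__main__":
    for name, msg in (("intact", INTACT), ("modified", MODIFIED)):
        print(name, check_bh(msg))
```

A matching bh= with a failing signature points at the signed header fields or the key rather than the body; a mismatch means the body changed after signing.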