Hi Matus,

I commented out policyd-spf and still am getting DKIM failure from google.com. Here are maillog entries from a gmail test:

May 9 15:11:36 xxxxxxx postfix/smtpd[815073]: connect from mail-qk1-f169.google.com[209.85.222.169]
May 9 15:11:36 xxxxxxx postfix/smtpd[815073]: Anonymous TLS connection established from mail-qk1-f169.google.com[209.85.222.169]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
May 9 15:11:37 xxxxxxx postfix/smtpd[815073]: 1CD1B200DF: client=mail-qk1-f169.google.com[209.85.222.169]
May 9 15:11:37 xxxxxxx postfix/cleanup[815088]: 1CD1B200DF: message-id=<xxx...@mail.gmail.com>
May 9 15:11:37 xxxxxxx opendkim[671562]: 1CD1B200DF: mail-qk1-f169.google.com [209.85.222.169] not internal
May 9 15:11:37 xxxxxxx opendkim[671562]: 1CD1B200DF: not authenticated
May 9 15:11:37 xxxxxxx opendkim[671562]: 1CD1B200DF: signature=XXXXXXX domain=gmail.com selector=20230601 result="signature verification failed"
May 9 15:11:37 xxxxxxx opendkim[671562]: 1CD1B200DF: bad signature data
May 9 15:11:37 xxxxxxx opendmarc[754]: 1CD1B200DF: gmail.com fail
May 9 15:11:37 xxxxxxx spamd[680444]: spamd: connection from ::1 [::1]:41032 to port 783, fd 5
May 9 15:11:37 xxxxxxx spamd[680444]: spamd: setuid to sa-milt succeeded
May 9 15:11:37 xxxxxxx spamd[680444]: spamd: processing message <xxx...@mail.gmail.com> for sa-milt:988
May 9 15:11:37 xxxxxxx spamd[680444]: spamd: clean message (1.5/5.0) for sa-milt:988 in 0.2 seconds, 3643 bytes.
May 9 15:11:37 xxxxxxx spamd[680444]: spamd: result: . 1 - DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_HELO_NONE,SPF_PASS scantime=0.2,size=3643,user=sa-milt,uid=988,required_score=5.0,rhost=::1,raddr=::1,rport=41032,mid=<xxx...@mail.gmail.com>,autolearn=no autolearn_force=no
May 9 15:11:37 xxxxxxx postfix/qmgr[815072]: 1CD1B200DF: from=<x...@gmail.com>, size=3343, nrcpt=1 (queue active)
May 9 15:11:37 xxxxxxx postfix/local[815090]: 1CD1B200DF: to=<y...@xxx.com>, orig_to=<x...@xxx.com>, relay=local, delay=0.61, delays=0.61/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)

Here is the eml

Return-Path: <x...@gmail.com>
X-Original-To: x...@xxx.com
Delivered-To: y...@yyy.jkbiggs.com
Received: from mail-qk1-f169.google.com (mail-qk1-f169.google.com [209.85.222.169])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
        key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
        (No client certificate requested)
        by y...@xxx.com (Postfix) with ESMTPS id 1CD1B200DF
        for <x...@jkbiggs.com>; Fri, 9 May 2025 15:11:36 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.4.2 yyy.xxx.com 1CD1B200DF
Authentication-Results: OpenDMARC; dmarc=fail (p=none dis=none) header.from=gmail.com
DKIM-Filter: OpenDKIM Filter v2.11.0 y...@xxx.com 1CD1B200DF
Authentication-Results: y...@xxx.com;
        dkim=fail reason="signature verification failed" (2048-bit key, unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=RKA6a/wC
Received: by mail-qk1-f169.google.com with SMTP id af79cd13be357-7caea4bc9e9so459125485a.1
        for <x...@jkbiggs.com>; Fri, 09 May 2025 13:11:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1746821496; x=1747426296; darn=xxx.com;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=9WXHEH+Ua31hBu54eP0LWpmaqkIUN2OsJGlLAjtdDlA=;
        b=RKA6a/wCNsjGeWDbSNrfAaEEAk3SM+ehP5vjMGJAD7IzYYj+GOEpedkbtu4T0WnBEx
         3foAEREMpDtru4NrbrBqkGOdLZtgxK41EVDIhfNXLBpb5ZYBGknSeXYbZUZsjQYBKz08
         flhI5hQew5XLSds1L4Opnd7TMdi9C3AEesULC2/Jf82kFgDdmg65EvstfvmF/z1Gn9k3
         qUoe1ubza8D7xaGRyFk7aOmNIlOAPVdr00ZOy9HYXCDHq9703YfINfd9rKBkpcmDbYvm
         qyxRTP9XUW/N1oEjVGOs2zaeOg+EY8P/WWAFg4dw70A8nhcnNKqRtDrRZ+wtwSMP+xUa
         vNKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746821496; x=1747426296;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=9WXHEH+Ua31hBu54eP0LWpmaqkIUN2OsJGlLAjtdDlA=;
        b=u76XLeeIE2eI2zLxa9B94/P/FAeDtruY5lKkJ5AJUw1msEiwwcpnYbJnmLb9JOHEVf
         d1UD6X8dH87d545JBJiliU7BpMBq2BOswWp6HFGcYvnSQPqnGrbGc11HBWCMCv7s3Whh
         K8S9/Zdk7Y/eEF3YWdjo6MDhHPUckqoH3MROj82XkTAJCNwYD3NmpYxC7bWsMuODXMMT
         oDz8qJz8Ygc5q8xVj1pp09U8LS5Pj+u6qXyqNmTW2v1IgqIO3GiTOCSxSqdG2bw4O3cI
         +vA7hLcG4nqJfnjzZYP1cX3q/NVTNejQjwzfFwmYvLMrDiTNanM5YshtSTy/w3CuNULn
         rUrw==
X-Gm-Message-State: AOJu0YznAXlBVr0Oxii7wK5eXqEhz9hXkeKDirYXQsr9dj8BNcBemiL/
        /Q7yMyWuMqGAiJBMYmtQArTMQvRHhS/WWH8JnlVDRaBcC6g+NHkBGDblF6iajWFHteWC0OKa5uu
        eE3m+Ilif3lg5g6va13bAjBbnXY7Row==
X-Gm-Gg: ASbGncs25X78hmWrGuKWv/x8oQNVKKI+/N1xl1xSsef0V3fj04IJ08evMgKKd+0YpbF
        4pijMDBhHI9/ngn3pvlZTf9bt9HemX3bv+0QUHSEtPI8bbj/CIjXTIT+cHSaTQGD0VjpTi6h1kW
        bnxLl1oHl7nJILeZgirw58sptZyKTPnDgk9kxWIktiZSwwrgNkgl+mTJQNnCAh2X3KPAs=
X-Google-Smtp-Source: AGHT+IGAamzv1VvdNNZXR2EypMCRMPHH+GFG1sv13gQi4bJLtuQ99V4zbyPEnqiqrI9nEnPQzHO8/Ci1akFkAo1tItc=
X-Received: by 2002:ad4:4eaf:0:b0:6d4:dae:6250 with SMTP id 6a1803df08f44-6f6e4831507mr78781396d6.34.1746821485574;
        Fri, 09 May 2025 13:11:25 -0700 (PDT)
From: Ken Biggs <x...@gmail.com>
Date: Fri, 9 May 2025 15:11:14 -0500
X-Gm-Features: AX0GCFueBRLK97xA4Q-765iH4iNekHuLztPS0LrUNqrK7x6cj5bNSqdHA1Wh8Rk
Message-ID: <cacynjg6ngpcfju6_rs590knb6idxyuoogacmnttv8uk2fsm...@mail.gmail.com>
Subject: DKIM Test
To: Ken Biggs <x...@xxx.com>
Content-Type: multipart/alternative; boundary="000000000000223f5b0634b9928d"
X-Spam-Status: No, score=1.5 required=5.0 tests=DKIM_ADSP_CUSTOM_MED,
        DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,HTML_MESSAGE,
        MIME_HEADER_CTYPE_ONLY,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,
        RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=no
        autolearn_force=no version=3.4.6
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on y...@xxx.com

--000000000000223f5b0634b9928d
Content-Type: text/plain; charset="UTF-8"

dkim test

--000000000000223f5b0634b9928d
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">dkim test</div>

--000000000000223f5b0634b9928d--

A lot (but not all) of the failed DKIM validation emails are from mailing lists.

-Ken

> On May 9, 2025, at 9:18 AM, Matus UHLAR - fantomas via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> On 09.05.25 08:14, Ken Biggs via Postfix-users wrote:
>> Looking at the maillog, I notice policyd-spf is running before opendkim.
>> Could that be modifying the email before dkim validation?
>
> it should not.
>
> I use pyspf-milter which is from the same package I believe (python, there's
> also perl version policyd-spf) and it only accepts/rejects e-mail and adds
> Authentication-Results: header.
>
> in my case, both opendkim and spamassassin's DKIM test often claim correct
> results.
>
> Question: aren't those mails failing DKIM from mailing lists?
> Because that is quite often case where DKIM does not pass.
>
>>> On May 9, 2025, at 8:04 AM, Ken Biggs via Postfix-users
>>> <postfix-users@postfix.org> wrote:
>>>
>>> I'm running spamass-milter.
>>> /etc/mail/spamassassin/v312.pre already has loadplugin
>>> Mail::SpamAssassin::Plugin::DKIM.
>>> Not seeing AuthRes anywhere in /etc/mail/spamassassin.
>>> So, I'm assuming the X-Spam-Status: tests=DKIM_INVALID,DKIM_SIGNED are
>>> SpamAssassin's agreement with OpenDKIM's Authentication-Results: dkim=fail
>>> reason="signature verification failed". I haven't seen any conflict
>>> between the dkim validation results so far.
>>>
>>> It's great to know Matus is using the same combination and not seeing
>>> frequent DKIM failures, so it's my setup somehow.
>>>
>>> I'm not using smtp proxy and I don't believe I have any content filter set
>>> up.
>>>
>>> I've tried running opendkim as the only milter (commenting out opendmarc
>>> and spamassassin). There were no changes to validation results.
>
> k
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Send this email to 100 your friends - let them see what an idiot you are
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
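
The thread asks whether something (a milter, or a mailing list) changed the message between the signer and opendkim. As an added example, not part of the original posts and not OpenDKIM's code, this Python script recomputes the body hash of a saved message and compares it with the `bh=` tag of the first DKIM-Signature; a match while `b=` still fails points away from the body and toward the signed headers or the key. The sample message (example.org, selector `sel1`, dummy `b=`) is constructed here.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (whitespace in values dropped)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, algo):
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if algo == "relaxed":  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if algo == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def bh_of(body, algo="relaxed", digest="sha256"):
    """Base64 body hash as it would appear in the bh= tag."""
    return base64.b64encode(hashlib.new(digest, canon_body(body, algo)).digest()).decode()

def body_hash_check(raw):
    """Compare bh= of the first DKIM-Signature with a hash of the body as received."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)  # files saved on Unix usually have bare LF
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            t = parse_tags(value)
            # c= is header/body; a missing body part or missing tag means "simple"
            algo = (t.get("c", "simple/simple").split("/") + ["simple"])[1]
            computed = bh_of(body, algo, t.get("a", "rsa-sha256").split("-")[-1])
            return {"claimed": t.get("bh"), "computed": computed,
                    "match": t.get("bh") == computed}
    return None  # message carries no DKIM-Signature

def build_sample(body):
    """Constructed message (example.org, sel1, dummy b=); not the mail from the thread."""
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            b"\ts=sel1; h=from:subject; bh=" + bh_of(body).encode() + b"; b=AAAA\r\n"
            b"From: a@example.org\r\nSubject: test\r\n\r\n" + body)

if __name__ == "__main__":
    msg = build_sample(b"dkim test\r\n")
    print("as sent:        ", body_hash_check(msg)["match"])
    print("footer appended:", body_hash_check(msg + b"-- \r\nlist footer\r\n")["match"])
```

The script does not verify the RSA signature in `b=`; it only separates body changes from everything else.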