DKIM Signature not valid

Hi,

I am using Axigen 10.3.3.1 (Free version) on Linux AMI 2 and configured DKIM using the below-mentioned link.

When sending email using a script, it says DKIM ‘FAIL’ with domain i--------t, although in the email header it says the DKIM status is OK.
Attaching the email header for reference.

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=dkim-status:domainkey-status:content-transfer-encoding:subject:date
:to:from:mime-version:message-id:domainkey-signature:dkim-signature;
bh=HQtWSrja9garlmw4R+eezXaOKOy/KGhaHNkNmA0Wci0=;
fh=ieEXUAqMwRRtJsFrbBeo0d2jc5L5nht8CWRcq7tN7O8=;
b=Sbo8F4RNDBCwjCs2q1AB4jRj1XvReptijLaDR/QODHW1mHmJTIsumHtInh/IC+l/Gq
O/fJsFEoUrTl+tOlwkD+lbLacRzGCkV4lczPzkBAKFHoHWu4knrNPxLQBa+v3/FQb3tR
wuVGV783ZlgO+ZxiyPlKXpoQdcTxOBUvb4Wi1z+9GiToZPzsuNuXf2YehdOM0XxWvUO9
rjXVHYHfD9kcjM8l7C6VuH4F3Lnvn16lABj8EZjEadNhyDYtbN6L03THFccxUSt8iYfD
GP7WSc/H0npwWFDvQYSSk3SC37WVRYxpacCMhs5oGLty23BSTq3VyLZX5Ypr89UTcMRX
X8lQ==;
dara=google.com

   dkim=fail header.i=@i-------t header.s=mailr10 header.b=canaC9UA;
   spf=pass (google.com: domain of noreply@i-------t designates 35.XX.XX.85 as permitted sender) smtp.mailfrom=noreply@i-------t;
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=i-------t

DKIM-Signature: v=1; a=rsa-sha256; d=i-------t; s=mailr10; c=relaxed/relaxed; q=dns/txt; h=from:date:to:cc:message-id:subject; bh=HQtWSrja9garlmw4R+eezXaOKOy/KGhaHNkNmA0Wci0=; b=canaC9UA/XTER3uJfqLTEHo8ICvJA/vBe9YlNbxU9lBGqdcL5dV1ippHYPYEcYBcb7oWoq+rnqAOiRi/y+ePEaSTj5oZm4Ymhjm7/Y5wlXV3XhwyweSl99GWEhXOPBqyGm1+JQWR9oU6OphreK+JadAK7fzKr91CJ4yWJPwtiJvE8qYEgj13iL4ii8k8Gq+rMh8zg8UlN5RIW+xUI7HhsGthx1z8HjVbpGGjQZap8Lasn4bTfsGE9KWiD4waUXysmESquuO6LTKmbHi3daztPsZ5DkV1k3tjsx6TMroM6DfGBxsxWTiMqo0FpiKYtOsN++ft/kylvS1p0ZNFumNDyA==;
DomainKey-Signature: a=rsa-sha1; b=BodUNGJgyiBGf9FCLIiQrABjhOMHaW/ke6tidnX9e7lKoXddBw07d7OLiqwRlIT4eRskZxa3NzHSMbsr37XaO0bKo8orwVTgI9TWnp1RJF+EsVX4a65KpyJWGr5UtwzIPWTDX4puqz3kWiECynMJ7OZOyj2XV6Xu4GD57b5DzqsOkcLJv/vAIm/CkPz9NmDR8kSveOFWaomKlWIRDZRs7BCYB5yHfN0jsaCn7uJ5RVuHWMLFX3f8Txyok97fHyub8+HZmBLzrdcpS2dh0rEnSpAJS29jsUAVoyLj3z5BZy29A/DXXpYSw91X6aSh5rlJVVYpBqoKd6JsRwqFGK29UA==; c=nofws; q=dns; d=i-------t; s=mailr10; h=message-id:from:to:date:subject:cc;
Received: from DESKTOP-PGJNPFV (52.65.182.160) by ip-10-0-100-57.ec2.internal (Axigen) with ESMTP id 0D15D7; Mon, 29 Jul 2024 07:38:53 +0000
Message-ID: 1722238734202356991@ip-10-0-100-57.ec2.internal
MIME-Version: 1.0
From: noreply@i-------t
To: khurra------@gmail.com
Date: 29 Jul 2024 12:38:54 +0500
Subject: Email testing from Po----nt.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
X-AXIGEN-DK-Result: Ok
DomainKey-Status: good
X-AXIGEN-DKIM-Result: Ok
DKIM-Status: good

Email testing from Po----nt.

From DKIM Validator

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; d=i-------t; s=mailr10; c=relaxed/relaxed;
q=dns/txt; h=from:date:to:cc:message-id:subject;
bh=HQtWSrja9garlmw4R+eezXaOKOy/KGhaHNkNmA0Wci0=;
b=lW7A/26Jx6ZyICzKds1yHCvFSszPUa9dNbUYgYkog1W0Jyji+r28GcMk8qYuLgbfmjwkNffBzmoyu1s/4QMZHt7ZI4s2+sODFbGzdkWxSRcxENItjELgqEgpYrOO5Ri+WDTHcPiv4CPHCFbbBdlSqBshBsCFqY+3UMy7RDGd7OsvzB5urn9tZZQwMLZlQojkhqKfrbG3W64PHUGz8OxbYtzrVmXfxSncq3KDgyeQDlmJq3CM4Dhk6xYHU9O9O6uRbjD1PryTR+89NHd5cv3orUF3ozbXign0XbiSXcFn6culvfm0QwUD9Vp+9qx7zEyGz2gghFgFw55m4POZ2i+MVw==;
DKIM-Status: good

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: i-------t
s= Selector: mailr10
q= Protocol: dns/txt
bh= HQtWSrja9garlmw4R+eezXaOKOy/KGhaHNkNmA0Wci0=
h= Signed Headers: from:date:to:cc:message-id:subject
b= Data: lW7A/26Jx6ZyICzKds1yHCvFSszPUa9dNbUYgYkog1W0Jyji+r28GcMk8qYuLgbfmjwkNffBzmoyu1s/4QMZHt7ZI4s2+sODFbGzdkWxSRcxENItjELgqEgpYrOO5Ri+WDTHcPiv4CPHCFbbBdlSqBshBsCFqY+3UMy7RDGd7OsvzB5urn9tZZQwMLZlQojkhqKfrbG3W64PHUGz8OxbYtzrVmXfxSncq3KDgyeQDlmJq3CM4Dhk6xYHU9O9O6uRbjD1PryTR+89NHd5cv3orUF3ozbXign0XbiSXcFn6culvfm0QwUD9Vp+9qx7zEyGz2gghFgFw55m4POZ2i+MVw==
Public Key DNS Lookup

Building DNS Query for mailr10._domainkey.i-------t
Retrieved this publickey from DNS: k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxKH2h/Kce9I35YL8avEmz3aCJOojU2Ws3h6g8HrTR95ufird9Yd5pW6ur/JP/dYqXkKUxRqiLuDPCjkSeYwWjoM7cW7I5zXrJSeXHQratvEGcuKvfSSbYEbbAulPgVdwKL7HMNcWaoHc8PYD2QEuytLwbaNPRyBR8Vuyrennzrqz8qcAOqMvUdkVNgHU0CMKrKYJKGXtxFc5T4rdEtfrkdovYPU2yvSDtF5eh8acY5xaEoMQs/vXMsqq9tlllpc2QB1k7/y7WoM3VQrix50oJtoxYl2xb15G1jLecDd+1vMHsvF4/DEqehSdN8PskixbYxcQmABTaWO11RnQJfCTSwIDAQAB
Validating Signature

result = fail
Details: bad RSA signature

From MailGenius

DKIM_INVALID,DKIM_SIGNED,RCVD_IN_DNSWL_MED,

From MXToolbox the record seems valid

From MailTester

Your DKIM signature is not valid.

Please suggest what should be done or reviewed to resolve this issue.

@indreias, I need your guidance to resolve this issue.

Hello,

Without access to the logs, and having the indication that the local checks show good / Ok results, I can only think of the following reasons:

1/ Axigen is signing the message and later on, based on some rules, a change is made to any of the items taken into consideration when the signature is computed (see them listed in [1]).

2/ There are one or more intermediate relays between Axigen and the final destination that may make changes to the mentioned items. This should be easy to spot if you are not sending based on MX but via an SMTP gateway - you should see all intermediate devices mentioned in the Received headers.

HTH,
Ioan

[1] Items used when computing the DKIM signature:

headers > from:date:to:cc:message-id:subject
message body
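
Added example (not part of the original thread and not Axigen code): a standard-library Python check that narrows a DKIM failure to one of the two item groups in [1] by recomputing the `relaxed` body hash from RFC 6376 and comparing it with the `bh=` tag. The domain `example.test`, selector `sel1`, the dummy `b=` value and all function names are assumptions made for the illustration.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, then drop trailing space.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                          # ignore trailing empty lines
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def sig_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def diagnose(raw: bytes) -> str:
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n(?=[ \t])", b"", head).decode("ascii", "replace")
    fields = [ln.split(":", 1) for ln in unfolded.split("\r\n") if ":" in ln]
    sig = next((v for k, v in fields if k.strip().lower() == "dkim-signature"), None)
    if sig is None:
        return "no-signature"
    tags = sig_tags(sig)
    if tags.get("bh") != body_hash(body):
        return "body-changed"                # body was altered after signing
    # Body is intact, so a failure points at the signed headers or the key.
    # A name in h= with no matching header is legal (signed as empty).
    names = [k.strip().lower() for k, _ in fields]
    absent = [h for h in tags.get("h", "").lower().split(":") if h not in names]
    return "body-ok; signed headers absent: " + (",".join(absent) or "none")

# Constructed sample message: placeholder domain, dummy b= value.
BODY = b"Email  testing \r\n\r\n"
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.test; s=sel1;\r\n"
          b" c=relaxed/relaxed; h=from:date:to:cc:message-id:subject;\r\n"
          b" bh=" + body_hash(BODY).encode() + b"; b=AAAA\r\n"
          b"From: noreply@example.test\r\nTo: user@example.test\r\n"
          b"Date: Mon, 29 Jul 2024 07:38:53 +0000\r\n"
          b"Message-ID: <1@example.test>\r\nSubject: test\r\n\r\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE + BODY))
```

Run `diagnose()` on the raw message as it arrived at the destination: a `body-ok` result together with a failed verification means the difference lies in one of the headers listed in `h=` or in the published key, not in the body.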

@indreias
Here is the log attached,

SMTP-IN:00002BEA: [10.0.100.57:25] connection accepted from [52.XX.XX.160:52607]
SMTP-IN:00002BEA: >> 220 ip-10-0-100-57.ec2.internal Axigen ESMTP ready
SMTP-IN:00002BEA: << EHLO DESKTOP-PGJNPFV
SMTP-IN:00002BEA: Set remote delivery to none
SMTP-IN:00002BEA: Greylist disabled
SMTP-IN:00002BEA: Set max data size to 25600 KB
SMTP-IN:00002BEA: Set max received headers to 30
SMTP-IN:00002BEA: Maximum recipient count set to 1000
SMTP-IN:00002BEA: Wait for processing response at least 10 seconds
SMTP-IN:00002BEA: STARTTLS extension allowed
SMTP-IN:00002BEA: 8BIT MIME accepted
SMTP-IN:00002BEA: BINARY DATA extension allowed
SMTP-IN:00002BEA: PIPELINING extension allowed
SMTP-IN:00002BEA: DSN extension denied
SMTP-IN:00002BEA: Set local delivery to all
SMTP-IN:00002BEA: Set remote delivery to all
SMTP-IN:00002BEA: >> 250-ip-10-0-100-57.ec2.internal Axigen ESMTP hello
SMTP-IN:00002BEA: >> 250-PIPELINING
SMTP-IN:00002BEA: >> 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
SMTP-IN:00002BEA: >> 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
SMTP-IN:00002BEA: >> 250-8BITMIME
SMTP-IN:00002BEA: >> 250-BINARYMIME
SMTP-IN:00002BEA: >> 250-CHUNKING
SMTP-IN:00002BEA: >> 250-SIZE 26214400
SMTP-IN:00002BEA: >> 250-STARTTLS
SMTP-IN:00002BEA: >> 250-HELP
SMTP-IN:00002BEA: >> 250 OK
SMTP-IN:00002BEA: << MAIL FROM:noreply@in-------at
SMTP-IN:00002BEA: Created new queue item with id 000878F8
SMTP-IN:00002BEA: >> 250 Sender accepted
SMTP-IN:00002BEA: << RCPT TO:khur---------9@gmail.com
SMTP-IN:00002BEA: >> 250 Recipient accepted
SMTP-IN:00002BEA: << DATA
SMTP-IN:00002BEA: >> 354 Ready to receive data; remember .
SMTP-IN:00002BEA: << 280 bytes and final dot read
SMTP-IN:00002BEA: DomainKeys verification result: no signature
SMTP-IN:00002BEA: DKIM verification result: no signature
SMTP-IN:00002BEA: New mail 1722489252203862224@ip-10-0-100-57.ec2.internal received from DESKTOP-PGJNPFV (52.XX.XX.160) with envelope from noreply@in-------at, recipients=1 (khur---------9@gmail.com), size=277, enqueued with id 0878F8
SMTP-IN:00002BEA: >> 250 Mail queued for delivery

SMTP-OUT:00001608: Relay mail 0878F8: connecting to 142.251.179.27:25
SMTP-OUT:00001608: Relay mail 0878F8: connected to 142.251.179.27:25
SMTP-OUT:00001608: Start sending mail 0878F8
SMTP-OUT:00001608: Release mail 0878F8
SMTP-OUT:00001608: Release mail 0878F8
SMTP-OUT:00001608: Data sent for mail 0878F8; server response: 2.0.0 OK d75a77b69052e-44fe853539dsi168672941cf.709 - gsmtp
SMTP-OUT:00001608: Set recipient khur---------9@gmail.com state to SENT
SMTP-OUT:00001608: Delivery attempt completed for mail 0878F8; schedule for cleanup
SMTP-OUT:00001608: Set mail state to SENT
SMTP-OUT:00001608: Disconnected from 142.251.179.27

PROCESSING:000878F8: Shepherd thread received signal for processing
PROCESSING:000878F8: Set recipient khur---------9@gmail.com state to RECEIVED
PROCESSING:000878F8: Set mail state to PROCESSING
PROCESSING:000878F8: Start processing mail
PROCESSING:000878F8: Set recipient khur---------9@gmail.com state to PROCESSING
PROCESSING:000878F8: Start filter AV:Tnef of type socket filter from server
PROCESSING:000878F8: Processing started
PROCESSING:000878F8: Shepherd thread finished processing signal
PROCESSING:000878F8: Filter AXI-TNEF(127.0.0.1:8888):[PASS]: pass - no changes
PROCESSING:000878F8: Finished filtering mail object 0878F8 with filter: AV:Tnef of type socket filter from server
PROCESSING:000878F8: Set recipient khur---------9@gmail.com data version to 1
PROCESSING:000878F8: Set recipient khur---------9@gmail.com state to PROCESSING
PROCESSING:000878F8: Start filter onProcessing event
PROCESSING:000878F8: The unauthenticated message has been signed using DomainKeys
PROCESSING:000878F8: The unauthenticated message has been signed using DKIM
PROCESSING:000878F8: Finished filtering mail object 0878F8 with filter: onProcessing event
PROCESSING:000878F8: Set recipient khur---------9@gmail.com data version to 2
PROCESSING:000878F8: Set recipient khur---------9@gmail.com state to PROCESSING
PROCESSING:000878F8: Set recipient khur---------9@gmail.com state to PROCESSED - RELAY
PROCESSING:000878F8: Set mail state to PROCESSED
PROCESSING:000878F8: Processing finished
PROCESSING:000878F8: Shepherd thread received signal for delivery
PROCESSING:000878F8: Shepherd thread finished delivery signal
PROCESSING:000878F8: Start mail delivery
PROCESSING:000878F8: Set mail state to SENDING
PROCESSING:000878F8: Start remote delivery for 1 recipients in domain gmail.com
PROCESSING:000878F8: Use plain connection
PROCESSING:000878F8: STARTTLS extension allowed
PROCESSING:000878F8: Allowed ssl versions set to: tls11 tls12 tls13
PROCESSING:000878F8: SSL certificate file set to: axigen_cert.pem
PROCESSING:000878F8: Set EHLO host to <mailr10.po------nt.com>
PROCESSING:000878F8: Relay mail using default host: gmail.com:25
DNR:000878F8: Search MX for ‘gmail.com
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt2.gmail-smtp-in.l.google.com’ found MX ‘64.233.184.26’ with priority 20
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt2.gmail-smtp-in.l.google.com’ found MX ‘2a00:1450:400c:c0b::1a’ with priority 20
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt3.gmail-smtp-in.l.google.com’ found MX ‘142.250.27.26’ with priority 30
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt3.gmail-smtp-in.l.google.com’ found MX ‘2a00:1450:4025:401::1a’ with priority 30
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘gmail-smtp-in.l.google.com’ found MX ‘142.251.179.27’ with priority 5
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘gmail-smtp-in.l.google.com’ found MX ‘2607:f8b0:4004:c09::1b’ with priority 5
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt1.gmail-smtp-in.l.google.com’ found MX ‘209.85.202.27’ with priority 10
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt1.gmail-smtp-in.l.google.com’ found MX ‘2a00:1450:400b:c00::1b’ with priority 10
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt4.gmail-smtp-in.l.google.com’ found MX ‘142.250.153.26’ with priority 40
DNR:000878F8: Sending query (1/1) to 8.8.8.8:53
DNR:000878F8: ‘alt4.gmail-smtp-in.l.google.com’ found MX ‘2a00:1450:4013:c16::1a’ with priority 40
PROCESSING:000878F8: Relay mail: skipping IPV6 MX entry because IPv6 is disabled in smtp outgoing service configuration
PROCESSING:000878F8: Relay mail: found IPv4 MX entry 142.251.179.27 for domain gmail.com with priority 5
PROCESSING:000878F8: Relay mail: skipping IPV6 MX entry because IPv6 is disabled in smtp outgoing service configuration
PROCESSING:000878F8: Relay mail: found IPv4 MX entry 209.85.202.27 for domain gmail.com with priority 10
PROCESSING:000878F8: Relay mail: skipping IPV6 MX entry because IPv6 is disabled in smtp outgoing service configuration
PROCESSING:000878F8: Relay mail: found IPv4 MX entry 64.233.184.26 for domain gmail.com with priority 20
PROCESSING:000878F8: Relay mail: skipping IPV6 MX entry because IPv6 is disabled in smtp outgoing service configuration
PROCESSING:000878F8: Relay mail: found IPv4 MX entry 142.250.27.26 for domain gmail.com with priority 30
PROCESSING:000878F8: Relay mail: skipping IPV6 MX entry because IPv6 is disabled in smtp outgoing service configuration
PROCESSING:000878F8: Relay mail: found IPv4 MX entry 142.250.153.26 for domain gmail.com with priority 40
PROCESSING:000878F8: Use 142.251.179.27 to relay mail 0878F8 for domain gmail.com
PROCESSING:000878F8: Shepherd thread received signal for cleanup
PROCESSING:000878F8: Start mail cleanup
PROCESSING:000878F8: Mail removed from queue
PROCESSING:000878F8: Set mail state to REMOVED
PROCESSING:000878F8: Shepherd thread finished cleanup signal

Hello,

So you are using a free Axigen service to relay messages to the internet.

This is not bad but:
1/ you are using a quite old version (10.3.3.1) and the release notes of the latest version (10.3.3.63) show some fixes for the DKIM signing process, especially when a domain appender is used (check for AXI-3379)

2/ it is not a good idea to sign messages received via a non-authenticated session

At this point my suggestion is to upgrade to 10.3.3.63 and let us know if the problem is still present.

HTH,
Ioan