Posted to users@spamassassin.apache.org by Sebastian Arcus <s....@open-t.co.uk> on 2018/03/19 15:29:10 UTC

T_DKIM_INVALID false positives with Gmail

I've been seeing a number of false positives recently from 
T_DKIM_INVALID with Gmail emails. Are some Gmail servers misconfigured, 
or could something be going on at my end? The DKIM record which is 
flagged as invalid is below:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
    s=20161025;
    h=mime-version:from:date:message-id:subject:to;
    bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
    b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
    vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
    Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
    +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
    3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
    Ps6A==

Re: T_DKIM_INVALID false positives with Gmail

Posted by "Kevin A. McGrail" <km...@apache.org>.
No, because DKIM is verifying the unmodified header/body (more complicated
than that).

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Mar 19, 2018 at 11:55 AM, Sebastian Arcus <s....@open-t.co.uk>
wrote:

> On 19/03/18 15:53, Bill Cole wrote:
>
>> On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:
>>
>>> I've been seeing a number of false positives recently from T_DKIM_INVALID
>>> with Gmail emails. Are some Gmail servers misconfigured, or could something
>>> be going on at my end? The DKIM record which is flagged as invalid is below:
>>>
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
>>> s=20161025; h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOm
>>> UO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
>>> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
>>>  vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
>>> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
>>> +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
>>> 3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
>>> Ps6A==
>>>
>>
>> There are LOTS of ways to break a DKIM signature. Whether that one is
>> broken can't be checked and how it might have been broken can't be guessed
>> at without the full *unmodified* headers and body of the message.
>>
>
> I use Exim to pass stuff directly to SA. Could I attach the DKIM header in
> a text file and send it to the list?
>

Re: T_DKIM_INVALID false positives with Gmail

Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 19/03/18 15:53, Bill Cole wrote:
> On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:
> 
>> I've been seeing a number of false positives recently from 
>> T_DKIM_INVALID with Gmail emails. Are some Gmail servers 
>> misconfigured, or could something be going on at my end? The DKIM 
>> record which is flagged as invalid is below:
>>
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
>> d=googlemail.com; s=20161025; 
>> h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=; 
>>
>> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i 
>>  vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
>> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T 
>> +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm 
>>    3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
>> Ps6A==
> 
> There are LOTS of ways to break a DKIM signature. Whether that one is 
> broken can't be checked and how it might have been broken can't be 
> guessed at without the full *unmodified* headers and body of the message.

I use Exim to pass stuff directly to SA. Could I attach the DKIM header 
in a text file and send it to the list?

Re: T_DKIM_INVALID false positives with Gmail

Posted by RW <rw...@googlemail.com>.
On Mon, 19 Mar 2018 11:53:19 -0400
Bill Cole wrote:

> On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:
> 
> > I've been seeing a number of false positives recently from 
> > T_DKIM_INVALID with Gmail emails. Are some Gmail servers 
> > misconfigured,

> There are LOTS of ways to break a DKIM signature. 

Including signing non-existent List-* headers and then posting to a
mailing list.


DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:
 MIME-Version:Date:Message-ID:Subject:From:To:Sender:Reply-To:Cc:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;...
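
The effect described in the message above, as an added example that is not part of the original post: a header named in h= but absent at signing time contributes nothing to the hash input, so a list server that later adds it changes the data the verifier hashes. The sample message, the addresses and the function names are constructed for illustration.

```python
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_data(headers, h_tag):
    """Build the header part of the hash input for the names listed in h=.

    headers is a list of (name, value) pairs, top of the message first.
    Each name in h= takes the bottom-most instance not used yet; a name with
    no instance left contributes the empty string (RFC 6376 section 5.4.2).
    """
    remaining = list(headers)
    parts = []
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                parts.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(parts)

def header_digest(headers, h_tag):
    # The DKIM-Signature header is hashed too; it is the same on both sides, so it is left out.
    return hashlib.sha256(signed_header_data(headers, h_tag).encode()).hexdigest()

# Constructed sample message, not taken from the thread.
AS_SENT = [
    ("From", "Alice <alice@example.org>"),
    ("To", "users@lists.example.net"),
    ("Subject", "DKIM  question"),
    ("Message-ID", "<constructed-1@example.org>"),
]
# The list server adds its own List-* headers on the way through.
AS_RELAYED = [
    ("List-Id", "<users.lists.example.net>"),
    ("List-Unsubscribe", "<mailto:users-unsubscribe@lists.example.net>"),
] + AS_SENT

PLAIN_H = "From:To:Subject:Message-ID"
OVERSIGNED_H = PLAIN_H + ":List-Id:List-Unsubscribe"  # names also in the h= above

def survives_list(h_tag):
    """True if the signed header data is identical before and after relay."""
    return header_digest(AS_SENT, h_tag) == header_digest(AS_RELAYED, h_tag)
```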

Re: T_DKIM_INVALID false positives with Gmail

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:

> I've been seeing a number of false positives recently from 
> T_DKIM_INVALID with Gmail emails. Are some Gmail servers 
> misconfigured, or could something be going on at my end? The DKIM 
> record which is flagged as invalid is below:
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
> d=googlemail.com; s=20161025; 
> h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i   
>  vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T   
> +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm   
>    3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
> Ps6A==

There are LOTS of ways to break a DKIM signature. Whether that one is 
broken can't be checked and how it might have been broken can't be 
guessed at without the full *unmodified* headers and body of the 
message.

Re: T_DKIM_INVALID false positives with Gmail

Posted by "Kevin A. McGrail" <km...@apache.org>.
What glue are you using for SA?

DKIM is pretty fragile depending on the signature and implementation.  One
\n\r changed to \n for example which some SMTP transports will do can cause
a failure.

I pretty much consider DKIM a 100% if it works and generally worthless if
it fails technology right now BUT should get better as people realize they
can't muck with things mid transport.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Mar 19, 2018 at 11:29 AM, Sebastian Arcus <s....@open-t.co.uk>
wrote:

> I've been seeing a number of false positives recently from T_DKIM_INVALID
> with Gmail emails. Are some Gmail servers misconfigured, or could something
> be going on at my end? The DKIM record which is flagged as invalid is below:
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
> s=20161025; h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOm
> UO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
> vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
>  +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
>   3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
> Ps6A==
>
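
The line-ending fragility mentioned in the message above, as an added example that is not part of the original post: the bh= body hash under c=relaxed tolerates whitespace changes inside lines but not a transport rewriting the line terminators. It assumes a verifier that hashes the bytes exactly as handed to it; the sample bodies and function names are constructed.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization.

    Lines are CRLF-terminated: collapse runs of space/tab, drop whitespace at
    line ends, drop empty lines at the end of the body.
    """
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= for a=rsa-sha256 with a relaxed body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def diagnose(signed: bytes, received: bytes) -> str:
    """Say why the received body no longer matches the signed bh=, if it does not."""
    if body_hash(received) == body_hash(signed):
        return "match"
    # Retry with line terminators normalised back to CRLF.
    crlf = re.sub(rb"\r?\n", b"\r\n", received)
    if body_hash(crlf) == body_hash(signed):
        return "line endings changed"
    return "content changed"

# Constructed bodies, not taken from the thread.
SIGNED = b"Hi  list,\r\n\r\nDoes this verify? \r\n\r\n"
RESPACED = b"Hi list,\r\n\r\nDoes this verify?\r\n"
BARE_LF = SIGNED.replace(b"\r\n", b"\n")
WITH_FOOTER = SIGNED + b"-- \r\nTo unsubscribe, mail the list server\r\n"
```

Running `diagnose` on the body exactly as the scanner received it shows whether a T_DKIM_INVALID hit comes from transport rewriting or from a real content change.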