On Thu, 8 Jun 2006, Murray S. Kucherawy wrote:
On Thu, 8 Jun 2006, Dan Mahoney, System Admin wrote:
Apologies for the horrid wrapping, but I'm not seeing the right header
There should still be an Authentication-Results header if it's failing,
As coded right now, that header is added on failed verifications only if it
got as far as deciding if the signature was both present and able to be
verified. In this case the latter condition was not met so no header was
In particular, your published key record contains the tag "g=" with no value.
According to base-02 (and in fact I think all of the DKIM drafts), that
matches no users, so the key was used by an unauthorized user and thus the
signature was to be ignored. dkim-filter therefore acted like there was no
This is DIFFERENT from what I've seen in some of the domainkeys drafts,
g = granularity of the key (the default of '' = all domain, which
means that any left-hand-side of the @ is valid with this
(Though not yet defined, one possible interpretation for
non-empty values is that they could represent a Base64 SHA1
fingerprint of the email address used to identify the sending
domain. This, though, does not handle the notion of tagged
addresses as well as one would like.)
Does this necessarily mean I should have to use a different key for dkim
and domainkeys? Does the domainkeys spec understand *?
Oh, I see where I got it. The INSTALL file in the dkim-milter tarball:
(iii) Add a TXT DNS record containing the base64 encoding of your public
key, which is everything between the BEGIN and END lines in the
rsa.public file generated above, with spaces and newlines removed.
It should be in this form:
"g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="
If you change it to "g=*" (match all users, which is the default), you should
get a result.
I've done this. Just waiting for DNS to propagate.
Apologies to anyone else listening for the signal-to-noise ratio here,
btw. Moving this conversation mid-flow to a different list didn't seem
like it would make sense.
"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."
--Cali and Gushi, 6/23/02
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
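The two readings of the `g=` tag discussed in this message, as an added example that is not part of the original e-mail and is not dkim-filter's code: the DKIM rule (an empty `g=` matches no users, `*` is the default and matches all) next to the DomainKeys draft text quoted above (empty is the default and means the whole domain). It goes slightly beyond the thread by also handling a single `*` wildcard inside a DKIM value; the function names, the sample local part `dan`, and exact matching for non-empty DomainKeys values are assumptions, and the thread does not settle the last one.

```python
"""Added example: how an empty g= tag is read by DKIM vs. DomainKeys."""

# Key record exactly as shown in the INSTALL excerpt (p= is elided on the page).
INSTALL_RECORD = "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="
# The same record after the change suggested in the thread.
FIXED_RECORD = "g=*; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="


def parse_key_record(txt):
    """Split a tag=value list into a dict; duplicate tag names are rejected."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = "".join(value.split())  # drop folding whitespace
    return tags


def dkim_g_matches(g, local_part):
    """DKIM reading: absent g= means '*', an empty g= matches no one."""
    if g is None:
        g = "*"
    if g == "" or g.count("*") > 1:
        return False
    if "*" not in g:
        return g == local_part
    prefix, suffix = g.split("*")
    return (len(local_part) >= len(prefix) + len(suffix)
            and local_part.startswith(prefix) and local_part.endswith(suffix))


def domainkeys_g_matches(g, local_part):
    """DomainKeys reading quoted in the thread: empty (the default) = all.
    Assumption: a non-empty value must equal the local part exactly."""
    return True if not g else g == local_part


def compare(record, local_part):
    """Evaluate one record under both readings for a signing local part."""
    g = parse_key_record(record).get("g")
    return {"dkim": dkim_g_matches(g, local_part),
            "domainkeys": domainkeys_g_matches(g, local_part)}


if __name__ == "__main__":
    for rec in (INSTALL_RECORD, FIXED_RECORD):  # "dan" is a constructed local part
        print(rec.split(";")[0], compare(rec, "dan"))
```

Run against the INSTALL-style record, the DKIM reading rejects every signer while the DomainKeys reading accepts every signer, which is the mismatch the message describes.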