My DKIM setup has actually been running for quite a long time. Every now and then, though, I get rejected messages. I always dismissed that as sporadic DNS errors because the Netcup DNS once again did not answer (in time). But with some servers it happens reliably. I am now wondering whether it might be my fault after all and I have botched something?
In principle the setup seems to be fine. Google sees no problems, and at dkimvalidator.com and verifier.port25.com everything is fine too:
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=js86.de; s=default;
t=1652946547;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=b2+7LaHd8Jb1M3+Tx8IoQqFdJhdD3UODX1D82kvyk0E86gTd2/Y32AsRMGCIs92emahJg8
Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: js86.de
s= Selector: default
q= Protocol:
bh= 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
h= Signed Headers: from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding
b= Data: b2+7LaHd8Jb1M3+Tx8IoQqFdJhdD3UODX1D82kvyk0E86gTd2/Y32AsRMGCIs92emahJg8
Public Key DNS Lookup
Building DNS Query for default._domainkey.js86.de
Retrieved this publickey from DNS: v=DKIM1; t=s; p=
Validating Signature
result = pass
Details:
SpamAssassin Score: -5.1
Message is NOT marked as spam
Points breakdown:
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: js86.de]
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
high trust
[202.61.254.9 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
"iprev" check: pass
DKIM check: pass
==========================================================
Details:
==========================================================
HELO hostname: mail.js86.de
Source IP: 202.61.254.9
mail-from: meineMailAdresse@js86.de
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=meineMailAdresse@js86.de
DNS record(s):
js86.de. 300 IN TXT "v=spf1 mx include:mail.js86.de ~all"
js86.de. 300 IN TXT "google-site-verification=AdQmaC-d-LRxNsz4CrSNozTXPAX6cKISNuHj2pWU1Jw"
js86.de. 300 IN MX 10 mail.js86.de.
mail.js86.de. 300 IN A 202.61.254.9
----------------------------------------------------------
"iprev" check details:
----------------------------------------------------------
Result: pass (matches mail.js86.de)
ID(s) verified: policy.iprev=202.61.254.9
DNS record(s):
9.254.61.202.in-addr.arpa. 300 IN PTR mail.js86.de.
mail.js86.de. 300 IN A 202.61.254.9
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: meineMailAdresse@js86.de)
ID(s) verified: header.d=js86.de
Canonicalized Headers:
from:Vorname'20'Nachname'20'<meineMailAdresse@js86.de>'0D''0A'
subject:dkim'20'test'0D''0A'
date:Thu,'20'19'20'May'20'2022'20'09:47:49'20'+0200'0D''0A'
message-id:<51921812-2E4D-43A3-961B-6D8A87603B8E@js86.de>'0D''0A'
to:check-auth2@verifier.port25.com'0D''0A'
mime-version:1.0'20'(Mac'20'OS'20'X'20'Mail'20'16.0'20'\(3696.80.82.1.1\))'0D''0A'
content-type:text/plain'0D''0A'
content-transfer-encoding:7bit'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=js86.de;'20's=default;'20't=1652946470;'20'h=from:from:reply-to:subject:subject:date:date:message-id:message-id:'20'to:to:cc:mime-version:mime-version:content-type:content-type:'20'content-transfer-encoding:content-transfer-encoding;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=
Canonicalized Body:
DNS record(s):
default._domainkey.js86.de. 300 IN TXT "v=DKIM1; t=s; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7J4xXPHI+jxOBi/NogZKdgetgyXFVErUMII8KAEthNFpQWtotbk1h8EjVzMTGroDDfjG5OuZdj3f438f3msZyCWCpgVnAyAkg0jbnohCUmO3YorehHaC0KljQ2R5yDJZyGfqtnKO+f5DI73B4fyzIbckYP82WWB0fUzkxTI0djI2pXC1N/0qYYAv7NnDUEjvBtKmfNnuF8PCcJ+0wMlZhwtDRDsKmMyauSF2wPK6hk2tlGDF7VrBvrMez91p5j4IIglYMLRBqrE0GCZ2hrzs6TzeO378/xr+j5+XIbEcZlbYMFFYje1T00IgKj/PFay9q8q+1dzN7l/rhT9BDDEaBec+TSlhcfyatpVO9Gzymgugaz275aTDycnhpuLEDcj4cbB7VVaovjp/Xjc2ziTicqxRofgLxFk3kLIngnMnzYvm/03xDjiqpYHxRHqk/ayUkE0Tqy+w+WLZcTT4VLVRlQcuYLBe579xY+8/iSWB/WbvZ7cYmco50ocjHh50xh0Lh6SYawzYWsnQYeXvsaVhlmrpYuBasXL256tqgCThIP1tiJJMf/YDjh14RdO5kEjqo++L/cnEGD0C87R7CU2kMapihVN+zBPdj0gqlfLKOkbTbcPIqOwcBiEb8m/HEv+K+Cn86EJq6LROlzZzAQBch3Zo609Grov/aLlLMMwoFhkCAwEAAQ=="
Public key used for verification: default._domainkey.js86.de (4096 bits)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
[edit]
I was just about to submit the post when I came across this: could it be due to a key that is too long? Back then I apparently chose 4096 bits, which is allowed according to the RFC from 2018, but before that only up to 2048 was required. Maybe old systems cannot validate that properly?
A bit of searching brings to light that, because of their size, the keys no longer fit into a UDP packet and therefore TCP must be used, which not everyone does.
Has anyone else had such problems? Otherwise I will probably try it out with new, shorter keys.
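
Added example, not part of the original post: a Python estimate of the DNS response size for the DKIM TXT record at default._domainkey.js86.de for different RSA key lengths, compared against the classic 512-byte limit for UDP answers without EDNS0. The placeholder modulus, the function names and the assumption of a single TXT answer with a compressed owner name are constructed for illustration.

```python
import base64

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def der_uint(value):
    # The extra leading byte keeps the INTEGER positive when the top bit is set.
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def dummy_spki(bits):
    """SubjectPublicKeyInfo with a constructed placeholder modulus (not a real key)."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der_uint(n) + der_uint(65537))
    return der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_pub))

def txt_rdata(text):
    """TXT RDATA: the text split into character-strings of at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def response_size(qname, text):
    """Minimum size of a DNS response carrying exactly one TXT answer."""
    qname_len = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    header, question = 12, qname_len + 4   # QNAME + QTYPE + QCLASS
    answer_fixed = 2 + 2 + 2 + 4 + 2       # name pointer, type, class, TTL, RDLENGTH
    return header + question + answer_fixed + len(txt_rdata(text))

def check(bits, qname="default._domainkey.js86.de", limit=512):
    """Return (response size, fits within the UDP limit) for an RSA key length."""
    p = base64.b64encode(dummy_spki(bits)).decode()
    size = response_size(qname, "v=DKIM1; t=s; p=" + p)
    return size, size <= limit

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        size, fits = check(bits)
        print(f"{bits}-bit key: {size} bytes, fits in 512-byte UDP answer: {fits}")
```

A resolver that does not advertise a larger EDNS0 buffer receives a truncated answer for the 4096-bit record and has to retry over TCP.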