Failed DKIM without selector
Hi,

I use dual DKIM signing with RSA and ED25519 keys (the selectors are named
with "r" and "e" at the start respectively, to distinguish them).

Recently I enabled receiving DMARC reports and I see from Google (I
didn't get any from others yet) that the RSA signatures pass and the
ED25519 DKIM signatures fail:

<auth_results>
<dkim>
<domain>mydomain.tld</domain>
<result>pass</result>
<selector>r2021</selector>
</dkim>
<dkim>
<domain>mydomain.tld</domain>
<result>fail</result>
<selector>e2021</selector>
</dkim>
</auth_results>

I guess that Google doesn't support ED25519 signatures yet, but that
is not a problem; I have verified with some other provider that it works.

The problem is that some reports show a fail with an empty selector:

<auth_results>
<dkim>
<domain>mydomain.tld</domain>
<result>pass</result>
<selector>r2021</selector>
</dkim>
<dkim>
<domain>mydomain.tld</domain>
<result>fail</result>
<selector></selector>
</dkim>
</auth_results>

As there is no selector, I can only guess that it is the ED25519 one
(because the RSA one passes).

I have set up DKIM (Debian based):

DKIM_DOMAIN = ${domain:$h_from:}
DKIM_SELECTOR = ${lookup{$dkim_domain} lsearch{DKIMDBFILE}}
DKIM_PRIVATE_KEY = ${lookup {$dkim_selector.$dkim_domain.key} \
search{CONFDIR/dkim}{CONFDIR/dkim/$value}}

In DKIMDBFILE I have mapped selectors based on domain, e.g.:

mydomain.tld: r2021:e2021

My question is, please, how can I log the outgoing DKIM-Signature header(s)
to be sure that I am not sending an empty selector? As it is not all
messages, I do not know which ones fail with an empty selector (if any),
thus I want to log them all (for some time).

regards

--
Slavko
http://slavino.sk
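
An added example, not part of the original post: a Python sketch that scans a DMARC aggregate report for DKIM results with an empty selector and, using a selector map in the DKIMDBFILE layout shown above, lists which configured selectors the reporter did not name in that record. The function names and the sample report are constructed for illustration, and the "unreported selector" result is only a hint about which signature the empty entry might belong to.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two auth_results blocks from the post, wrapped in
# the <feedback>/<record> elements of an aggregate report so the XML parses.
SAMPLE_REPORT = """<feedback>
<record><auth_results>
<dkim><domain>mydomain.tld</domain><result>pass</result><selector>r2021</selector></dkim>
<dkim><domain>mydomain.tld</domain><result>fail</result><selector>e2021</selector></dkim>
</auth_results></record>
<record><auth_results>
<dkim><domain>mydomain.tld</domain><result>pass</result><selector>r2021</selector></dkim>
<dkim><domain>mydomain.tld</domain><result>fail</result><selector></selector></dkim>
</auth_results></record>
</feedback>"""

# Same "domain: sel1:sel2" layout as the DKIMDBFILE line in the post.
SAMPLE_DKIMDB = "mydomain.tld: r2021:e2021\n"


def parse_dkimdb(text):
    """Map each domain to the set of selectors configured for it."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, selectors = line.partition(":")
        table[domain.strip()] = {s for s in selectors.strip().split(":") if s}
    return table


def empty_selector_findings(report_xml, dkimdb_text):
    """List (record_index, domain, result, unreported_selectors) per empty selector."""
    configured = parse_dkimdb(dkimdb_text)
    findings = []
    for idx, record in enumerate(ET.fromstring(report_xml).iter("record")):
        entries = [
            (d.findtext("domain", "").strip(), d.findtext("result", "").strip(),
             (d.findtext("selector") or "").strip())
            for d in record.iter("dkim")
        ]
        for domain, result, selector in entries:
            if selector:
                continue
            seen = {s for dom, _, s in entries if dom == domain and s}
            # Configured selectors the reporter did not name in this record.
            missing = sorted(configured.get(domain, set()) - seen)
            findings.append((idx, domain, result, missing))
    return findings
```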