anil.aliyan wrote:
> Hi,
>
> I have dns entries as given below:
>
> _domainkey.gnvfc.net. IN TXT "t=y; o=-"
> dkim1 IN TXT "k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0KkrMRWFDOYr41TzzIDAzXVumAXtAXw4XthJPLZ\
> 22YwZhh2jtu1V7jnvrywT2aMhh03UdxrGlipI2waX2m1JyTxp5sy07Bgm4AvYZXtm90Jq74b6V7jZqF0\
> 4ur9IoaN9HEUdaFeY5HeYgab53phMOvwX5UH8Z6qgj3rC7hWtQPwIDAQAB"
>
The above line defines a record at dkim1.gnvfc.net. You want it to be at
dkim1._domainkey.gnvfc.net. So change the "dkim1" above to
"dkim1._domainkey".
(Edit- it looks like you already did.)
> private._domainkey IN TXT "k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6k/a2RHmIq7mOYG0PAWaR+OWtVT9Ll9Hp73YNmb\
> Hwpt6qN6NGFv3tiYqn1usHWKZoFJ2xpQtk6EP8d9cmPMBm6soWEFJMw1zOXMLtTSUyalDdpnACCR4Opi\
> fcNI5CY
>
I hope that's not your private key. You don't want to publish that.
Better generate a new key pair.
Jason
Hi,
I have dns entries as given below:
_domainkey.gnvfc.net. IN TXT "t=y; o=-"
dkim1 IN TXT "k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0KkrMRWFDOYr41TzzIDAzXVumAXtAXw4XthJPLZ\
22YwZhh2jtu1V7jnvrywT2aMhh03UdxrGlipI2waX2m1JyTxp5sy07Bgm4AvYZXtm90Jq74b6V7jZqF0\
4ur9IoaN9HEUdaFeY5HeYgab53phMOvwX5UH8Z6qgj3rC7hWtQPwIDAQAB"
private._domainkey IN TXT "k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6k/a2RHmIq7mOYG0PAWaR+OWtVT9Ll9Hp73YNmb\
Hwpt6qN6NGFv3tiYqn1usHWKZoFJ2xpQtk6EP8d9cmPMBm6soWEFJMw1zOXMLtTSUyalDdpnACCR4Opi\
fcNI5CY
You mean to say that I should have another entry along with the above
entries?
dkim1._domainkey.gnvfc.net IN TXT "t=y; o=-"
Regards,
Anil Aliyan
--- In dkim-testers@yahoogroups.com, Jason Long <jason@...> wrote:
>
> anil.aliyan wrote:
> > DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
> > :from:to:subject:date:mime-version:content-type; q=dns; s=dkim1;
> > bh=8tc36s3h86gTbMyGpeUQsJ/ASnU=; b=y/B62EhX/FUZzkT4Neay7fh0cwUB
> > P4jfhZC3VwY78wWn6M86aSE+80eJjoRgig/EaWZPyGZRlT5mWzdQNKjczupkcIcq
> > hwGMChLQUMwZkP8U/Drgse+6xTod8jzyd4R7HCf6kaDQCdxneBcjzxcS7iKLhbu7
> > Mfqyq2yfR5Vuv8c=
> >
>
>
> That's your DKIM signature. It has
>
> s=dkim1
> d=gnvfc.net
>
> Therefore, there should be a DNS (TXT) record at
> dkim1._domainkey.gnvfc.net
>
> There is not.
> That is why the verifier says "no key".
>
>
> So you need to either put a record at that location in DNS, or generate
> a signature with different values for s= and/or d=.
>
>
> Hope that helps.
> Jason
>
anil.aliyan wrote:
> DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
> :from:to:subject:date:mime-version:content-type; q=dns; s=dkim1;
> bh=8tc36s3h86gTbMyGpeUQsJ/ASnU=; b=y/B62EhX/FUZzkT4Neay7fh0cwUB
> P4jfhZC3VwY78wWn6M86aSE+80eJjoRgig/EaWZPyGZRlT5mWzdQNKjczupkcIcq
> hwGMChLQUMwZkP8U/Drgse+6xTod8jzyd4R7HCf6kaDQCdxneBcjzxcS7iKLhbu7
> Mfqyq2yfR5Vuv8c=
>
That's your DKIM signature. It has
s=dkim1
d=gnvfc.net
Therefore, there should be a DNS (TXT) record at
dkim1._domainkey.gnvfc.net
There is not.
That is why the verifier says "no key".
So you need to either put a record at that location in DNS, or generate
a signature with different values for s= and/or d=.
Hope that helps.
Jason
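The key lookup described in the reply above, as an added example that is not part of the original thread: it derives the DNS name a verifier queries from the s= and d= tags and compares it with the owner names of the posted zone entries once they are expanded against the zone origin. The origin `gnvfc.net.`, the function names and the placeholder key and b= values are assumptions made for the example.

```python
import re

# DKIM-Signature value from the thread; the b= value is replaced by a placeholder.
SIGNATURE = (
    "v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id\r\n"
    "\t:from:to:subject:date:mime-version:content-type; q=dns; s=dkim1;\r\n"
    "\tbh=8tc36s3h86gTbMyGpeUQsJ/ASnU=; b=PLACEHOLDER"
)

# Owner names as posted in the thread; the key data is replaced by a placeholder.
ZONE_AS_POSTED = [
    ("_domainkey.gnvfc.net.", "TXT", "t=y; o=-"),
    ("dkim1", "TXT", "k=rsa; p=PLACEHOLDER"),
    ("private._domainkey", "TXT", "k=rsa; p=PLACEHOLDER"),
]
# The same zone with the owner name changed as the reply suggests.
ZONE_CORRECTED = [
    ("_domainkey.gnvfc.net.", "TXT", "t=y; o=-"),
    ("dkim1._domainkey", "TXT", "k=rsa; p=PLACEHOLDER"),
    ("private._domainkey", "TXT", "k=rsa; p=PLACEHOLDER"),
]
ORIGIN = "gnvfc.net."  # assumed $ORIGIN of the zone file


def parse_tag_list(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Folding whitespace is removed; that is safe for the tags used here.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """Name queried for the public key: <selector>._domainkey.<domain>."""
    missing = [t for t in ("s", "d") if not tags.get(t)]
    if missing:
        raise ValueError(f"signature lacks required tag(s): {missing}")
    return f"{tags['s']}._domainkey.{tags['d']}.".lower()


def absolute_owner(owner, origin):
    """Expand a zone-file owner name: relative names get the origin appended."""
    if owner == "@":
        return origin.lower()
    if owner.endswith("."):
        return owner.lower()
    return f"{owner}.{origin}".lower()


def check_selector(sig_value, zone, origin):
    """Report whether a TXT record exists where the verifier will look."""
    tags = parse_tag_list(sig_value)
    qname = key_query_name(tags)
    owners = {absolute_owner(o, origin) for o, rtype, _ in zone if rtype == "TXT"}
    selector = tags["s"].lower()
    # TXT records whose first label is the selector but that sit elsewhere.
    misplaced = sorted(n for n in owners
                       if n != qname and n.split(".")[0] == selector)
    status = "key found" if qname in owners else "no key"
    return {"query": qname, "status": status, "misplaced": misplaced}


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("corrected", ZONE_CORRECTED)):
        print(label, check_selector(SIGNATURE, zone, ORIGIN))
```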
(NONE) should
point to server.gnvfc.net (reverse DNS), and define server (or any other name
you will select) as host in your dns records and ask your ISP to add those
records to their dns server.
Received:
from unknown (HELO ANIL) (postmaster@...@203.77.193.110)
by mail.gnvfc.net with ESMTPA; 4 Nov 2009 10:34:41 -0000
Unknown should be your domain name as well.
Try the steps and let me know.
Fatih
From: dkim-testers@yahoogroups.com [mailto:dkim-testers@yahoogroups.com] On Behalf Of anil.aliyan
Sent: Thursday, November 05, 2009 11:36 AM
To: dkim-testers@yahoogroups.com
Subject: [dkim-testers] Re: DKIM problem
Yes, I have defined the selector in qmail.
Actually I am using qmailtoaster provided by qmailtoaster.org and I am using the
DKIM package provided by them. I can send you the configuration file if you would
like to see it. The DKIM setup is using perl-Mail-DKIM and the qmailtoaster package
contains two files, namely the qmail-remote wrapper, which actually signs the mail
and contains all the DKIM related configs and then forwards the mail to the
original qmail-remote-orig to deliver the mail to the remote system. The other file
is an XML file which contains the DKIM parameters. The qmail-remote wrapper
config section where the selector is defined is pasted below:
<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha256" domain="/var/qmail/control/me"
          keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
  <!-- use dkim for example.com -->
  <gnvfc.net selector="dkim1">
    <types id="dkim" />
  </gnvfc.net>
</dkimsign>
=cut
my $configfile = undef;
$configfile = '/var/qmail/control/dkim/signconf.xml';
my $debugfile = undef;
#$debugfile = '/tmp/dkim.debug';
my $qremote = '/var/qmail/bin/qmail-remote.orig';
my $binary = 0;
our $config;
$config->{'global'} = {
    types     => { dkim => {} },
    keyfile   => '/var/qmail/control/dkim/global.key',
    algorithm => 'rsa-sha256',
    method    => 'simple',
    selector  => 'dkim1',
    # either string or file (first line of file will be used)
    domain    => '/var/qmail/control/me'
};
Second Config file signconf.xml needs to be placed in the
/var/qmail/control/dkim directory where private key is placed for signing.
Contents as below;
<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me"
          keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
  <gnvfc.net selector="dkim1">
    <types id="dkim" />
  </gnvfc.net>
</dkimsign>
Also, if you can find out from the mail headers pasted below:
Authentication-Results: mta160.mail.in.yahoo.com from=nprocure.com;
domainkeys=pass (ok); from=gnvfc.net; dkim=permerror (no key)
Received: from 203.77.193.20 (EHLO gnvfc.net) (203.77.193.20) by
mta160.mail.in.yahoo.com with SMTP; Wed, 04 Nov 2009 16:13:28 +0530
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
:from:to:subject:date:mime-version:content-type; q=dns; s=dkim1;
bh=8tc36s3h86gTbMyGpeUQsJ/ASnU=; b=y/B62EhX/FUZzkT4Neay7fh0cwUB
P4jfhZC3VwY78wWn6M86aSE+80eJjoRgig/EaWZPyGZRlT5mWzdQNKjczupkcIcq
hwGMChLQUMwZkP8U/Drgse+6xTod8jzyd4R7HCf6kaDQCdxneBcjzxcS7iKLhbu7
Mfqyq2yfR5Vuv8c=
Received: (qmail 13438 invoked by uid 89); 4 Nov 2009 10:34:41 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=nprocure.com;
b=Wn1nnhVEolFVdJ1pZlySFVzw/LM49BP74qm2fugTS8eTInbHrVukj/6vagry1/Ep;
Received: by simscan 1.4.0 ppid: 13431, pid: 13434, t: 0.0646s scanners:
attach: 1.4.0 clamav: 0.95.2/m:51/d:9986
Received: from unknown (HELO ANIL) (postmaster@...@203.77.193.110) by
mail.gnvfc.net with ESMTPA; 4 Nov 2009 10:34:41 -0000
Message-ID: <6432F6257969416F961F6998943898D9@...>
From: This sender is DomainKeys verified "NPROCURE" <postmaster@...>
Add sender to Contacts
To: "Anil" <anil.aliyan@...>
Regards,
Anil Aliyan
--- In dkim-testers@yahoogroups.com, "Fatih Piristine" <fatih.piristine@...>
wrote:
>
> Did you define selector in qmail for the domain?
>
>
>
> Fatih
>
>
>
> From: dkim-testers@yahoogroups.com [mailto:dkim-testers@yahoogroups.com] On
> Behalf Of anil.aliyan
> Sent: Wednesday, November 04, 2009 8:32 AM
> To: dkim-testers@yahoogroups.com
> Subject: [dkim-testers] DKIM problem
>
>
>
>
>
> Hi, I am new here and I am looking for a solution for my DKIM related
> problem. I have a qmail server running and I have configured DKIM to sign all
> outgoing mails. Also have entered public key in the dns records and when I
> verify the selector from
>
> http://domainkeys.sourceforge.net/policycheck.html and
> http://domainkeys.sourceforge.net/selectorcheck.html
>
> it passes the test. But the problem is that when I send mail on yahoo or
> google and check mails on yahoo or google mailbox it always says
>
> Authentication-Results: mta175.mail.in.yahoo.com from=gnvfc.net;
> domainkeys=pass (ok); from=gnvfc.net; dkim=permerror (no key)
>
> While at the same time domainkeys are working perfectly and getting verified
> but DKIM doesn't.
>
> Please somebody help in resolving this issue.
>
> Thanks & Regards
>
> Anil Aliyan
>
From: dkim-testers@yahoogroups.com [mailto:dkim-testers@yahoogroups.com] On Behalf Of anil.aliyan
Sent: Wednesday, November 04, 2009 8:32 AM
To: dkim-testers@yahoogroups.com
Subject: [dkim-testers] DKIM problem
Hi, I am new here and I am looking for a solution for my DKIM related problem.
I have a qmail server running and I have configured DKIM to sign all outgoing
mails. Also have entered public key in the dns records and when I verify the
selector from
http://domainkeys.sourceforge.net/policycheck.html and
http://domainkeys.sourceforge.net/selectorcheck.html
it passes the test. But the problem is that when I send mail on yahoo or google
and check mails on yahoo or google mailbox it always says
Authentication-Results: mta175.mail.in.yahoo.com from=gnvfc.net;
domainkeys=pass (ok); from=gnvfc.net; dkim=permerror (no key)
While at the same time domainkeys are working perfectly and getting verified but
DKIM doesn't.
Please somebody help in resolving this issue.
Thanks & Regards
Anil Aliyan
Jesse Thompson wrote:
> Jim Fenton wrote:
>>> So, I did some testing with the auto-responders listed in the
>>> "Interoperability Testing" section of
> >>> http://dkimproxy.sourceforge.net/
>>>
>>> It appears that Yahoo's signatures fail for some of the
>>> autoresponders, and succeed for others. Also, it appears the
>>> subsequent tests to the same auto-responder yields inverse results.
>>
>> What do you mean by "inverse results"? It sounds like the test isn't
>> repeatable to the same autoresponder, and in fact the initial successes
>> are now failures, and vice versa?
>
> I sent 6 messages from my Yahoo account to
> test@.... 3 came back pass and 3 came back fail.
>
> dkim-test@...: fail
> dktest@...: pass
> dktest@...: pass
> sa-test@...: doesn't appear to be replying
It's also worth noting that the Authentication-Results header added by
Gmail, for a message sent from my Yahoo account to my Gmail account,
said this:
dkim=neutral (body hash did not verify)
Jesse
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson@...
Jim Fenton wrote:
>> So, I did some testing with the auto-responders listed in the
>> "Interoperability Testing" section of http://dkimproxy.sourceforge.net/
>>
>> It appears that Yahoo's signatures fail for some of the
>> autoresponders, and succeed for others. Also, it appears the
>> subsequent tests to the same auto-responder yields inverse results.
>
> What do you mean by "inverse results"? It sounds like the test isn't
> repeatable to the same autoresponder, and in fact the initial successes
> are now failures, and vice versa?
I sent 6 messages from my Yahoo account to
test@.... 3 came back pass and 3 came back fail.
dkim-test@...: fail
dktest@...: pass
dktest@...: pass
sa-test@...: doesn't appear to be replying
Jesse
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson@...
Jesse Thompson wrote:
> I notice that all signatures from Yahoo and Facebook are failing, and
> mostly succeeding for other domains, including Gmail and Paypal. Not
> that I care that much about validating email from Yahoo, but I wanted
> to know if the problem was on my end, or their end. Surely Yahoo is
> correctly signing their mail!?
We're seeing valid signatures from Yahoo! and Facebook (actually
facebookmail.com).
>
> So, I did some testing with the auto-responders listed in the
> "Interoperability Testing" section of http://dkimproxy.sourceforge.net/
>
> It appears that Yahoo's signatures fail for some of the
> autoresponders, and succeed for others. Also, it appears the
> subsequent tests to the same auto-responder yields inverse results.
What do you mean by "inverse results"? It sounds like the test isn't
repeatable to the same autoresponder, and in fact the initial successes
are now failures, and vice versa?
-Jim
I notice that all signatures from Yahoo and Facebook are failing, and
mostly succeeding for other domains, including Gmail and Paypal. Not
that I care that much about validating email from Yahoo, but I wanted to
know if the problem was on my end, or their end. Surely Yahoo is
correctly signing their mail!?
So, I did some testing with the auto-responders listed in the
"Interoperability Testing" section of http://dkimproxy.sourceforge.net/
It appears that Yahoo's signatures fail for some of the autoresponders,
and succeed for others. Also, it appears the subsequent tests to the
same auto-responder yields inverse results.
Jesse
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson@...
Jim Fenton wrote:
> Yes, I updated http://testing.dkim.org/reflector.html at the time I turned
> off the reflector.
Jim,
Yeah, I missed that. Sorry.
I think my confusion came from the top of:
<http://testing.dkim.org/>
having:
> Alert: The reflector "dkim-test@..." is currently at rfc 4871.
> The authres implementation and SSP/ASP implementations are pretty far behind.
> We will be updating this soon. The message corpus still needs to be updated
> -- Thank you
which seemed like it must still be running.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Yes, I updated http://testing.dkim.org/reflector.html at the time I
turned off the reflector. I'm going to poll a couple of the other
reflector operators to see how they deal with abuse, and if I can find
a reasonable solution, will try to bring it back.
Jim Fenton wrote:
>
>
> I have had to shut down the mail reflector dkim-test@testing.dkim.org
> due to abuse. I got a report earlier today that it was reporting that
> it was out of disk space, and sure enough, someone seems to have gotten
> it to chase its tail by spoofing a message to itself from itself. We
> have had some other interesting attempts as well, such as a request the
> other day to subscribe the reflector address to this mailing list (which
> would have been interesting).
>
> We seem to have some implementation problems parsing some email
> addresses as well.
>
> There are several other good reflectors around; I'd be interested in
> knowing whether they meet the needs of the community or whether I should
> resurrect this one.
>
> -Jim
>
>
bummer.
will you be updating <http://testing.dkim.org/> to indicate that the reflector
is now disabled?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
--- In dkim-testers@yahoogroups.com, Jim Fenton <fenton@...> wrote:
>
> I have had to shut down the mail reflector dkim-test@...
> due to abuse. I got a report earlier today that it was reporting that
> it was out of disk space, and sure enough, someone seems to have gotten
> it to chase its tail by spoofing a message to itself from itself. We
> have had some other interesting attempts as well, such as a request the
> other day to subscribe the reflector address to this mailing list (which
> would have been interesting).
>
> We seem to have some implementation problems parsing some email
> addresses as well.
>
> There are several other good reflectors around; I'd be interested in
> knowing whether they meet the needs of the community or whether I should
> resurrect this one.
>
> -Jim
>
Hey Jim,
Sorry to hear about your reflector shutting down! It was a great
service and it's sad that a few bad apples have to spoil it for everyone.
Thanks for running it while you did though! Definitely helped me with
my own dkim implementation, and many others I'm sure.
Cheers.
- James.
I have had to shut down the mail reflector dkim-test@...
due to abuse. I got a report earlier today that it was reporting that
it was out of disk space, and sure enough, someone seems to have gotten
it to chase its tail by spoofing a message to itself from itself. We
have had some other interesting attempts as well, such as a request the
other day to subscribe the reflector address to this mailing list (which
would have been interesting).
We seem to have some implementation problems parsing some email
addresses as well.
There are several other good reflectors around; I'd be interested in
knowing whether they meet the needs of the community or whether I should
resurrect this one.
-Jim
BTW, for anyone reading this, the release version of dkim-filter requires
that a key be already generated for your system. If not, dkim-filter
fails. There's an updated version of dkim-filter in the
"proposed" repository, and that fixes this problem.
See:
Good luck!
At 02:37 PM 7/17/2008, Matt Murphy wrote:
Barry,
The dkim-filter package does this, you can type:
dkim-filter -t /path/to/mail.txt
On debian the package name is dkim-filter.
On Thu, Jul 17, 2008 at 7:24 AM, Barry Demchak <vendors@...> wrote:
> Hi, all --
>
> I am starting to work with DKIM headers, and I would like to decode some
> existing DKIM headers (e.g., from gmail).
>
> Can anyone point me to a standalone (or integrated) utility that
> accepts a DKIM header and decodes it? I have already experimented
> with the checker at auth-results@.... I'm looking for
> a command line utility or web page that does the same thing.
>
> Do you know of such a utility??
>
> Thanks!
>
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> : Barry Demchak :
> : UC San Diego :
> : Computer Science Department :
> : https://sosa.ucsd.edu/people/bdemchak/ :
> : (858) 452-8700 :
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
Hi, all --
I am starting to work with DKIM headers, and I would like to decode some
existing DKIM headers (e.g., from gmail).
Can anyone point me to a standalone (or integrated) utility that
accepts a DKIM header and decodes it? I have already experimented
with the checker at auth-results@.... I'm looking for
a command line utility or web page that does the same thing.
Do you know of such a utility??
Thanks!
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
: Barry Demchak :
: UC San Diego :
: Computer Science Department :
: https://sosa.ucsd.edu/people/bdemchak/ :
: (858) 452-8700 :
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hello,
I'm testing my dkim signing implementation and the following body
causes my test to fail -- the perl dkim-filter package says that
messages generated with this body are not signed properly, yet it
seems incredibly simple:
the body is:
"hi\r\n\r\n \r\n"
By my calculations, the canonicalized body (relaxed) should be:
"hi\r\n"
So b/c the perl package says the mail is invalid -- but finds mails
generated with other bodies valid, I think I might be canonicalizing it
incorrectly. Any input/advice, etc., would be much appreciated.
Thanks for your email. I am a bit unclear between the content of b= and bh=.
Suppose I have the following code fragment (I think it will give me the part
contents of b=). In the following fragment, what would be the best way to get
the contents of bh.
I'll comment on a few things that jumped out to me...
You might also be interested in the dkim-dev list, which (theoretically) is
more oriented toward developing DKIM-aware programs.
Jason
>>>> "rajvkau" <rajvkau@yahoo.com> 4/3/08 9:50 AM >>>
>----------------------------------------------------------
>MY INTERPRETATION
>Take the message body:
>1. Canonicalized using the body canonicalization algorithm specified
>in the "c=" tag
>2. Take the complete body (default value of "l-" tag)
>3. Signer Hashes the canonicalized message body
>4. Hash value is converted to Base64 form and inserted into signers
>(???)
>----------------------------------------------------------
inserted into the signature, yep.
>
>----------------------------------------------------------
>MY INTERPRETATION
>Say by default we are signing the following header:
>canonicalization (Date: xxx) <CRLF>
>canonicalization (From: xxx) <CRLF>
>canonicalization (To:xxxx) <CRLF>
>canonicalization (Subject:xxxx) <CRLF>
>----------------------------------------------------------
right, in the order specified by the h= tag of the signature.
Well, the bh= tag should have a value when you are canonicalizing the
signature header. Only the b= tag is made blank for the purpose of
canonicalization.
>----------------------------------------------------------
>I am not sure here specs are talking about DKIM-Signature field or
>Header fields in general.
>
>From Step 2: It looks like
>canonicalization (Date: xxx) <CRLF>
>canonicalization (From: xxx) <CRLF>
>canonicalization (To: xxx) <CRLF>
>canonicalization (Subject: xxx) <CRLF>
>canonicalization (DKIM-Signature: xxx)
>
>But the following phrase seems to be contradictory.
>
> **** rather than with the rest of the header fields *****
>
That phrase makes more sense when you remember that DKIM used to use a
single hash for the entire message. So back then, it would be: canonicalize
the header fields (except the DKIM-Signature header), followed by the
message body, then finally the DKIM-Signature header.
>******************************************************************
>PSEUDO Algorithm
>
>What I am planning to do:
>
>1. Create a Signature Object [signature = Signature.getInstance
>("SHA256withRSA");]
>2. inputStreamBody = Canonicalized (body}
>3. signature.update (input StreamBody)
>4. inputStreamHeader = Canonicalized (date: xxx<CRLF>,from
>xxx<CRLF>,to xxx<CRLF>, subject: xxx<CRLF>, dkim-signature}
>5. signature.update (inputStreamHeader)
>6. byte[] decoded = signature.sign();
>7. Base64EncodedString = myBASE64Encoder(decoded);
>8. DKIM-Signature: v=1; a=rsa-sha256; d=infor.com; s=rajtest;
>c=simple/simple; i=@*.infor.com; t=; x=; q=dns/txt;
>h=Date:From:To:Subject; z=; bh=; b= Base64EncodedString)
>
>
>I am just wondering if my pseudo algorithm follows the specs or
>there could be a better implementation.
Before canonicalizing your dkim-signature, you need to compute the body hash
and insert its base64 value into the bh= tag of the signature.
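Added example, not code from the thread: the body canonicalization asked about in the "hi\r\n\r\n \r\n" message, together with the ordering given in the reply above (the body hash goes into bh= first, then the header hash input is the signed headers followed by the DKIM-Signature field with only b= empty). It follows the RFC 6376 wording of the algorithms, uses relaxed header canonicalization, and stops at the bytes that would be handed to the RSA signer; the sample message, domain and selector are constructed.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """'simple': ignore empty lines at the end of the body, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': collapse WSP runs, drop WSP at line ends, then drop trailing
    empty lines. A line holding only spaces therefore becomes an empty line."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body: the value of the bh= tag."""
    fn = {"relaxed": canon_body_relaxed, "simple": canon_body_simple}[canon]
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode("ascii")


def canon_header_relaxed(name: str, value: str) -> str:
    """'relaxed' header: lowercase name, unfold, collapse WSP, trim the value."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def header_hash_input(headers, body, domain, selector, h_tag, bh=None):
    """Bytes the RSA signature is computed over; its base64 form becomes b=.

    Assumes one instance of each header named in h=. Passing bh="" reproduces
    the mistake of canonicalizing the signature field before bh= is filled in.
    """
    if bh is None:
        bh = body_hash(body)
    sig_value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; "
                 f"s={selector}; h={h_tag}; bh={bh}; b=")
    parts = [canon_header_relaxed(n, headers[n.lower()]) for n in h_tag.split(":")]
    # The DKIM-Signature field comes last, b= empty, without a trailing CRLF.
    parts.append(canon_header_relaxed("DKIM-Signature", sig_value)[:-2])
    return bh, "".join(parts).encode("ascii")


# Constructed sample message.
HEADERS = {
    "date": " Thu, 3 Apr 2008 09:50:00 -0700",
    "from": " Example  Sender <sender@example.com>",
    "to": " list@example.org",
    "subject": " canonicalization\r\n\t test  ",
}
BODY = b"hi\r\n\r\n \r\n"

if __name__ == "__main__":
    print("relaxed body:", canon_body_relaxed(BODY))
    print("simple body: ", canon_body_simple(BODY))
    bh, data = header_hash_input(HEADERS, BODY, "example.com", "sel1",
                                 "Date:From:To:Subject")
    print("bh =", bh)
    print(data.decode("ascii"))
```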
I'll comment on a few things that jumped out to me...
You might also be interested in the dkim-dev list, which (theoretically) is
more oriented toward developing DKIM-aware programs.
Jason
>>>> "rajvkau" <rajvkau@...> 4/3/08 9:50 AM >>>
>------------------------------------------------------------------
>MY INTERPRETATION
>Take the message body:
>1. Canonicalized using the body canonicalization algorithm specified
>in the "c=" tag
>2. Take the complete body (default value of "l-" tag)
>3. Signer Hashes the canonicalized message body
>4. Hash value is converted to Base64 form and inserted into signers
>(???)
>-------------------------------------------------------------------
inserted into the signature, yep.
>
>------------------------------------------------------------------
>MY INTERPRETATION
>Say by default we are signing the following header:
>canonicalization (Date: xxx) <CRLF>
>canonicalization (From: xxx) <CRLF>
>canonicalization (To:xxxx) <CRLF>
>canonicalization (Subject:xxxx) <CRLF>
>------------------------------------------------------------------
right, in the order specified by the h= tag of the signature.
>-------------------------------------------------------------------
>MY INTERPRETATION
>Canonicalization (DKIM-Signature: v=1; a=rsa-sha256; d=infor.com;
>s=rajtest; c=simple/simple; i=@*.infor.com; t=; x=; q=dns/txt;
>h=Date:From:To:Subject; z=; bh=; b=)
>-------------------------------------------------------------------
Well, the bh= tag should have a value when you are canonicalizing the
signature header. Only the b= tag is made blank for the purpose of
canonicalization.
>-------------------------------------------------------------------
>I am not sure here specs are talking about DKIM-Signature field or
>Header fields in general.
>
>From Step 2: It looks like
>canonicalization (Date: xxx) <CRLF>
>canonicalization (From: xxx) <CRLF>
>canonicalization (To: xxx) <CRLF>
>canonicalization (Subject: xxx) <CRLF>
>canonicalization (DKIM-Signature: xxx)
>
>But the following phrase seems to be contradictory.
>
> **** rather than with the rest of the header fields *****
>
That phrase makes more sense when you remember that DKIM used to use a
single hash for the entire message. So back then, it would be: canonicalize
the header fields (except the DKIM-Signature header), followed by the
message body, then finally the DKIM-Signature header.
>******************************************************************
>PSEUDO Algorithm
>
>What I am planning to do:
>
>1. Create a Signature Object [signature = Signature.getInstance
>("SHA256withRSA");]
>2. inputStreamBody = Canonicalized (body}
>3. signature.update (input StreamBody)
>4. inputStreamHeader = Canonicalized (date: xxx<CRLF>,from
>xxx<CRLF>,to xxx<CRLF>, subject: xxx<CRLF>, dkim-signature}
>5. signature.update (inputStreamHeader)
>6. byte[] decoded = signature.sign();
>7. Base64EncodedString = myBASE64Encoder(decoded);
>8. DKIM-Signature: v=1; a=rsa-sha256; d=infor.com; s=rajtest;
>c=simple/simple; i=@*.infor.com; t=; x=; q=dns/txt;
>h=Date:From:To:Subject; z=; bh=; b= Base64EncodedString)
>
>
>I am just wondering if my pseudo algorithm follows the specs or
>there could be a better implementation.
Before canonicalizing your dkim-signature, you need to compute the body
hash and insert its base64 value into the bh= tag of the signature.
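The order described in the reply above (body hash into bh= first, then sign the h= header fields followed by the DKIM-Signature field with b= empty), written out with the Java Signature API that the question uses. This is an added example, not code from the thread; it covers simple/simple canonicalization only, and the message, the d=example.com domain, the s=sel selector and the in-memory key are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class DkimSignExample {
    // "simple" body canonicalization: drop empty lines at the end of the body and
    // finish with exactly one CRLF (an empty body becomes a single CRLF).
    static byte[] simpleBody(String body) {
        String b = body;
        while (b.endsWith("\r\n\r\n")) b = b.substring(0, b.length() - 2);
        if (!b.endsWith("\r\n")) b += "\r\n";
        return b.getBytes(StandardCharsets.US_ASCII);
    }

    // Hash step 2 input: the signed header fields in h= order, each terminated by
    // CRLF, then the DKIM-Signature field with b= empty and NO trailing CRLF.
    static byte[] headerInput(String[] signedFields, String sigField) {
        StringBuilder sb = new StringBuilder();
        for (String f : signedFields) sb.append(f).append("\r\n");
        return sb.append(sigField).toString().getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: raw header fields exactly as sent, listed in h= order.
        String[] fields = { "Date: Thu, 3 Apr 2008 09:50:00 -0400",
            "From: sender@example.com", "To: rcpt@example.net", "Subject: test" };
        String body = "Hello\r\n\r\n\r\n";
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key for the example

        // Hash step 1: the body is hashed on its own and only its digest enters bh=.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(simpleBody(body));
        String bh = Base64.getEncoder().encodeToString(digest);
        // Kept unfolded; with c=simple the field must be hashed byte-for-byte as sent.
        String unsigned = "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; "
            + "d=example.com; s=sel; q=dns/txt; h=Date:From:To:Subject; bh=" + bh + "; b=";

        // Hash step 2 and signing: the body bytes are never fed to the Signature object.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(headerInput(fields, unsigned));
        String b = Base64.getEncoder().encodeToString(signer.sign());
        System.out.println(unsigned + b);

        // Verifier side: same input rebuilt with the b= value removed.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(headerInput(fields, unsigned));
        System.out.println("verifies: " + verifier.verify(Base64.getDecoder().decode(b)));
    }
}
```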
RFC4871 – Section 3.7
The signer/verifier MUST compute two hashes, one over the body of
the message and one over the selected header fields of the message.
Signers MUST compute them in the order shown. Verifiers MAY compute
them in any order convenient to the verifier, provided that the
result is semantically identical to the semantics that would be the
case had they been computed in this order.
In hash step 1, the signer/verifier MUST hash the message body,
canonicalized using the body canonicalization algorithm specified in
the "c=" tag and then truncated to the length specified in the "l="
tag. That hash value is then converted to base64 form and inserted
into (signers) or compared to (verifiers) the "bh=" tag of the DKIM-
Signature header field.
------------------------------------------------------------------
MY INTERPRETATION
Take the message body:
1. Canonicalized using the body canonicalization algorithm specified
in the "c=" tag
2. Take the complete body (default value of "l-" tag)
3. Signer Hashes the canonicalized message body
4. Hash value is converted to Base64 form and inserted into signers
(???)
-------------------------------------------------------------------
In hash step 2, the signer/verifier MUST pass the following to the
hash algorithm in the indicated order.
1. The header fields specified by the "h=" tag, in the order
specified in that tag, and canonicalized using the header
canonicalization algorithm specified in the "c=" tag. Each header
field MUST be terminated with a single CRLF.
------------------------------------------------------------------
MY INTERPRETATION
Say by default we are signing the following header:
canonicalization (Date: xxx) <CRLF>
canonicalization (From: xxx) <CRLF>
canonicalization (To:xxxx) <CRLF>
canonicalization (Subject:xxxx) <CRLF>
------------------------------------------------------------------
2. The DKIM-Signature header field that exists (verifying) or
will be inserted (signing) in the message, with the value of
the "b=" tag deleted (i.e., treated as the empty string),
canonicalized using the header canonicalization algorithm specified
in the "c=" tag, and without a trailing CRLF.
-------------------------------------------------------------------
MY INTERPRETATION
Canonicalization (DKIM-Signature: v=1; a=rsa-sha256; d=infor.com;
s=rajtest; c=simple/simple; i=@*.infor.com; t=; x=; q=dns/txt;
h=Date:From:To:Subject; z=; bh=; b=)
-------------------------------------------------------------------
All tags and their values in the DKIM-Signature header field are
included in the cryptographic hash with the sole exception of the
value portion of the "b=" (signature) tag, which MUST be treated as
the null string. All tags MUST be included even if they might not
be understood by the verifier.
Include all tags in the DKIM-Signature header
Set the value of b to empty
The header field MUST be presented to the hash algorithm after the
body of the message rather than with the rest of the header fields
and MUST be canonicalized as specified in the "c="
(canonicalization) tag.
-------------------------------------------------------------------
I am not sure here specs are talking about DKIM-Signature field or
Header fields in general.
From Step 2: It looks like
canonicalization (Date: xxx) <CRLF>
canonicalization (From: xxx) <CRLF>
canonicalization (To: xxx) <CRLF>
canonicalization (Subject: xxx) <CRLF>
canonicalization (DKIM-Signature: xxx)
But the following phrase seems to be contradictory.
**** rather than with the rest of the header fields *****
------------------------------------------------------------------
The DKIM-Signature header field MUST NOT be included in its own h=
tag, although other DKIM-Signature header fields MAY be signed (see
Section 4).
******************************************************************
PSEUDO Algorithm
What I am planning to do:
1. Create a Signature Object [signature = Signature.getInstance
("SHA256withRSA");]
2. inputStreamBody = Canonicalized (body}
3. signature.update (input StreamBody)
4. inputStreamHeader = Canonicalized (date: xxx<CRLF>,from
xxx<CRLF>,to xxx<CRLF>, subject: xxx<CRLF>, dkim-signature}
5. signature.update (inputStreamHeader)
6. byte[] decoded = signature.sign();
7. Base64EncodedString = myBASE64Encoder(decoded);
8. DKIM-Signature: v=1; a=rsa-sha256; d=infor.com; s=rajtest;
c=simple/simple; i=@*.infor.com; t=; x=; q=dns/txt;
h=Date:From:To:Subject; z=; bh=; b= Base64EncodedString)
I am just wondering if my pseudo algorithm follows the specs or
there could be a better implementation.
Hello everybody. I'm new in this group :)
Yesterday I found a DKIM Proxy at
http://demo.a-sit.at/it_sicherheit/dkim_proxy/index.html
It works with Exchange 2007 (as a smtp proxy) or any other Windows
based Mailserver very well.
After some problems instead of a mistyped domain name it works fine and
the Testmail to the Reflector was successful.
Greets Patrick
Jim, I've sent you samples off-list. I've tried one other reflector and got the same results.
On Fri, Feb 29, 2008 at 12:11 AM, Jim Fenton <fenton@...> wrote:
--- In dkim-testers@yahoogroups.com, "Phil Wallisch"
<philwallisch@...> wrote:
>
> Hello. I have DKIM signing enabled on my Secure Computing Ironmail
> appliance. When sending test messages to the dkim.org reflector I get
> mixed results. When I send from my Mac/Entourage client the DKIM
> passes every time. When I send from my Windows/Outlook client the
> DKIM fails every time. The MUAs go through the same set of MTAs. Any
> advice?
>
I have a hunch this is a canonicalization problem. Have you tried
other reflectors? Can you try sending me a message directly, off-list?