Score:0

why is this DMARC failing verification?


I get a 6.1/10 score on mail-tester.com, where the DMARC verification is the only relevant penalty (-3).

* Your DKIM signature is valid

* Your message failed the DMARC verification
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.mail.example.com:

"v=DMARC1;p=reject;rua=mailto:[email protected]"
Verification details:

mail-tester.com; dmarc=fail header.from=mail.example.com
mail-tester.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com [email protected] header.b=MVNy47/y; dkim-atps=neutral
From Domain: mail.example.com
DKIM Domain: mail.example.com

The email is sent via a paid Mailjet account via SMTP relay.

This is my DNS config and mailjet reports DKIM and SPF as "ok":

@                        IN TXT "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.      IN TXT "v=DMARC1;p=none;sp=none;pct=50;adkim=r;aspf=r;"
_dmarc.mail              IN TXT "v=DMARC1;p=reject;rua=mailto:[email protected]"
default2103._domainkey   IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBTlvBdpQXS3+g6rPM4fd" "O5EFHrt6EDRS6HMAzf4yYVsp9JwC145ftSzmw/qwdeW3c+JlwvqAipM2qf//A4HG/tpxV9ASX7Qa" "Yew6QlngiXB+T/ih37NrgUE0B2sUpijQ0n5mVd3sAstOQNPhyg5JeWOiJLLJS7xWbu/zwJ+WMB8h" "Phl5ZLrtfscsB56EawBJS/spGTKdOcq6aNm1yPUYvnWQsbWziuV9Y7NLb1yapauks1Yxug75HA12" "Zf7YTuaHPXuK+BSOSEzSUd5R/Fk7UZ1Ba1uX/OdcNKxZtaI0oYePHp9xzSMlWrj2RGbQP9WCKA0R" "HPHEKIwchsqXbIW6QIDAQAB" 
mail                     IN TXT "v=spf1 include:spf.mailjet.com -all"
mailjet._bf00f643.mail   IN TXT bf00f643e7c8377f55faab9307581acd
mailjet._domainkey.mail  IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs9LUxwgF8P0uV+ulltAAyITc3aRqgsAVlr2ZygTnuYJQ10gSPU2M7NAKJTck3P10F8F49t2BnBYsKzUo4AHlZ7V5kafYu3c9Gd50TfcMyqbGB1CL+ITfRxxh3opTTMZAvcCv/EpH9+dG1iw1a1ahZHTC2TvfF6k0thbIWjWIgQwIDAQAB"
@                   3600 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 1 ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.

I replaced the actual domain with example.com. The main domain is used by google workspaces but mail.example.com is used for transactional emails. I am trying to send via mail.example.com.

This is the email:

Received: by mail-tester.com (Postfix, from userid 500)
    id 4C207A988D; Tue, 27 Jul 2021 16:51:48 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level: 
X-Spam-Status: No/0.9/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=0.1,SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001,URIBL_BLOCKED=0.001
X-Spam-Last-External-IP: xx.xxx.xxx.xxx
X-Spam-Last-External-HELO: o123.p8.mailjet.com
X-Spam-Last-External-rDNS: o123.p8.mailjet.com
X-Spam-Date-of-Scan: Tue, 27 Jul 2021 16:51:48 +0200
X-Spam-Report: 
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    *      blocked.  See
    *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: mjt.lu]
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
    *      mail domains are different
    *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
    *  0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    *      tag
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xx.xxx.xxx.xxx; helo=o123.p8.mailjet.com; [email protected]; [email protected] 
DMARC-Filter: OpenDMARC Filter v1.3.1 mail-tester.com 9F060A988C
Authentication-Results: mail-tester.com; dmarc=fail header.from=mail.example.com
Authentication-Results: mail-tester.com;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com [email protected] header.b=MVNy47/y;
    dkim-atps=neutral
Received: from o123.p8.mailjet.com (o123.p8.mailjet.com [xx.xxx.xxx.xxx])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail-tester.com (Postfix) with ESMTPS id 9F060A988C
    for <[email protected]>; Tue, 27 Jul 2021 16:51:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=mail.example.com; [email protected]; s=mailjet;
  h=message-id:mime-version:from:reply-to:to:subject:date:list-unsubscribe-post:
  list-unsubscribe:feedback-id:x-csa-complaints:x-mj-mid:x-mj-smtpguid:
  x-report-abuse-to:content-type:content-transfer-encoding;
  bh=TIkRui7Va59h4geTtPXAKHua6pDPeJyum82T2lGo2Ww=;
  b=MVNy47/y6hs1gHGz8eiJlWuG18UsJ/Fhxa5vf7K5tDJt1jSfpePjd2YCb
 N1jbcfPt57l77VjSd8+vcwC2g5+yWyBHfkTuF8F7fGA9Vgn740zOLpMVjxlx
 PX71Bkay8jB4kG7Shtpus9XU+/a9WN5E9ygqWReclkE7X3uNqd78pQ=
Message-Id: <[email protected]>
MIME-Version: 1.0
From: Example <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: Example Registrierung
Date: Tue, 27 Jul 2021 14:51:38 +0000
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe:
    <mailto:xxxxx.mailjet.com>,
    <https://xxxxxxxxxxxxxxxxx>
Feedback-Id: 42.1636236.1611053:MJ
X-CSA-Complaints: [email protected]
X-MJ-Mid:
    xxxxxxx
X-MJ-SMTPGUID: 4c0f08ce-7ed4-457b-9f60-fdf493ab9e3e
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to
    [email protected] with a copy of the message
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I don't understand why the verification is failing and what I can do about it. Other tools, such as dmarcanalyzer, say the configuration is fine.


EDIT

When sending a mail to a Gmail account, it goes to spam. Showing the "original message" in Gmail, however, reports "pass" for SPF, DKIM and DMARC:

[Screenshot: Gmail reports "pass" for SPF, DKIM and DMARC]

anx
see also: [Is it wrong to leave out the “v=DKIM1;” on a DKIM record?](https://serverfault.com/questions/892685/is-it-wrong-to-leave-out-the-v-dkim1-on-a-dkim-record)
Something doesn’t add up here. mail-tester.com and SpamAssassin say the DKIM signature is valid, but the `Authentication-Results` header in the message shows ‘signature verification failed’ for DKIM. Which is it? Since you are sending via an intermediary, you *must* make sure your DKIM signature is tiptop. We cannot check that for you.
Stuck
@glts could you elaborate how I can make this? We send via Mailjet and the provided DKIM signature was added to the DNS exactly as provided by Mailjet as shown in the question. The mail is sent, so authentication with Mailjet should not be a problem. I don't understand the question "which is it?" - what exactly do you refer to?
@Stuck I was referring to the different results, is the signature now valid or is it invalid? Typically, when you set up DKIM correctly, all mail testing services will give the same answer, DKIM ‘passes’, the signature ‘is valid’. This is not the case here. You must make sure that you have a working DKIM key pair (public key in DNS, private key at mail sender) and that signatures are generated properly. If mailjet produces invalid signatures you will need to talk to them.
I would also recommend trying various other email testing services. If the failure happens only with mail-tester.com, it might be a problem on their end after all.
Stuck
@glts thanks for the follow-up. Other services report that the setup is ok. However, mail is going to spam and we cannot find any problem other than this one :-/ I will check in with Mailjet support.
Stuck
Also, I added the Gmail report of a mail that goes to spam - it shows that DKIM, SPF and DMARC all pass. So maybe mail-tester is just wrong?
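Why two receivers can disagree on the same message, as an added example that is not part of the original thread: DMARC passes only when SPF or DKIM passes for a domain aligned with the `From:` header domain, so a receiver whose DKIM check fails has nothing aligned left if SPF only covers the relay's envelope domain. The envelope-sender domain is redacted in the question, so `bounces.esp.example` is a constructed placeholder, as is the `rua` address, and the two-label organizational-domain rule is a simplification of the Public Suffix List lookup.

```python
# Added illustration of DMARC identifier alignment (RFC 7489); not from the thread.

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real evaluators use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                          # strict: exact match required
        return a == f
    return org_domain(a) == org_domain(f)    # relaxed, the default

def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate(record, header_from, spf_result, mail_from, dkim_results):
    """dkim_results: list of (result, d= domain) pairs as the receiver saw them."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, header_from, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    passed = spf_ok or dkim_ok               # one aligned pass is enough
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            # policy the domain owner requests for this message (pct is ignored here)
            "policy": "none" if passed else tags.get("p", "none")}

# Record from the question; the rua address is a constructed placeholder.
RECORD = "v=DMARC1;p=reject;rua=mailto:dmarc-reports@mail.example.com"
FROM = "mail.example.com"
ENVELOPE = "bounces.esp.example"             # constructed placeholder

# Receiver A: SPF pass (unaligned), DKIM verification failed, as at mail-tester.com.
receiver_a = evaluate(RECORD, FROM, "pass", ENVELOPE, [("fail", FROM)])
# Receiver B: same message, DKIM verified successfully, as Gmail reported.
receiver_b = evaluate(RECORD, FROM, "pass", ENVELOPE, [("pass", FROM)])

if __name__ == "__main__":
    print("A:", receiver_a)
    print("B:", receiver_b)
```

With `p=reject` on `_dmarc.mail`, the only thing carrying DMARC for this setup is the aligned DKIM signature, so any receiver that cannot verify it will report `dmarc=fail` even though SPF passes.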
Score:3

The reason is this: `(1024-bit key; unprotected)`. You simply need to replace your DKIM key with a 2048-bit one, and you should be good to go.

Hope that helps ^_^

Stuck
Mailjet support answered that they do not support 2048-bit DKIM :-( But is it correct that this is a minor issue for now - even though mail-tester gives it a -3?
Mine says `(2048-bit key; unprotected)`. Does that mean we now need 4096 bit keys?! Or is that from the other side?
As far as I know, 2048 bit keys are still secure, so your issue must be something else. I'd need more information to be able to give advice.
Stuck
We finally switched the provider and the new provider does support 2048 and the issue is solved. After getting in touch with the Mailjet support again, they maybe provide 2048 DKIM for enterprise accounts only. There is a user vote issue for general availability but it is several years old already without progress: https://feedback.mailjet.com/forums/931474-feature-requests/suggestions/41854546-2048-bits-dkim-public-key
Does anybody know what's the difference between `(1024-bit key; unprotected)` and `(1024-bit key; insecure key)` when DKIM fails?
It's not DNSSEC signed.