22 Dec
2014
22 Dec
'14
5:18 p.m.
Authentication-Results: itmustbe.luv.asn.au; dkim=fail
reason="verification failed; insecure key"
header.d=coker.com.au header.i=(a)coker.com.au header.b=rEa8/tpR;
dkim-adsp=discard (insecure policy); dkim-atps=neutral
The above is from the headers of one of the messages I sent to the list. The
"insecure key" part refers to the fact that I'm not using DNSSEC. I am now
working on installing DNSSEC (which might take some time if my registrar
doesn't support it).
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
22 Dec
22 Dec
6:40 p.m.
On Mon, 22 Dec 2014 05:18:45 PM Russell Coker wrote:
The above is from the headers of one of the messages I
sent to the
list. The "insecure key" part refers to the fact that I'm not using
DNSSEC.
I'm not sure that's right, I'm not using DNSSEC either and my emails to the
list do not get those headers attached.
I thought DKIM was orthogonal to DNSSEC.
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
7:13 p.m.
On Mon, 22 Dec 2014, Chris Samuel <chris(a)csamuel.org> wrote:
On Mon, 22 Dec 2014 05:18:45 PM Russell Coker wrote:
Which messages are you referring to? The message I'm replying to has no DKIM
headers.
The above is from the headers of one of the
messages I sent to the
list. The "insecure key" part refers to the fact that I'm not using
DNSSEC.
I'm not sure that's right, I'm not using DNSSEC either and my emails to the
list do not get those headers attached. I thought DKIM was orthogonal to DNSSEC.
Not really. If you can fake someone's DNS then you can fake a DKIM record to
allow forged signatures or fake the absence of DMARC etc records to allow
unsigned mail through.
Anyway it's apparently only certain versions of OpenDKIM that give the error
in question.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
7:36 p.m.
On Mon, 22 Dec 2014 07:13:57 PM Russell Coker wrote:
OK, to me that's orthogonal. They don't rely on them to function but help you
have confidence in the results.
Which messages are you referring to? The message
I'm replying to has no
DKIM headers.
The ones in your email that I replied to (and in the header of the email I'm
replying to now). :-)
I thought DKIM
was orthogonal to DNSSEC.
Not really. If you can fake someone's DNS then you can fake a DKIM record
to allow forged signatures or fake the absence of DMARC etc records to
allow unsigned mail through. Anyway it's apparently only certain versions of
OpenDKIM that give the error
in question.
OK, good luck fixing it!
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
3021
days inactive
3021
days old
3 comments
2 participants
participants (2)
-
Chris Samuel -
Russell Coker