best way to get at DKIM fail info / selector?

best way to get at DKIM fail info / selector?

Postby EKjellquist » Thu Nov 21, 2024 4:20 pm

Pretty new to DMARC / DKIM, but one thing I'm running into is assisting mail senders with helping correct their DNS issues relative to antispam controls. We normally get a few SPF failures for senders here and there (particularly new customers), that are easy enough to whitelist as they have a consistently good domain / no issues with malware / spoofing. If a SPF rejection occurs I can grab the domain's TXT record and usually find syntax or RFC violations for them to fix it.

With DKIM however, I need to know which selector they used when signing their email; if a failure occurs, the SMTP log just records that failure but no details; I'm wondering if either of the two possibilities below make sense:

(1) include a separate DKIM log where incoming / outgoing could be checked (as with other log options), and be able to record the public DKIM record specified by (for SMTP) the incoming email and (for outgoing mail) the one used by AMS to sign sent mail.

(2) just include the selector used upon DKIM check (regardless of success / failure) in SMTP logs, so the record on a fail / permerror could be something like

Wed, 20 Nov 2024 17:24:59 -> 40.107.92.116 -> Failed: Action=[DKIM], Details=[Result=FAIL, Selector=<selector>]

There are a couple of sites that do archive past DKIM records, but so far they've largely been unhelpful - I don't necessarily want to quarantine rather than reject DKIM fails/permerrors as bad mails would be expected to have this behavior also, but for 'legit' senders I need the selector value to be able to look up their record, and I don't have the header without turning on debugging for the entire SMTP log, which is...well a bit much for what i ultimately need ;) not sure if the info is available in ####DKIMRESULTDETAIL####?

Being able to, say, log the header for any DKIM fails / permerrors in a separate log file with the full header would be perfect, not sure if that can be easily done with the custom events SPAM-DKIM-FAIL and SPAM-SPF-PERMERROR?
EKjellquist
 
Posts: 99
Joined: Tue Sep 09, 2014 10:40 pm

Re: best way to get at DKIM fail info / selector?

Postby Code Crafters » Fri Nov 22, 2024 9:18 am

It seems the best solution here is to make sure we log the selector and domain used for DKIM signing and verification (if available) for SMTP and Outgoing Mail logs. Then you can check selector._domainkey.domain to make sure it's not just a DNS setup issue. Note the domain doesn't have to match the SMTP From domain although it usually does. I've put this on our feature request list to go into the next update.

The ####DKIMRESULTDETAIL#### gives the reason for the fail but doesn't include the selector. or domain. If you reject the email, this will be part of the reject message. If you don't reject, you can use SPAM flag and/or custom events and include this tag via content filtering but it's recommended to reject for DKIM / SPF failures at the SMTP rather than deliver and filter later, unless you expect any false positives that you want to monitor and improve on.

Invalid DNS setup is only one reason for a fail though. Here are a list of the possible values for field tags:

####DKIMRESULT####

NONE
TEMPERROR
PERMERROR
PASS

and the ####DKIMRESULTDETAIL#### for more specific details for each of these

NONE
- Invalid email format
- No DKIM-Signature header

TEMPERROR
- No DNS servers found

PERMERROR
- Invalid DKIM-Signature header
- Invalid DKIM-Signature header tags
- No DNS records found
- Invalid DNS records found
- Invalid body hash
- Invalid signature

PASS
- DNS Test Mode
- Valid Signature

See the following for more information on setting up DKIM records:

https://www.codecrafters.com/AbilityMailServer/Support/TutorialDomainAndDNS#dkim-records
https://www.codecrafters.com/AbilityMailServer/Support/TutorialSPAM#domainkeys-identified-mail
https://www.codecrafters.com/AbilityMailServer/Support/OutgoingMail#dkim
Code Crafters
 
Posts: 949
Joined: Mon Sep 10, 2007 2:35 pm

Re: best way to get at DKIM fail info / selector?

Postby Code Crafters » Wed Nov 27, 2024 9:07 am

Looking at the code, adding the selector to Outgoing Mail logs for signing is simple; the domain is already logged on success and it's easy to log both for success and failure. However, for verification (SMTP and POP3 retrievals), there can be multiple DKIM-Signature header lines. When there are, we process all and take the best result. In this case, we'd have to add some code to make sure we log the selector and domain for the header line that yielded the most successful DKIM result. I've added this to our feature request list to hopefully go into the next update.
Code Crafters
 
Posts: 949
Joined: Mon Sep 10, 2007 2:35 pm

Re: best way to get at DKIM fail info / selector?

Postby EKjellquist » Fri Dec 06, 2024 7:36 pm

Yeah, particularly if ####DKIMRESULTDETAIL#### for permerrors gives which of those 6 conditions caused it, putting in which of them it was in the SMTP log would likely be all i'd need, along with the selector. I COULD send myself a notification email for these to grab results, but then i'd get them for a LOT of known spams as well :( Mostly it would help in assisting legit senders fix whatever the specific condition was, and narrowing it down would be a big help. A lot of these tend to be MSP / hosted mail solutions where the actual users have 0 control over configurations and/or don't know much about email mechanics, and pointing them in the right direction quickly is something i tend to do fairly frequently with SPF issues for their domain already.
EKjellquist
 
Posts: 99
Joined: Tue Sep 09, 2014 10:40 pm

Re: best way to get at DKIM fail info / selector?

Postby Code Crafters » Mon Dec 09, 2024 9:00 am

You can use content filtering to log these failures to a custom log already. You can also use this to email an account and place the email automatically in a different folder so they're not too intrusive.

However, we've already added the DKIM detail to the SMTP / POP3 retrieval logs for the next update as that's very easy to do.

We'll try to add the selector and domain too. Because there are multiple DKIM-Signature records, we use the most successful of these so we'll need to add more code to log the right selector and domain for the result that's used too.
Code Crafters
 
Posts: 949
Joined: Mon Sep 10, 2007 2:35 pm

Re: best way to get at DKIM fail info / selector?

Postby Code Crafters » Fri Dec 13, 2024 10:46 am

We've released Ability Mail Server 6.0.2 which adds new tags for DKIM selector and domain as well as logging DKIM result, detail, selector and domain as you requested.

While testing these new DKIM changes, we found a major DKIM bug which meant that FAIL responses weren't being handled, therefore treating them like a PASS so make sure you get this update ASAP.

Please see https://www.codecrafters.com/AbilityMailServer/Support/UpdateHistory for full details of this update.
Code Crafters
 
Posts: 949
Joined: Mon Sep 10, 2007 2:35 pm


Return to General

Who is online

Users browsing this forum: No registered users and 1 guest

cron