Pretty new to DMARC / DKIM, but one thing I'm running into is assisting mail senders with correcting their DNS issues relative to antispam controls. We normally get a few SPF failures for senders here and there (particularly new customers) that are easy enough to whitelist, as they have a consistently good domain / no issues with malware / spoofing. If an SPF rejection occurs I can grab the domain's TXT record and usually find syntax or RFC violations for them to fix.
With DKIM, however, I need to know which selector they used when signing their email; if a failure occurs, the SMTP log just records that failure but no details. I'm wondering if either of the two possibilities below makes sense:
(1) include a separate DKIM log where incoming / outgoing could be checked (as with other log options), and be able to record the public DKIM record specified by (for SMTP) the incoming email and (for outgoing mail) the one used by AMS to sign sent mail.
(2) just include the selector used upon DKIM check (regardless of success / failure) in SMTP logs, so the record on a fail / permerror could be something like
Wed, 20 Nov 2024 17:24:59 -> 40.107.92.116 -> Failed: Action=[DKIM], Details=[Result=FAIL, Selector=<selector>]
There are a couple of sites that do archive past DKIM records, but so far they've largely been unhelpful. I don't necessarily want to quarantine rather than reject DKIM fails/permerrors, as bad mails would be expected to have this behavior also, but for 'legit' senders I need the selector value to be able to look up their record, and I don't have the header without turning on debugging for the entire SMTP log, which is... well, a bit much for what I ultimately need. Not sure if the info is available in ####DKIMRESULTDETAIL####?
Being able to, say, log the header for any DKIM fails / permerrors in a separate log file with the full header would be perfect; not sure if that can be easily done with the custom events SPAM-DKIM-FAIL and SPAM-SPF-PERMERROR?
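As an added example (not from the original post and not code from the mail server being discussed), here is how the selector (`s=`) and signing domain (`d=`) are pulled out of a message's DKIM-Signature header(s), turned into the DNS name where the public key TXT record is published, and written into a log line of the shape proposed above. The sample message, its domains, selectors and signature values are constructed.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed sample message: two DKIM-Signature headers (a relay may add a second one),
# folded across lines as real headers are. Domains, selectors and hashes are made up.
SAMPLE_MESSAGE = """Received: from mail.example.net (40.107.92.116)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=selector1; h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo=;
 b=ZmFrZXNpZ25hdHVyZQ==
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.org; s=rly2024; h=from; bh=eA==; b=eA==
From: sender@example.net
To: recipient@example.com
Subject: test

body
"""

def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Folding whitespace is
    stripped from tag names and values; the first occurrence of a tag wins.
    Splitting on ';' is safe because base64 values contain '=' but never ';'."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        name = name.strip()
        if name and name not in tags:
            tags[name] = re.sub(r"\s+", "", val)
    return tags

def dkim_lookup_names(raw_message: str) -> list:
    """Return (domain, selector, dns_name) for every DKIM-Signature header present.
    dns_name is where the public key record lives: <selector>._domainkey.<domain>."""
    msg = message_from_string(raw_message, policy=default_policy)
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(str(sig))
        domain, selector = tags.get("d"), tags.get("s")
        if domain and selector:
            found.append((domain, selector, f"{selector}._domainkey.{domain}"))
    return found

def format_dkim_log_line(timestamp: str, peer_ip: str, result: str, raw_message: str) -> str:
    """Build a log line in the format proposed above, one Selector= entry per signature."""
    sels = ", ".join(f"Selector={s}, Domain={d}" for d, s, _ in dkim_lookup_names(raw_message))
    return f"{timestamp} -> {peer_ip} -> Failed: Action=[DKIM], Details=[Result={result}, {sels or 'Selector=<none>'}]"
```

Looking up the resulting name (e.g. `selector1._domainkey.example.net`) as a TXT record gives the sender's published key, which is the lookup the post says it cannot currently do from the log.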