DKIM Verification

I realize that UTM seems to do nothing with DKIM results, but it does check the validity of every DKIM signature on every message.    Recently, I have begun analyzing my logs for DKIM verification success and failure.    The results are surprising -- I have much higher failure rates than expected.

These results are based on 768 unique domains, on signed messages,

received over a few adjacent days.  Messages that were blocked for any

reason are excluded from the analysis.

 

22  2.9% have DKIM signatures but fail verification 100%

15   2.0% have some DKIM verification failures

 

 7    0.9% have 100% rejection due to DNS record syntax errors

 1   0.1% have some rejections due to DNS record syntax errors

 

10  1.3% have 100% DKIM TXT lookup failures

  1 0.1% have some DKIM TXT lookup failures

---  ----

57  7.3%  have DKIM problems

Of course, there are three possibilities when a DKIM verification failure occurs:

- The message was modified in transit.
- The receiving system has a verification software error.
- The sending system has a signature creation software error.

The working assumption is that software errors will be rare.   In my data set, I see no reason to suspect problems caused by message modification, and I have three ways of checking
signatures on received mail.   So I suspect that the problems are caused by bugs in the sender's signature algorithm.   Because some of the problems are inconsistent, I suspect that the
problems are caused by data-sensitive bugs.

I also found evidence of a probable data-sensitive bug in one of my own mail servers' DKIM signature algorithm.   Unfortunately, I need to upgrade that vendor's software before I can get the vendor interested in debugging, and the
upgrade process will take a few weeks to complete.

This data raises questions about the integrity of the software libraries used for DKIM.   If they are unreliable at either end of the communication path, email filtering based on DKIM becomes unreliable.  (And I do hope to filter on DKIM verification results at some point in the future.)

I am attempting to contact a few senders to see if I can confirm a root cause.   In the interim, I am hoping that others will undertake similar research and report your results on this topic.

  • Emails from 207 domains seen by our UTM earlier this month.  200 domains had DKIM that "succeeded" and 6 "failed."  6 domains' emails' DKIMs were "invalid" for either lacking a DKIM record or having one with invalid syntax.  The failed emails all were "[verification failed - signature did not verify (headers probably modified in transit)]." One of the domains with DKIM failed emails is a client of mine that I'm currently working with on a small project.  Once I learn what their issue was, I'll post back here.

    In any case, this reminded me that there's no option to reject or quarantine emails that aren't successfully verified.  Please vote for and comment on Add options to reject or quarantine emails that fail or have invalid DKIM.

    Cheers - Bob