We're sending email on behalf of other companies with the From: (company) and Sender: (us) set properly. We have DKIM (domainkeys) setup with opendkim for outgoing mail. We have the TXT record setup properly.
This setup works for all of our customers. Except one, and only (so far as we know) with yahoomail. Same setup for every outgoing email, every company, same everything. But just these emails just to yahoomail show a DK fail. All other emails for the other companies to any mail provider show a DK pass.
I checked that the customer domain doesn't have a conflicting DK setup, and they don't.
I'm really baffled. Makes no sense at all. Anyone have any ideas?
I am now just finishing 3 months of SPF experiences and 1-2 months of DKIM experiences (I'm still weak on DKIM). The stuff mostly works now, but I too have had one identifiable trouble maker, namely Gmail in my case.
I think we need a bit more info from you here. We need the "send from" domain name, the "to" domain name, and the relevant DNS zone file records of the "send from" domain name. (The "to" domain name is only needed in case Internet research has something to say about its DKIM verification efforts.)
As for (multiple) conflicting DKIM setups on one domain, that should hardly be possible as long as the "selectors" are unique.
Also note that, while DKIM usually only involves TXT records, one case I have (Fastmail) involves CNAME and TXT records.
We might ultimately need to see the received header as well.
Hartmut
On Wed 26 Oct 2022 at 23:14:54 -05:00, Trevor Cordes trevor@tecnopolis.ca wrote:
We're sending email on behalf of other companies with the From: (company) and Sender: (us) set properly. We have DKIM (domainkeys) setup with opendkim for outgoing mail. We have the TXT record setup properly.
This setup works for all of our customers. Except one, and only (so far as we know) with yahoomail. Same setup for every outgoing email, every company, same everything. But just these emails just to yahoomail show a DK fail. All other emails for the other companies to any mail provider show a DK pass.
I checked that the customer domain doesn't have a conflicting DK setup, and they don't.
I'm really baffled. Makes no sense at all. Anyone have any ideas? _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
One quick thought does come to mind. Any chance you're using 2048-bit DKIM and that Yahoo can only work with 1024-bit DKIM? I encountered that in one of my study cases, where the receiving mail system can't verify.2048-bit DKIM.
Hartmut
On Thu 27 Oct 2022 at 04:45:00 -05:00, Hartmut W Sager hwsager@marityme.net wrote:
I am now just finishing 3 months of SPF experiences and 1-2 months of DKIM experiences (I'm still weak on DKIM). The stuff mostly works now, but I too have had one identifiable trouble maker, namely Gmail in my case.
I think we need a bit more info from you here. We need the "send from" domain name, the "to" domain name, and the relevant DNS zone file records of the "send from" domain name. (The "to" domain name is only needed in case Internet research has something to say about its DKIM verification efforts.)
As for (multiple) conflicting DKIM setups on one domain, that should hardly be possible as long as the "selectors" are unique.
Also note that, while DKIM usually only involves TXT records, one case I have (Fastmail) involves CNAME and TXT records.
We might ultimately need to see the received header as well.
Hartmut
On Wed 26 Oct 2022 at 23:14:54 -05:00, Trevor Cordes trevor@tecnopolis.ca wrote:
We're sending email on behalf of other companies with the From: (company) and Sender: (us) set properly. We have DKIM (domainkeys) setup with opendkim for outgoing mail. We have the TXT record setup properly.
This setup works for all of our customers. Except one, and only (so far as we know) with yahoomail. Same setup for every outgoing email, every company, same everything. But just these emails just to yahoomail show a DK fail. All other emails for the other companies to any mail provider show a DK pass.
I checked that the customer domain doesn't have a conflicting DK setup, and they don't.
I'm really baffled. Makes no sense at all. Anyone have any ideas? _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
On 2022-10-27 05:34, Hartmut W Sager wrote:
One quick thought does come to mind. Any chance you're using 2048-bit DKIM and that Yahoo can only work with 1024-bit DKIM? I encountered that in one of my study cases, where the receiving mail system can't verify.2048-bit DKIM.
Or the other way around. A few ESPs have been randomly reject 1024-bit DKIM-signed messages, depending on the server where it lands on their end.
-Alberto
Yeah, good point (re "the other way around"). That would be one of those "you can't win either way" cases we often have in IT.
Hartmut
On Thu 27 Oct 2022 at 08:14:35 -05:00, Alberto Abrao alberto@abrao.net wrote:
On 2022-10-27 05:34, Hartmut W Sager wrote:
One quick thought does come to mind. Any chance you're using 2048-bit DKIM and that Yahoo can only work with 1024-bit DKIM? I encountered that in one of my study cases, where the receiving mail system can't verify.2048-bit DKIM.
Or the other way around. A few ESPs have been randomly reject 1024-bit DKIM-signed messages, depending on the server where it lands on their end.
-Alberto
On 2022-10-27 Hartmut W Sager wrote:
One quick thought does come to mind. Any chance you're using 2048-bit DKIM and that Yahoo can only work with 1024-bit DKIM? I encountered that in one of my study cases, where the receiving mail system can't verify.2048-bit DKIM.
I emailed you (Hartmut) the headers privately (can do for others who want to help).
Pretty sure I'm not using 2048-bit, just the default stuff, didn't use the --bits option (manpage says default is 1k).
On 2022-10-27 Theodore Baschak wrote:
I really wouldn't be surprised to find out this is a problem on the yahoo end. I see tons of complaints about mail delivery to them on both the NANOG and mailops list.
This very well could be. We confirmed the exact same mail send to gmail passes their dkim.
I just want to make sure I'm covering all the bases on our end to ensure optimal deliverability.
Thanks!
I really wouldn't be surprised to find out this is a problem on the yahoo end. I see tons of complaints about mail delivery to them on both the NANOG and mailops list.
Theo
-----Original Message----- From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes Sent: October 26, 2022 11:15 PM To: MUUG RndTbl roundtable@muug.ca Subject: [RndTbl] weird DKIM fail
We're sending email on behalf of other companies with the From: (company) and Sender: (us) set properly. We have DKIM (domainkeys) setup with opendkim for outgoing mail. We have the TXT record setup properly.
This setup works for all of our customers. Except one, and only (so far as we know) with yahoomail. Same setup for every outgoing email, every company, same everything. But just these emails just to yahoomail show a DK fail. All other emails for the other companies to any mail provider show a DK pass.
I checked that the customer domain doesn't have a conflicting DK setup, and they don't.
I'm really baffled. Makes no sense at all. Anyone have any ideas? _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
-
Alberto Abrao -
Hartmut W Sager -
Theodore Baschak -
Trevor Cordes