DKIM signature rejected

Jan Eden tech at eden.one
Fri Feb 21 14:27:26 UTC 2025


Hi Matthias,

On 2025-02-21 13:28, Matthias Apitz wrote:

> On Thursday, February 20, 2025 at 08:40:46 a.m. -0800, googly.negotiator862 at aceecat.org wrote:
> 
> > > I've got a reject of an email to a public PostgreSQL mailing list
> > > due to an issue with my DKIM signature. Attached below. I've sent a
> > > test email to my company mailbox to see my resulting DKIM
> > > signature. It's:
> > 
> > > What could be wrong with this and how do I fix this? mutt is sending
> > > the mail to the SMTP server of my provider 1blu, i.e.  I have in
> > > ~/.muttrc:
> > 
> > Just read the reply carefully:
> > 
> > > This email has a DKIM signature on the List- headers of the email,
> > > indicating that it is not allowed to pass this email on through a
> > > mailinglist.
> > 
> > The DKIM signature header you quote shows that you're signing over the
> > List-* headers. You -- or your SMTP server -- should not do that.
> > 
> > If you can't change that, you could try a public remailer of some sort.
> > 
> > Btw, I had exactly this problem with the postgresql-general mailing
> > list too. But I run my own mail server, so the fix was easy.
> 
> I have access to the DNS configuration at the server of my ISP for the
> zone 'unixarea.de'. See attached screen. Some years ago I've added there
> this because I couldn't send mails anymore to gmail:
> 
> $ host -t txt unixarea.de
> unixarea.de descriptive text "v=spf1 ip4:178.254.4.101 a:unixarea.de -all"
> 
> I see there something DKIM related, which was not inserted by me and
> must be relatively new. The line says:
> 
> v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEiF06k04ltYm1C53caXqEu+6wlR9MetdGnjUUX4P+tlkRYEU8t+xYMuTknhZ+96C2V1Eol8iU81YxxW3pogXHuSITZuYiwFoZ2LvmiCJvswUDGgCqQJhqHA1K7+M4AE15bV/mwCqwQRI/UGhEvRtdens+F+lYhf7IEsELI2W7/pr5AovtP3NQWgMI/4eLNDJtQOvTBGESexiWqsUweAYUrW80xchEUlWE2pvhLwF61DP3YcIhbfHMIxw/KkFw4QIk2/r50y8bM70aQIY6EhcoFnh1FquG3P4TRs/W1E5d+wZtuPpRzOtHJKq9ayTDNO7J5GRAis9J+NmSucJFomYQIDAQAB
> 
> but there is nothing List-* related or is this encrypted in the p=....
> value? Any mail I do send has this DKIM-signature which is added by my
> ISP 1blu as the s=blu3434000 shows:

The DNS entry contains the public key to verify your DKIM signatures,
but the signature is applied by the mailserver (using the DKIM private
key). I am not sure how 1blu handles this and whether you can ask them
to change the signing configuration with respect to the included
headers.

> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
>         ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
>         Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
>         Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
>         :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
>         List-Subscribe:List-Post:List-Owner:List-Archive;
>         bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=evptchc8isl0uD+RpFR+iPUP1z
>         Fsx3N3+Hy1JPLQlNuGuHzKZA460Lgd/X+ZZQfp/LQVvcVVWfvMPXOOoNz9ANhTJPCfhAtfu0zit2a
>         Xozgq0bH66Ig2PNNayGDoz+BOocDLTqT87Ue9O+OOYp5VXrV2r3xFdwPMI5rmSklhECwQiMMgpfb2
>         Hnp1yOfjq5W9JdHjYCbMPFWCR+4BCyfPzUCKRJDN/txoUMTHr73Ip0S95QAhw1cT++2zGHeIv9Sdv
>         3G+bZxy/UpIRg0WMmD6P+04gNjxGBWlOu8YukSX/g3k1sYiBpnbKnh5NdWI/ZPpS5S+WQAqbzteWS
>         dhKhQmVw==;
> 
> Should I just delete this TXT entry in the DNS config?

No, without the DNS entry, the signature cannot be verified.

- Jan
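
Added example, not part of the original message or of any poster's setup: a small Python check that parses a DKIM-Signature value and reports which List-* headers its h= tag covers, which is what the list's rejection notice complained about (a header named in h= but absent at signing time makes the signature fail once a list adds it). The function names are hypothetical; the sample is the header quoted in the thread with bh= and b= replaced by placeholders.

```python
import re

# DKIM-Signature value as quoted in the thread; bh= and b= are placeholders
# because only the h= tag matters for this check.
SAMPLE = """v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
        ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
        Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
        Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
        List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=PLACEHOLDER; b=PLACEHOLDER;"""


def parse_dkim_tags(value):
    """Unfold a DKIM-Signature header value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty segment after the final ';'
        name, _, val = part.partition("=")  # values such as bh= may contain '='
        tags[name.strip()] = val.strip()
    return tags


def signed_headers(tags):
    """Return the header names listed in h=, with folding whitespace removed."""
    names = (re.sub(r"\s+", "", h) for h in tags.get("h", "").split(":"))
    return [n for n in names if n]


def list_headers_signed(value):
    """Return the List-* header names that the signature covers."""
    names = signed_headers(parse_dkim_tags(value))
    return [n for n in names if n.lower().startswith("list-")]


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE)
    print("domain:", tags["d"], "selector:", tags["s"])
    for name in list_headers_signed(SAMPLE):
        print("signed list header:", name)
```

Running it against the DKIM-Signature header of a test message shows whether the signing server still lists List-* headers after a configuration change.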

