[GLLUG] British Gas DKIM failure?

Marco van Beek mvanbeek at supporting-role.co.uk
Fri Jan 12 16:20:34 UTC 2024


So first of all, as far as I can see, British Gas's DMARC policy is set 
to "reject".

BUT, the email is actually coming from MailJet, from the limited info 
below. I think what you need to check if you can, is what the name of 
the DKIM signature they are using actually is, and maybe that will give 
you some more info. I also can't see any reference to MailJet in their 
SPF, but my guess is that they are using MailJet in the envelope and 
then British Gas in the header.

And no, what MX toolbox can do in terms of DKIM is limited. It can look 
up the key, but that is about it. The DKIM tester I use require you to 
send them a test email, which you can't do.

So yes, there is a DKIM key for mailjet in their DNS, but no idea if 
they are using it correctly.

I suggest grepping your logs for "2F7612233E" as that should pull up all 
the the info related to that email from the point Postfix accepts the 
connection until it closes, and see if that tells you some more.



On 12/01/2024 15:48, Henrik Morsing via GLLUG wrote:
> Good afternoon,
> Not dircetly Linux, sorry, but British Gas has spent the last year 
> sending me letters saying they can't email me. When I look into it, 
> their emails are rejected based on a bad DKIM signature.
> The problem is, not receiving the email, how can I find out what the 
> problem is? mxtoolbox says their setup is fine, but that surely can't 
> check the signature inside one of their emails.
> What is slightly odd is that DMARC policy is set to none, so shouldn't 
> reject anything anyway.
> I can't say I'm a DKIM/DMARC expert, but this is what I see:
> Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet 
> d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa 
> routines:int_rsa_verify:bad signature
> Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk 
> fail
> Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: 
> milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[]: 
> 5.7.1 rejected by DMARC policy for britishgas.co.uk; 
> from=<296f63a1.CAAABPhWdncAAAAAAAAAAKg7aSYAAYCqUv4AAAAAABBDggBlhYBF at a1065858.bnc3.mailjet.com> 
> to=<morsing at morsing.cc> proto=ESMTP helo=<o94.p12.mailjet.com>
> Not sure where to go from here though. Smells like their problem to 
> me, but I don't want to tell them that without proof. Any hints?
> Regards,
> Henrik Morsing

More information about the GLLUG mailing list