[GLLUG] British Gas DKIM failure?

Carles Pina i Estany carles at pina.cat
Sun Jan 28 00:42:20 UTC 2024


On 27 Jan 2024 at 18:08:36, Henrik Morsing via GLLUG wrote:
> I'm now getting the same from the Land Registry:
> Jan 27 18:05:24 emil postfix/smtpd[734113]: DA88621F91: client=d218-4.smtp-out.eu-west-2.amazonses.com[]
> Jan 27 18:05:24 emil postfix/cleanup[734121]: DA88621F91: message-id=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000000 at eu-west-2.amazonses.com>
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: d218-4.smtp-out.eu-west-2.amazonses.com [] not internal
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: not authenticated
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: message has signatures from accounts.landregistry.gov.uk, amazonses.com
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: s=s7vtg5zfwt6jcj77lxzbi3rmck6i6vrp d=accounts.landregistry.gov.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: bad signature data

DKIM (signature from the server) for this email is not valid. Why? I
think (this is a copy-paste from a... ChatGPT conversation):

    Email Tampering: The email content might have been altered in transit, causing a mismatch between the content and the signature.
    Incorrect Signature: The sender's mail server might have incorrectly signed the email, possibly due to a misconfiguration.
    DKIM Record Issues: There could be issues with the DKIM public key record in the DNS. This might include errors in the DNS entry or propagation delays.
    Header Modification: Some intermediate mail servers might modify headers, which can invalidate the DKIM signature.

> Jan 27 18:05:25 emil opendmarc[1652567]: DA88621F91: accounts.landregistry.gov.uk fail
> Jan 27 18:05:25 emil postfix/cleanup[734121]: DA88621F91: milter-reject: END-OF-MESSAGE from d218-4.smtp-out.eu-west-2.amazonses.com[]: 5.7.1 rejected by DMARC policy for accounts.landregistry.gov.uk; from=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000000 at eu-west-2.amazonses.com> to=<morsing at morsing.cc> proto=ESMTP helo=<d218-4.smtp-out.eu-west-2.amazonses.com>

Their DMARC policy can be seen here:

It says that if DKIM fails it should be rejected (strict mode). Your
opendmarc does this.

> I wish there was a test I could do to check what is actually wrong...

I don't remember, do you control your own postfix mail setup?

Two ideas:
- Disable opendmarc, so an invalid DKIM would still be allowed. I think
that this is a setup that I have. SpamAssassin still gives good/bad
points I think based on DKIM_INVALID, etc. if you used something like

- Check opendmarc configuration. I don't have it handy but
(so, man 5 opendmarc) suggests "CopyFailuresTo" where, somehow, maybe
you could keep the failures somewhere? See them, then manually check the
DKIM signature? It also has FailureReportsBcc, maybe even IgnoreHosts
might be interesting?

I haven't used the opendmarc options. I'd be interested in knowing how
you get on.


> Regards,
> Henrik Morsing
> On Fri, Jan 12, 2024 at 03:48:17PM +0000, Henrik Morsing via GLLUG wrote:
> > 
> > Good afternoon,
> > 
> > Not directly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature.
> > 
> > The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails.
> > 
> > What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway.
> > 
> > I can't say I'm a DKIM/DMARC expert, but this is what I see:
> > 
> > Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
> > Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail
> > Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.CAAABPhWdncAAAAAAAAAAKg7aSYAAYCqUv4AAAAAABBDggBlhYBF at a1065858.bnc3.mailjet.com> to=<morsing at morsing.cc> proto=ESMTP helo=<o94.p12.mailjet.com>
> > 
> > Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints?
> > 
> > Regards,
> > Henrik Morsing
> > -- 
> > 
> > 
> > -- 
> > GLLUG mailing list
> > GLLUG at mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/gllug
Carles Pina i Estany
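
One offline check for the "what is actually wrong" question above, as an added example that is not part of the original post: recompute the body hash of a saved message and compare it with the bh= tag of each DKIM-Signature header. A mismatch means the body changed after signing; a match while the signature still fails to verify points at the signed headers or the published key instead. The sample message, example.org and sel1 are constructed placeholders, and the RSA signature in b= is not verified.

```python
import base64
import hashlib
import re
from email import message_from_bytes


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376, sections 3.4.3 and 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space and drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored in both modes
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()


def check_body_hashes(raw: bytes):
    """Return (d=, s=, body hash matches bh=) for every DKIM-Signature header."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    results = []
    for value in message_from_bytes(head + b"\n\n").get_all("DKIM-Signature", []):
        pairs = (tag.partition("=") for tag in str(value).split(";"))
        tags = {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs if k.strip()}
        algo = tags.get("a", "rsa-sha256").split("-")[-1]
        mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
        data = canon_body(body, mode)
        data = data[: int(tags["l"])] if "l" in tags else data  # l= limits signed octets
        digest = base64.b64encode(hashlib.new(algo, data).digest()).decode()
        results.append((tags.get("d"), tags.get("s"), digest == tags.get("bh")))
    return results


def sample(signed_body: bytes, delivered_body: bytes) -> bytes:
    """Constructed message: example.org and sel1 are placeholders, b= is not checked."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
           " s=sel1; h=from:subject; bh=%s;\r\n b=PLACEHOLDER\r\n" % body_hash(signed_body))
    return sig.encode() + b"From: a@example.org\r\nSubject: test\r\n\r\n" + delivered_body


if __name__ == "__main__":
    body = b"Your statement is ready.\r\n"
    print([check_body_hashes(sample(body, d)) for d in (body, body + b"-- \r\nfooter\r\n")])
```

To run it on real mail, pass the raw bytes of a message kept aside before rejection (for example via the opendmarc options mentioned above) to check_body_hashes().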