[dkim-ops] [Dkim-contact] When i switched to "g=bh", Gmail said (...)

Murray S. Kucherawy msk at sendmail.com
Tue Nov 4 17:14:24 PST 2008


Your signature header contained:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=izb.knu.ac.kr;
 	 h=message-id:date:from:mime-version:to:subject:content-type:
 	content-transfer-encoding; s=dj; bh=QiPZXJCZYs3YqbS59DQ6rAk23YbX
 	xD8YurNQDfizz78=; b=pGMXFSrqz4ad4yCTUGKdb0XtDefczz+bvyIFSTF9T7gT
 	SBXUjM/In6JXbJMLMAxDBotxWrhHP8XxTihOfcwRuxdZJhQ4TnPzKrE8qY8KKNEK
 	ojn7LMpnn4dtcwjbT4KWh12IWLCnKppgUulSgqeWwzyGtCnMxS3aPYGBlPJ7IqU=

Note that there's no "i=".  The definition of "g=" says:

    g=  Granularity of the key (plain-text; OPTIONAL, default is "*").
        This value MUST match the Local-part of the "i=" tag of the DKIM-
        Signature header field (or its default value of the empty string
        if "i=" is not specified), with a single, optional "*" character
        matching a sequence of zero or more arbitrary characters
        ("wildcarding").  An email with a signing address that does not
        match the value of this tag constitutes a failed verification.
        The intent of this tag is to constrain which signing address can
        legitimately use this selector, for example, when delegating a
        key to a third party that should only be used for special
        purposes.  Wildcarding allows matching for addresses such as
        "user+*" or "*-offer".  An empty "g=" value never matches any
        addresses.

As I read this, with "i=" not included in your signature, the only "g=" 
values that will match it are the empty string and a wildcard of "*" (or 
equivalent).  Setting "g=bh" will never match "i=".

So your choices are:

- remove the "g=" tag

- begin adding an "i=" tag that contains your mail address so that the 
test described above passes

-MSK
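
The "g=" test described in the message above, as an added example that is not part of the original post or of any DKIM implementation. It follows the quoted definition only; the function names, the placeholder bh=/b=/p= values, the "i=bh@izb.knu.ac.kr" identity and the case-sensitive comparison are assumptions made for illustration.

```python
def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def signing_local_part(sig_tags):
    """Local-part of the i= tag, or the empty string when i= is absent."""
    identity = sig_tags.get("i")
    if identity is None:
        return ""
    return identity.rpartition("@")[0]

def granularity_matches(g, local_part):
    """Apply the quoted g= rule: one optional '*' matches zero or more chars."""
    if g is None:
        g = "*"                    # default when the key record has no g= tag
    if g == "":
        return False               # quoted definition: empty g= never matches
    if g.count("*") > 1:
        raise ValueError("g= allows a single '*' only")
    if "*" not in g:
        return g == local_part     # assumption: exact, case-sensitive compare
    prefix, suffix = g.split("*")
    return (len(local_part) >= len(prefix) + len(suffix)
            and local_part.startswith(prefix) and local_part.endswith(suffix))

def key_usable_for(signature_value, key_record):
    """True when the key record's g= admits the signature's signing address."""
    sig, key = parse_tags(signature_value), parse_tags(key_record)
    return granularity_matches(key.get("g"), signing_local_part(sig))

# Constructed inputs: same d=/s= as the signature above, hashes replaced.
SIG_NO_I = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=izb.knu.ac.kr; s=dj; "
            "bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_WITH_I = SIG_NO_I + "; i=bh@izb.knu.ac.kr"   # hypothetical identity

if __name__ == "__main__":
    for sig_name, sig in (("no i=", SIG_NO_I), ("i=bh@...", SIG_WITH_I)):
        for key in ("v=DKIM1; g=bh; p=PLACEHOLDER", "v=DKIM1; p=PLACEHOLDER"):
            print(sig_name, "|", key, "->", key_usable_for(sig, key))
```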

