[dkim-ops] [Dkim-contact] When i switched to "g=bh", Gmail said (...)
Murray S. Kucherawy
msk at sendmail.com
Tue Nov 4 17:14:24 PST 2008
Your signature header contained:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=izb.knu.ac.kr;
content-transfer-encoding; s=dj; bh=QiPZXJCZYs3YqbS59DQ6rAk23YbX
Note that there's no "i=". The definition of "g=" says:
g= Granularity of the key (plain-text; OPTIONAL, default is "*").
This value MUST match the Local-part of the "i=" tag of the DKIM-
Signature header field (or its default value of the empty string
if "i=" is not specified), with a single, optional "*" character
matching a sequence of zero or more arbitrary characters
("wildcarding"). An email with a signing address that does not
match the value of this tag constitutes a failed verification.
The intent of this tag is to constrain which signing address can
legitimately use this selector, for example, when delegating a
key to a third party that should only be used for special
purposes. Wildcarding allows matching for addresses such as
"user+*" or "*-offer". An empty "g=" value never matches any
As I read this, with "i=" not included in your signature, the only "g="
values that will match it are the empty string and a wildcard of "*" (or
equivalent). Setting "g=bh" will never match "i=".
So your choices are:
- remove the "g=" tag
- begin adding an "i=" tag that contains your mail address so that the
test described above passes
More information about the dkim-ops