[dkim-ops] Yahoo/BellSouth configuration
Murray S. Kucherawy
msk at cloudmark.com
Wed Aug 26 09:22:13 PDT 2009
> -----Original Message-----
> From: dkim-ops-bounces at mipassoc.org [mailto:dkim-ops-bounces at mipassoc.org] On Behalf Of Allan E. Johannesen
> Sent: Wednesday, August 26, 2009 8:37 AM
> To: dkim-ops at mipassoc.org
> Cc: aej at wpi.edu
> Subject: [dkim-ops] Yahoo/BellSouth configuration
> I turned off the DKIM filter, since I can't see the message until I do
> A message from them to me had this header:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net;
> s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
> The problem is that bellsouth.net has no selector named s1024.
> yahoo.com does:
> So, my question is about how our DKIM filter is supposed to know to
> yahoo.com when given a domain of bellsouth.com in the DKIM-Signature
> Is there a newer version than dkim-milter-2.8.3 which might understand some new magic about how to translate domain names given in the DKIM header?
My guess is Yahoo! is providing mailbox service for Bellsouth. They send mail on behalf of bellsouth.net and are signing that mail with DKIM, but are changing the "d=" to match the sending domain while still using their own keys. This causes verifiers to (correctly!) go to bellsouth.net's DNS servers to get the key but, as you've observed, it's not there, which makes verification impossible.
There's no magic to apply here. The verifier is doing what the signer told it to do, but what the signer said is unfortunately invalid.
Your best bet until this gets straightened out is to relax what the filter does in response to key retrieval failures. Check the documentation for the filter you're using for assistance.
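
The key lookup described in this reply, as an added example that is not part of the original message or of dkim-milter: it derives the DNS query name from the `s=` and `d=` tags of the quoted header and shows a relaxed response to a missing key. The `FAKE_DNS` table is a constructed stand-in for DNS (its key data is a placeholder) and `on_no_key` is a hypothetical policy knob, not a dkim-milter option.

```python
import re

# Header value quoted in the thread; tags after bh= are not shown on the page.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; "
          "s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;")

# Constructed stand-in for DNS. The thread reports that yahoo.com publishes
# selector s1024 and bellsouth.net does not. The p= value is a placeholder.
FAKE_DNS = {"s1024._domainkey.yahoo.com": "v=DKIM1; k=rsa; p=PLACEHOLDER"}


def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")  # first "=" only; base64 may end in "="
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """The verifier only has s= and d=: <selector>._domainkey.<domain>."""
    return "{}._domainkey.{}".format(tags["s"], tags["d"]).lower()


def disposition(header_value, on_no_key="accept", dns=FAKE_DNS):
    """Return (query name, lookup result, action) for one signature."""
    tags = parse_tags(header_value)
    qname = key_query_name(tags)
    if dns.get(qname) is None:
        # Key retrieval failed, so the signature cannot be evaluated.
        # A relaxed policy delivers the message as if it were unsigned.
        return qname, "no-key", on_no_key
    return qname, "key-found", "verify"


if __name__ == "__main__":
    print(disposition(HEADER))
    print(disposition(HEADER.replace("d=bellsouth.net", "d=yahoo.com")))
```

Nothing in the header points at yahoo.com, so the only name a verifier can query is the one built from `d=bellsouth.net`.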