
I have enabled DMARC feedback for my server. I am getting the following messages, in this case from google, but I've gotten similar from att.net, Microsoft and others:

Email Provider: google.com
Report Id: 7844382628123659573
Report Start Date:  2022-08-25 20:00:00
Report End Date:  2022-08-26 19:59:59
Domain: mercureytech.com
<adkim> DKIM Alignment: r Relaxed
<aspf> SPF Alignment: r Relaxed
<p> Public Key: none
<sp> Subdomain Policy: none
<pct> Policy Applies: 100%
Source IP: 24.142.169.11
Email Volume: 1
Policy Disposition: none
DKIM Disposition: fail
SPF Disposition: pass
Header From: mercureytech.com 
DKIM Auth. Domain: mercureytech.com
DKIM Results: fail
DKIM Selector: mercmail
SPF Auth. Domain: mercureytech.com

Note the "DKIM Disposition: fail" and "DKIM Results: fail". Why am I getting this? Third party tools such as dmarcanalyzer.com and others indicate a valid DKIM record and if I examine headers from this domain it says "dkim=pass (1024-bit key) header.d=mercureytech.com header.i=@mercureytech.com"

So why are the DKIM failures being reported on the DMARC reports from these service providers?

12-Sep

OK, I've gathered some information. I've checked your dnsviz.net and the Notice marked "ERROR" which says "The response had an invalid RCODE ..." the servers listed are the name servers of Network Solutions. I've looked up this error and found, "This indicates that the DNS server returned a 'SERVFAIL' error when it attempted to look up the domain in DNS."

Not sure what I could do about this. The domain mercureytech.com is registered with Network Solutions and the server specified in the error (162.159.26.132) is Network Solutions' name server ns23.worldnic.com.

I have a recent gmail DMARC report as of this morning from an email sent yesterday:

Email Provider: google.com
Report Id: 6687317408563956953
Report Start Date:  2022-09-10 20:00:00
Report End Date:  2022-09-11 19:59:59
Domain: mercureytech.com
<adkim> DKIM Alignment: r Relaxed
<aspf> SPF Alignment: r Relaxed
<p> Public Key: none
<sp> Subdomain Policy: none
<pct> Policy Applies: 100%
Source IP: 24.142.169.11
Email Volume: 30
Policy Disposition: none
DKIM Disposition: fail
SPF Disposition: pass
Header From: mercureytech.com 
DKIM Auth. Domain: horeb-wright3.org
DKIM Results: fail
DKIM Selector: horeb
SPF Auth. Domain: mercureytech.com

I don't have what is received at gmail by way of headers, but I also received this message at my server and I suppose the headers should be similar. If not, I can arrange for a message to be also sent to a gmail account I own. The following are the headers I received for this message at my mail server:

From noreply@mercureytech.com  Sun Sep 11 06:00:07 2022
Return-Path: <noreply@mercureytech.com>
Received: from mail.mercureytech.com (rrcs-24-142-169-11.mail.mercureytech.com [24.142.169.11] (may be forged))
        by server.novatec-inc.com (8.15.2/8.15.2) with ESMTPS id 28BA05hp008998
        (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
        for <mfoley@novatec-inc.com>; Sun, 11 Sep 2022 06:00:05 -0400
Authentication-Results: server.novatec-inc.com;
        dkim=fail reason="signature verification failed" (1024-bit key) header.d=horeb-wright3.org header.i=@horeb-wright3.org header.b=oxKZuL5k
Received: from mail.mercureytech.com (localhost [127.0.0.1])
        by mail.mercureytech.com (8.17.1/8.15.2) with ESMTP id 28BA025T020199
        for <mfoley@novatec-inc.com>; Sun, 11 Sep 2022 06:00:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=horeb-wright3.org;
        s=horeb; t=1662890404;
        bh=mavbdSeWGydRvJ1XB+84YVwYKuor+lsP2JEciknt0Yk=;
        h=Date:From:To:Subject;
        b=oxKZuL5k1zAhr9bf7mKR6gzH2/a9jA/loJcw+6qgiGEsmCFAydHtrAZdoOzruJqxH
         oV3qMBvs4jHa58pPWrfXfAAF+UCGZ85Jx+J0PAnDapryWT8LltpA6yuaRgCGsVhY1F
         tlv2p+cS/LyJWRGBZfYaNzbKCJUm/C4EzXOpvL80=
Received: (from root@localhost)
        by mail.mercureytech.com (8.17.1/8.17.1/Submit) id 28BA01H9020010
        for mfoley@novatec-inc.com; Sun, 11 Sep 2022 06:00:01 -0400

It says the dkim authentication failed. I'll investigate that as I thought this was working before.

1 Answer


TL;DR: DKIM checks failed because the email signature didn't validate.

Long answer:

Look at the Authentication-Results header:

server.novatec-inc.com;
   dkim=fail reason="signature verification failed" (1024-bit key)
   header.d=horeb-wright3.org header.i=@horeb-wright3.org header.b=oxKZuL5k

Here "signature verification failed" means that DKIM failed because the signature did not validate using the public key loaded from the DNS. The public key was located using the DKIM selector (the s= tag in the DKIM-Signature header) and the signing domain (d=). More specifically, the key was loaded from the DKIM record at horeb._domainkey.horeb-wright3.org.

So to solve this you need to make sure that whatever servers are sending your emails use the private key corresponding to the public key published on the DNS.

Note: even though DKIM check failed, DMARC did not, because SPF passed.

fvsdpl
  • 61
  • Sorry for the long delay in replying, but I've been collecting and analyzing DMARC reports. I have both DMARC and Gmail header information I can post, but as I mentioned previously, I don't know how to do that. This 'comment' section is very limited. How can I do that? – Mark Foley Nov 04 '22 at 06:31
  • Why do you think you need to upload more header information? The question Why DMARC having DKIM failure? was answered already above. If you have other questions about DMARC/DKIM/SPF I'm happy to help answering them, but please post them as separate questions. Also, don't forget to mark any answer as the correct one, if you are satisfied with the response. – fvsdpl Nov 08 '22 at 00:33
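
The key lookup and the DMARC outcome described in the answer can be reproduced offline. The following is an added example, not code from the question or the answer: it derives the DNS name of the DKIM key record from the s= and d= tags and then applies the DMARC rule that a message passes when either DKIM or SPF both passes and aligns with the Header From domain. It goes slightly beyond the answer by also checking alignment. The function names are hypothetical, and the organizational domain is approximated as the last two labels (an assumption; a real evaluator uses the Public Suffix List).

```python
import re

# Constructed sample: the DKIM-Signature value from the question, with b= shortened.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=horeb-wright3.org;\n"
    "        s=horeb; t=1662890404;\n"
    "        bh=mavbdSeWGydRvJ1XB+84YVwYKuor+lsP2JEciknt0Yk=;\n"
    "        h=Date:From:To:Subject;\n"
    "        b=oxKZuL5k"
)

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # split on the first '=' only (base64 padding)
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    """DNS name of the TXT record holding the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    # Assumption: last two labels stand in for the Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode="r"):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_result(header_from, dkim, spf, adkim="r", aspf="r"):
    """dkim and spf are (result, domain) pairs; one must both pass and align."""
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], header_from, adkim)
    spf_ok = spf[0] == "pass" and aligned(spf[1], header_from, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"
```

With the values from the second report, `dmarc_result("mercureytech.com", ("fail", "horeb-wright3.org"), ("pass", "mercureytech.com"))` returns `"pass"`, matching the answer's note that SPF carried DMARC. A signature with d=horeb-wright3.org would not align with a Header From of mercureytech.com even if it verified.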