Re: DomainKeys signature no longer valid in 0.4.2

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

>
>Can you disable the other filters and test with dk-filter only?

Sure thing. See below.

>If sendmail.net is seeing an older DNS record, that would cause DK
>verification to fail.  It's better to change selector records when
>you generate a new key to avoid such an issue.

Yeah, it was seeing one from when I turned off test mode, but that 
ended up not being the issue. The key itself was still the same.

>There was a change in the dk-milter version running on sendmail.net.

Yeah, this would certainly be the cause of my headaches, but it seems 
every other DK test out there fails it as well. So it's either 
something wrong from the getgo, or something new.

>Send an email to aut...@dk....  You should get a
>reply which includes the DNS records seen by the
>autoresponder.  Please verify whether the selector record is correct
>(i.e. your public key in DNS).

I ran the test against the new autoresponder you gave, and verified 
the DNS record as well as disabling all of my milters. The response 
the new responder gave was:

-------
DKIM Test: pass (1024-bit key)
DomainKeys Test: fail
DomainKeys Policy: "o=~"
DKIM Sender Signing Policy: query failed

DomainKeys Selector: vixen
"k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSVzV7F/BK1vc9kuCtc9b8v5HdZRMJ+psf8yyVoJ+q4eEV2KlHUENLQTi3AO/jI4NO7IgUPVububWabofjhC7d0d4wI6ISI4I71K/Zu1Wuz4ucXvu4Refs6zwGhrkgDAqXCbxG3B0E0rU287yc/e99JseOZg4eR6MjoT2aw2BVPwIDAQAB"
-------

This record does indeed match my TXT record published in the DNS. The 
outgoing e-mail was signed, and the headers are relatively mimimal. 
Typical ones towards the bottom, followed by the DomainKeys 
signature, and finally the sendmail received from lines, before it's 
validated by the autoresponder.

Since this key was generated by the DKIM gentxt.csh file (the only 
difference was a 1024 vs 512 bit key it seemed), would it make more 
sense to have different selector records for DK and DKIM? I noticed 
sendmail.net and others all seem to be using the same key, so I'm 
seriously doubting it.

Any more random pointers?

- Greg