
#219 KEYFAIL returned for permanent error

Milestone: 2.7.0
Status: closed-fixed
Owner: None
Priority: 5
Updated: 2015-02-04
Created: 2015-01-14
Creator: Ale Vesely
Private: No

libopendkim/dkim-keys.c (about line 358) returns DKIM_STAT_KEYFAIL if no useful record was returned, assuming that "'%s' reply was unresolved CNAME". Returning DKIM_STAT_NOKEY would seem more consistent to me, since there was no DNS hiccup in such case.

Distinguishing between temporary and permanent errors is useful if the MTA would return 4xx in the former case, while just failing DKIM verification in the latter one. The latter, in turn, may be treated with a 5xx reply, depending on local policies.

I have not yet confirmed that this is an actual problem, but it might be.

Discussion

  • Ale Vesely - 2015-01-15

    By logging the string returned by dkim_geterror(), the problem is confirmed. The log line contains:

    'k1._domainkey.defmix.com' reply was unresolved CNAME

    The message is related to MailChimp, who suggest setting a CNAME record for DKIM. The more that kind of setting takes root, the more occurrences of this outcome are likely to come about.

    As a workaround, strstr(dkim_geterror(), "CNAME") can be used to disambiguate.
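An added illustration of the temporary/permanent split discussed in this ticket, with the strstr() workaround applied; this is example code, not from the ticket or from OpenDKIM, and the status codes are local stand-ins (same names, values not taken from dkim.h) so it builds without libopendkim:

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for libopendkim's DKIM_STAT_* codes (local to this example). */
typedef enum {
    DKIM_STAT_OK,
    DKIM_STAT_BADSIG,
    DKIM_STAT_NOSIG,
    DKIM_STAT_NOKEY,
    DKIM_STAT_KEYFAIL
} DKIM_STAT;

/* What the MTA does with the message after verification. */
typedef enum {
    ACTION_PASS,           /* signature verified */
    ACTION_FAIL_PERMANENT, /* definite verdict; local policy may reply 5xx or deliver unsigned */
    ACTION_DEFER_TEMP      /* transient lookup problem; reply 4xx so the sender retries */
} verify_action;

/* Map a verification status (and the text from dkim_geterror()) to an action.
 * Before the fix in this ticket an unresolved CNAME came back as KEYFAIL,
 * which looks temporary although a retry would not change anything; the
 * workaround from the discussion checks the error text for "CNAME" and
 * treats that case like NOKEY, i.e. as a permanent failure. */
verify_action classify_result(DKIM_STAT status, const char *errstr)
{
    switch (status) {
    case DKIM_STAT_OK:
        return ACTION_PASS;
    case DKIM_STAT_KEYFAIL:
        if (errstr != NULL && strstr(errstr, "CNAME") != NULL)
            return ACTION_FAIL_PERMANENT;   /* no usable record behind the CNAME */
        return ACTION_DEFER_TEMP;           /* genuine DNS hiccup */
    default:
        /* NOKEY, BADSIG, NOSIG: verdicts on the message, not on the lookup */
        return ACTION_FAIL_PERMANENT;
    }
}

int main(void)
{
    /* Constructed input: the log line quoted in this ticket. */
    const char *err = "'k1._domainkey.defmix.com' reply was unresolved CNAME";
    printf("KEYFAIL with CNAME text -> action %d\n",
           classify_result(DKIM_STAT_KEYFAIL, err));
    printf("KEYFAIL with timeout    -> action %d\n",
           classify_result(DKIM_STAT_KEYFAIL, "key query timeout"));
    return 0;
}
```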

  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy
  • Murray S. Kucherawy

    Interestingly enough, your position appears to agree with RFC6604. I seem to remember that this was actually a recent change, but I couldn't find it in the RELEASE_NOTES.

    Done for next release.

  • Murray S. Kucherawy

    2.10.1 released.

  • Murray S. Kucherawy

    • status: open --> closed-fixed
