[opendmarc-users] DKIM align question

Todd Lyons tlyons at ivenue.com
Tue Apr 9 07:18:25 PDT 2013


On Mon, Apr 8, 2013 at 9:33 AM, Todd Lyons <tlyons at ivenue.com> wrote:
> Everything imports with no problems, but I did find one oddity.
> In much the same manner as the SPF align question last week, I have a
> snippet of XML that seems to indicate the pass/fail swapping issue in
> DKIM too:

Dammit!  I was misinterpreting the XML.

>  <record>
>   <row>
>    <source_ip>199.101.162.40</source_ip>
>    <count>1</count>
>    <policy_evaluated>
>     <disposition>none</disposition>
>     <dkim>fail</dkim>

This means that DKIM *alignment* failed, not that DKIM failed.

<snip>

>    <dkim>
>     <domain>linkedin.com</domain>
>     <result>pass</result>
>    </dkim>

And this means that the DKIM signature passed for that domain.

My code is doing something wrong when assigning those numbers for the
result field (which you call "pass" in the signatures table).  I'm
looking at the perl script for reports and it expects a multivalued
integer for the dkim pass field:

            switch ($dkimresult)
            {
                case 0  { $dkimresultstr = "pass"; }
                case 2  { $dkimresultstr = "softfail"; }
                case 3  { $dkimresultstr = "neutral"; }
                case 4  { $dkimresultstr = "temperror"; }
                case 5  { $dkimresultstr = "permerror"; }
                case 6  { $dkimresultstr = "none"; }
                case 7  { $dkimresultstr = "fail"; }
                case 8  { $dkimresultstr = "policy"; }
                case 9  { $dkimresultstr = "nxdomain"; }
                case 10 { $dkimresultstr = "signed"; }
                case 12 { $dkimresultstr = "discard"; }
                else    { $dkimresultstr = "unknown"; }
            }

My code is doing this:

      dkim_result = ( vs == PDKIM_VERIFY_PASS )    ? DMARC_POLICY_DKIM_OUTCOME_PASS :
                    ( vs == PDKIM_VERIFY_FAIL )    ? DMARC_POLICY_DKIM_OUTCOME_FAIL :
                    ( vs == PDKIM_VERIFY_INVALID ) ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
                                                     DMARC_POLICY_DKIM_OUTCOME_NONE;

which is far fewer values than your script is expecting.
Additionally, when you look at the values, 0 is pass, but in the dmarc
headers, DMARC_POLICY_DKIM_OUTCOME_PASS is 1.  That means the wrong
value is getting logged.  I'll have to figure out what #define's you
are using to generate all of those DKIM statuses and go from there.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
 If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
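
The mismatch described in the message above, as an added example that is not part of the original post or of either project's code: it decodes what the ternary logs through a mirror of the report script's switch, next to a translation into the codes that switch expects. The enum names and the `as_logged`/`as_report_code` helpers are hypothetical, and only PASS = 1 among the policy outcome values comes from the post; the other three values are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the verifier states behind PDKIM_VERIFY_*. */
enum verify { VS_NONE, VS_INVALID, VS_FAIL, VS_PASS };

/* Policy outcome values. Only PASS = 1 is stated in the post; the
 * other three are assumed for this example. */
enum { OUT_NONE = 0, OUT_PASS = 1, OUT_FAIL = 2, OUT_TMPFAIL = 3 };

/* Mirror of the report script's switch quoted in the post. */
const char *rpt_label(int code)
{
    static const char *const tbl[] = {
        "pass", NULL, "softfail", "neutral", "temperror", "permerror",
        "none", "fail", "policy", "nxdomain", "signed", NULL, "discard"
    };
    if (code < 0 || code >= (int)(sizeof tbl / sizeof tbl[0]) || !tbl[code])
        return "unknown";
    return tbl[code];
}

/* What the ternary in the post stores: a policy outcome. */
int as_logged(enum verify vs)
{
    return vs == VS_PASS    ? OUT_PASS :
           vs == VS_FAIL    ? OUT_FAIL :
           vs == VS_INVALID ? OUT_TMPFAIL : OUT_NONE;
}

/* Translation into the codes the report script decodes
 * (0 pass, 7 fail, 4 temperror, 6 none). */
int as_report_code(enum verify vs)
{
    return vs == VS_PASS    ? 0 :
           vs == VS_FAIL    ? 7 :
           vs == VS_INVALID ? 4 : 6;
}

int main(void)
{
    static const char *const names[] = { "none", "invalid", "fail", "pass" };
    for (int vs = VS_NONE; vs <= VS_PASS; vs++)
        printf("%-7s logged=%d -> \"%s\"   translated=%d -> \"%s\"\n",
               names[vs], as_logged(vs), rpt_label(as_logged(vs)),
               as_report_code(vs), rpt_label(as_report_code(vs)));
    return 0;
}
```

Under the assumed values, a message with no signature at all is logged as 0, which the report script decodes as "pass"; that is the case worth checking first in any stored history data.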
