[opendmarc-users] Can I tell why a specific message failed?

Dan Mahoney, System Admin danm at prime.gushi.org
Tue Aug 26 09:00:42 PDT 2014


On Tue, 26 Aug 2014, Benny Pedersen wrote:

> On 26. aug. 2014 10.47.36 "Dan Mahoney, System Admin" <danm at prime.gushi.org> 
> wrote:
>
>> Authentication-Results: prime.gushi.org; dkim=pass
>>          reason="1024-bit key; unprotected key"
>>          header.d=amazonses.com header.i=@amazonses.com header.b=IILVBN7v;
>>          dkim-adsp=pass
>> 
>> Any ideas?
>
> dig +trace amazon.com
>
> Missing ds rr gives unprotected key, but dkim works with signing domain 
> amazonses.com none of them is dnssec protected

I'm not sure what you mean.

Those zones aren't signed, and I don't think I've seen any requirement in 
the spec, or the FAQ, or anywhere else that says DNSSEC is mandatory.

(although of course a good resolver should reject a record with a DNSSEC 
sig failure -- that's not what's happening here).

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------



More information about the opendmarc-users mailing list