Bug #17406

Notification emails are DKIM-signed, but key isn't published

Added by jimfenton 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Infrastructure
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Description

Emails (such as the recently sent announcement for Tails 4.2) have a DKIM-Signature header field, but the public key isn't published in DNS, so the signature can't be verified.

The DKIM-Signature header field looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boum.org;
    s=stigmate; t=1578420772;
    bh=NgMFrvAo9txelbtOaQzhLZjhzoWwFkE0Xk0evQlJHi8=;
    h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:
    List-Post:List-Help:List-Subscribe:Reply-To:From;
    b=tiEniD01Hmllbx81bllRqpZtaf9VTyaHdVNNvV4D8zs+7SfWNKDy7eJBHDIKb/yxY
    OnDhiLR+Z5NtJkHk0tMWaZlhexy7Rv7O4I3dlcBcxRsWjlQGaMIz/25g7oMrGHa1/p
    PrJJTK4orS4j14+9HodOktSDN7sCy/Icnclbm9Kc=

The selector (s= value) is stigmate, so there should be a DNS TXT record containing the public key for the signature at stigmate._domainkey.boum.org, but that record doesn't exist. Instead, my email server reports:

Authentication-Results: <hostname redacted>; dkim=permerror
    reason="key not found" header.d=boum.org header.i=@boum.org
    header.b=tiEniD01; dkim-adsp=none (unprotected policy);
    dkim-atps=neutral
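The lookup described in the report, as an added example that is not part of the original report or of any project tooling: it parses a DKIM-Signature tag list, derives the key record name from s= and d=, and classifies what a verifier finds there. The lookup_txt resolver hook, the sample zones and the bh=, b= and p= values are constructed assumptions; the signature itself is not verified.

```python
import re

# d= and s= come from the report above; bh= and b= are constructed placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=boum.org; s=stigmate; "
             "t=1578420772; bh=Q09OU1RSVUNURUQ=; h=From:To:Date:Subject; "
             "b=Q09OU1RSVUNURUQ=")

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory signature tags, RFC 6376


def parse_tags(value):
    """Parse an RFC 6376 tag=value list (signature or key record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def key_record_name(tags):
    """DNS name where the verifier expects the public key TXT record."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_key(signature, lookup_txt):
    """lookup_txt(name) -> list of TXT strings; hypothetical resolver hook."""
    tags = parse_tags(signature)
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        return "permerror", "missing required tags: " + ",".join(missing)
    name = key_record_name(tags)
    records = [parse_tags(txt) for txt in lookup_txt(name)]
    keys = [r for r in records if r.get("v", "DKIM1") == "DKIM1" and "p" in r]
    if not keys:
        return "permerror", f"key not found at {name}"
    if all(r["p"] == "" for r in keys):
        return "permerror", f"key revoked at {name}"  # empty p= means revoked
    return "ok", f"key published at {name}"


if __name__ == "__main__":
    empty_zone = {}  # constructed: no record, the situation in the report
    fixed_zone = {"stigmate._domainkey.boum.org": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="]}
    for zone in (empty_zone, fixed_zone):
        print(check_key(SIGNATURE, lambda name: zone.get(name, [])))
```

Passing a lookup_txt backed by a real resolver turns this into a pre-send check that the selector in outgoing mail has a published key.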

History

#1 Updated by jimfenton 3 months ago

This can adversely affect the delivery of announcement emails, so ought to be fixed.
