DKIM Check

Mark Martinec Mark.Martinec+amavis at ijs.si
Wed Apr 11 18:08:08 CEST 2012


> Mark, this is a test of my amavis DKIM setup from our discussion
> on the amavisd mailing list.

Thanks. Sorry for not answering your previous test message sooner.

> As you can see, the DKIM seems to fail the signature check.
> I'm not sure how to configure this so that it works.

It took some guesswork and searching for similar messages,
but I can see now where your DKIM signature gets broken.

Your MUA is SquirrelMail/1.4.22, which according to some
other SquirrelMail messages that I could find, produces
a Content-type header field like this:

  Content-type: text/plain;charset=UTF-8

Yet such header field in your sample message looks like:

  Content-type: text/plain; charset=UTF-8

Note an extra space inserted after a colon.
So apparently some MTA is 'prettifying' a mail header.
Postfix does not do it, so the primary suspect is your
next hop mailer at vms173007.mailsrvcs.net, claiming
to be a "(Sun Java(tm) System Messaging Server 7u2-7.02",
which is also gratuitously rewrapping some other header
fields.

Your signature uses a 'relaxed' canonicalization for a
header, which is good, and makes a signature resilient
to rewrapping and to changes in whitespace, as it replaces
any amount of whitespace (spaces, tabs, newlines) by a
single space.

Unfortunately this does not cater for whitespace that
springs up in a place where there was no whitespace
originally (and similarly for completely lost whitespace).
So the gratuitous insertion of a space by some MTA
which thinks it would 'look nicer' this way
is breaking your DKIM signature.

There are three ways around this:

- fix the 'prettifying' mailer;

- modify SquirrelMail to insert a space after a semicolon
  when generating a Content-type header field, which will
  avoid the problem;

- configure amavisd to exclude the Content-type header field
  from a signature:
    $signed_header_fields{'content-type'} = 0;


Mark
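
The effect described in the message above, as an added example that is not part of the original post or of amavisd: RFC 6376 'relaxed' header canonicalization applied to a signed copy and two received copies of the same header. The function names are hypothetical and the sample header fields are constructed from the Content-type values quoted in the message.

```python
import re

def relaxed_header(field):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    name, _, value = field.rstrip("\r\n").partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)          # any run of WSP -> one SP
    # lowercase the name, drop WSP around the colon and at the end of the value
    return name.strip(" \t").lower() + ":" + value.strip(" \t") + "\r\n"

def broken_fields(signed, received):
    """Names of fields whose canonical form differs between the two copies.

    Assumes each field name occurs once per copy (enough for this illustration).
    """
    def canon(fields):
        return dict(relaxed_header(f).split(":", 1) for f in fields)
    a, b = canon(signed), canon(received)
    return sorted(n for n in a if a[n] != b.get(n))

# Constructed sample: header fields as the signer saw them.
SIGNED = [
    "Content-type: text/plain;charset=UTF-8\r\n",
    "Subject: DKIM  Check\r\n",
]
# Constructed sample: refolded at existing whitespace, name case changed.
REWRAPPED = [
    "Content-Type:\r\n\ttext/plain;charset=UTF-8\r\n",
    "Subject: DKIM\r\n Check\r\n",
]
# Constructed sample: a space appears where the signer had none.
PRETTIFIED = [
    "Content-type: text/plain; charset=UTF-8\r\n",
    "Subject: DKIM Check\r\n",
]

if __name__ == "__main__":
    print("rewrapped :", broken_fields(SIGNED, REWRAPPED))
    print("prettified:", broken_fields(SIGNED, PRETTIFIED))
```

Comparing the canonical form of each signed field from the sender's copy with the received copy is a quick way to find which field a downstream MTA altered.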
