Solved

DKIM: Test mode

Posted on 2012-03-14
7
1,646 Views
Last Modified: 2012-03-18
Dear All,

I have deployed DKIM to my production email system. I noted with my email header as below:

Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is  permitted by domain of noreply@foo.net)
smtp.mail=noreply@foo.net; dkim=pass (test mode) header.From=noreply@foo.net
Received: from dialup-1-2-3-4.example.net (dialup-1-2-3-4.example.net [192.0.2.200]) by mail-router.example.com (8.11.6/8.11.6) with ESMTP id g1G0r1kA003489;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta;
t=1241199942; bh=QEhHJ/j5vfrx5vc41XbkI/JJltY=;
h=DomainKey-Signature:X-Sender:X-Apparently-To:Received-SPF:
Authentication-Results:Mime-Version:Content-Type:From:Date:
Message-ID:Subject:To:X-System-Of-Record:Sender:Precedence:
X-Google-Loop:Mailing-List:List-Id:List-Post:List-Help:
List-Unsubscribe:X-BeenThere-Env:X-BeenThere:X-Original-Authentication-Results; b=Z5vM83n7lJLDjq0IF5
HymgX20/5J7B0GSEhdZUBSBrnJfl+iQ15aUK6AlekI58Tv6Jyv+kblZhI02z1SyWql2
A==
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is permitted by domain of sender@example.net) dkim=pass header.i=sender@example.net
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.net
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.com
Message-Id: <12345.abc@example.net>
List-Id: <list@foo.net>
Subject: here's a sample

So what is the test mode implies? Is there a place where test mode means "not a production mode'?

BR,
Khemarin
0
Comment
Question by:Khemarin
  • 4
  • 3
7 Comments
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
You need to remove the t=y flag from your DKIM record in DNS if you want receiving servers to take action upon DKIM check results.

RFC 4871 says:

t=  Flags, represented as a colon-separated list of names (plain-
       text; OPTIONAL, default is no flags set).  The defined flags are
       as follows:

       y   This domain is testing DKIM.  Verifiers MUST NOT treat
           messages from signers in testing mode differently from
           unsigned email, even should the signature fail to verify.
           Verifiers MAY wish to track testing mode results to assist
           the signer.
0
 

Author Comment

by:Khemarin
Comment Utility
You mean, I need remove t=1241199942 flags, right? or where?

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?

BR,

Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
You mean, I need remove t=1241199942 flags, right? or where?
Nope, that is the time stamp added to the signature.  Think of DKIM as 2 separate pieces -- the signing side (added to headers, uses private key) and the DNS record (used to verify DKIM hash, uses public key).  Both of these pieces have different options, but some are "named" the same thing (like t=). I'm referring to the DNS record piece.

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?
I'm not sure what you mean, can you please rephrase your question.

I didn't pay much attention at first to the content of the headers you pasted, but rather I only really paid attention to your question.  That being said, it's difficult to determine exactly what is happening in those headers because of how you changed the domains to fake domains.

I see both example.net and foo.net -- that combined with the fact that you are apparently using Google at some point and that your sending IP resolves to Yahoo makes this confusing for me to figure out exactly what is happening.

Many EE users paste the full unedited headers, there isn't really much to worry about, your mail server related info is already publicly available.  If you want us to be able to help you please paste the unedited headers so we can do the required research.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:Khemarin
Comment Utility
Thank you so much for your support.

Here is my email header, I'm testing with Gmail:

Delivered-To: khemarin2007@gmail.com
Received: by 10.231.132.193 with SMTP id c1csp359ibt;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received: by 10.68.238.39 with SMTP id vh7mr9948299pbc.30.1331866010305;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Return-Path: <Khemarin.Set@helloabc.com>
Received: from helloabc.com (mail.helloabc.com. [1.1.1.1])
        by mx.google.com with ESMTPS id e9si4893968pbi.141.2012.03.15.19.46.49
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) smtp.mail=Khemarin.Set@helloabc.com; dkim=pass (test mode) header.i=@helloabc.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=helloabc.com; s=helloabc_com2; c=relaxed/relaxed;
      h=from:to:subject:thread-topic:thread-index:date:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:content-type:mime-version;
      bh=CfHYAxmo9IWa1Kh9K5evXAha1BDHW/x6zXbHlamX5xA=;
      b=gnStLeUZecBoJ0895uuMOyWMaaEonXQLCCPT1EwzNd9ZPPvat7JsSX+9bEs5D4xPNQxVjqFIIzQ65okRugrypJ0STYKXPWP8B1fuDC+mxKFUpSPgg6yKqOEzySmRB2Io/zKUZVEoK65ZT9qHRsw1ZxBQtllxzErFiDapBNgHKFo=
Message-Id: <201203160246.q2G2kh4L011118-q2G2kh4N011118@mailserver.mail.local>
From: Khemarin Set <Khemarin.Set@helloabc.com>
To: khemarin Set <khemarin2007@gmail.com>
Subject: DKIM
Thread-Topic: DKIM
Thread-Index: Ac0DHv6AlJFQ23T0Tma2zNI247ypBw==
Date: Fri, 16 Mar 2012 02:46:28 +0000
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
      boundary="_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_"
MIME-Version: 1.0

--_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

DKIM

------------------------

- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
- Dose my DKIM valid?

I'm looking to hearing from you.

BR,
Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
Ah those headers look much better.


- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
Already did, check http:#37726289 for the answer to that as well as the solution to your problem.

- Dose my DKIM valid?
Everything looks correct, except you are still in test mode.
0
 

Author Comment

by:Khemarin
Comment Utility
Dear Papertrip,

Everything looks correct, except you are still in test mode.

Do you know, How to remove "test mode"?

BR,
Khemarin
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
Comment Utility
As I mentioned before you need to remove the t=y flag from your DKIM record in DNS.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now