Solved

DKIM: Test mode

Posted on 2012-03-14
7
1,709 Views
Last Modified: 2012-03-18
Dear All,

I have deployed DKIM to my production email system. I noted with my email header as below:

Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is  permitted by domain of noreply@foo.net)
smtp.mail=noreply@foo.net; dkim=pass (test mode) header.From=noreply@foo.net
Received: from dialup-1-2-3-4.example.net (dialup-1-2-3-4.example.net [192.0.2.200]) by mail-router.example.com (8.11.6/8.11.6) with ESMTP id g1G0r1kA003489;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta;
t=1241199942; bh=QEhHJ/j5vfrx5vc41XbkI/JJltY=;
h=DomainKey-Signature:X-Sender:X-Apparently-To:Received-SPF:
Authentication-Results:Mime-Version:Content-Type:From:Date:
Message-ID:Subject:To:X-System-Of-Record:Sender:Precedence:
X-Google-Loop:Mailing-List:List-Id:List-Post:List-Help:
List-Unsubscribe:X-BeenThere-Env:X-BeenThere:X-Original-Authentication-Results; b=Z5vM83n7lJLDjq0IF5
HymgX20/5J7B0GSEhdZUBSBrnJfl+iQ15aUK6AlekI58Tv6Jyv+kblZhI02z1SyWql2
A==
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is permitted by domain of sender@example.net) dkim=pass header.i=sender@example.net
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.net
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.com
Message-Id: <12345.abc@example.net>
List-Id: <list@foo.net>
Subject: here's a sample

So what is the test mode implies? Is there a place where test mode means "not a production mode'?

BR,
Khemarin
0
Comment
Question by:Khemarin
  • 4
  • 3
7 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 37726289
You need to remove the t=y flag from your DKIM record in DNS if you want receiving servers to take action upon DKIM check results.

RFC 4871 says:

t=  Flags, represented as a colon-separated list of names (plain-
       text; OPTIONAL, default is no flags set).  The defined flags are
       as follows:

       y   This domain is testing DKIM.  Verifiers MUST NOT treat
           messages from signers in testing mode differently from
           unsigned email, even should the signature fail to verify.
           Verifiers MAY wish to track testing mode results to assist
           the signer.
0
 

Author Comment

by:Khemarin
ID: 37727528
You mean, I need remove t=1241199942 flags, right? or where?

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?

BR,

Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37727634
You mean, I need remove t=1241199942 flags, right? or where?
Nope, that is the time stamp added to the signature.  Think of DKIM as 2 separate pieces -- the signing side (added to headers, uses private key) and the DNS record (used to verify DKIM hash, uses public key).  Both of these pieces have different options, but some are "named" the same thing (like t=). I'm referring to the DNS record piece.

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?
I'm not sure what you mean, can you please rephrase your question.

I didn't pay much attention at first to the content of the headers you pasted, but rather I only really paid attention to your question.  That being said, it's difficult to determine exactly what is happening in those headers because of how you changed the domains to fake domains.

I see both example.net and foo.net -- that combined with the fact that you are apparently using Google at some point and that your sending IP resolves to Yahoo makes this confusing for me to figure out exactly what is happening.

Many EE users paste the full unedited headers, there isn't really much to worry about, your mail server related info is already publicly available.  If you want us to be able to help you please paste the unedited headers so we can do the required research.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Khemarin
ID: 37727700
Thank you so much for your support.

Here is my email header, I'm testing with Gmail:

Delivered-To: khemarin2007@gmail.com
Received: by 10.231.132.193 with SMTP id c1csp359ibt;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received: by 10.68.238.39 with SMTP id vh7mr9948299pbc.30.1331866010305;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Return-Path: <Khemarin.Set@helloabc.com>
Received: from helloabc.com (mail.helloabc.com. [1.1.1.1])
        by mx.google.com with ESMTPS id e9si4893968pbi.141.2012.03.15.19.46.49
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) smtp.mail=Khemarin.Set@helloabc.com; dkim=pass (test mode) header.i=@helloabc.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=helloabc.com; s=helloabc_com2; c=relaxed/relaxed;
      h=from:to:subject:thread-topic:thread-index:date:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:content-type:mime-version;
      bh=CfHYAxmo9IWa1Kh9K5evXAha1BDHW/x6zXbHlamX5xA=;
      b=gnStLeUZecBoJ0895uuMOyWMaaEonXQLCCPT1EwzNd9ZPPvat7JsSX+9bEs5D4xPNQxVjqFIIzQ65okRugrypJ0STYKXPWP8B1fuDC+mxKFUpSPgg6yKqOEzySmRB2Io/zKUZVEoK65ZT9qHRsw1ZxBQtllxzErFiDapBNgHKFo=
Message-Id: <201203160246.q2G2kh4L011118-q2G2kh4N011118@mailserver.mail.local>
From: Khemarin Set <Khemarin.Set@helloabc.com>
To: khemarin Set <khemarin2007@gmail.com>
Subject: DKIM
Thread-Topic: DKIM
Thread-Index: Ac0DHv6AlJFQ23T0Tma2zNI247ypBw==
Date: Fri, 16 Mar 2012 02:46:28 +0000
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
      boundary="_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_"
MIME-Version: 1.0

--_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

DKIM

------------------------

- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
- Dose my DKIM valid?

I'm looking to hearing from you.

BR,
Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37730073
Ah those headers look much better.


- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
Already did, check http:#37726289 for the answer to that as well as the solution to your problem.

- Dose my DKIM valid?
Everything looks correct, except you are still in test mode.
0
 

Author Comment

by:Khemarin
ID: 37736059
Dear Papertrip,

Everything looks correct, except you are still in test mode.

Do you know, How to remove "test mode"?

BR,
Khemarin
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 37736112
As I mentioned before you need to remove the t=y flag from your DKIM record in DNS.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now