Solved

DKIM: Test mode

Posted on 2012-03-14
7
1,905 Views
Last Modified: 2012-03-18
Dear All,

I have deployed DKIM to my production email system. I noted with my email header as below:

Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is  permitted by domain of noreply@foo.net)
smtp.mail=noreply@foo.net; dkim=pass (test mode) header.From=noreply@foo.net
Received: from dialup-1-2-3-4.example.net (dialup-1-2-3-4.example.net [192.0.2.200]) by mail-router.example.com (8.11.6/8.11.6) with ESMTP id g1G0r1kA003489;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta;
t=1241199942; bh=QEhHJ/j5vfrx5vc41XbkI/JJltY=;
h=DomainKey-Signature:X-Sender:X-Apparently-To:Received-SPF:
Authentication-Results:Mime-Version:Content-Type:From:Date:
Message-ID:Subject:To:X-System-Of-Record:Sender:Precedence:
X-Google-Loop:Mailing-List:List-Id:List-Post:List-Help:
List-Unsubscribe:X-BeenThere-Env:X-BeenThere:X-Original-Authentication-Results; b=Z5vM83n7lJLDjq0IF5
HymgX20/5J7B0GSEhdZUBSBrnJfl+iQ15aUK6AlekI58Tv6Jyv+kblZhI02z1SyWql2
A==
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: 98.136.44.50 is permitted by domain of sender@example.net) dkim=pass header.i=sender@example.net
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.net
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.com
Message-Id: <12345.abc@example.net>
List-Id: <list@foo.net>
Subject: here's a sample

So what is the test mode implies? Is there a place where test mode means "not a production mode'?

BR,
Khemarin
0
Comment
Question by:Khemarin
  • 4
  • 3
7 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 37726289
You need to remove the t=y flag from your DKIM record in DNS if you want receiving servers to take action upon DKIM check results.

RFC 4871 says:

t=  Flags, represented as a colon-separated list of names (plain-
       text; OPTIONAL, default is no flags set).  The defined flags are
       as follows:

       y   This domain is testing DKIM.  Verifiers MUST NOT treat
           messages from signers in testing mode differently from
           unsigned email, even should the signature fail to verify.
           Verifiers MAY wish to track testing mode results to assist
           the signer.
0
 

Author Comment

by:Khemarin
ID: 37727528
You mean, I need remove t=1241199942 flags, right? or where?

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?

BR,

Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37727634
You mean, I need remove t=1241199942 flags, right? or where?
Nope, that is the time stamp added to the signature.  Think of DKIM as 2 separate pieces -- the signing side (added to headers, uses private key) and the DNS record (used to verify DKIM hash, uses public key).  Both of these pieces have different options, but some are "named" the same thing (like t=). I'm referring to the DNS record piece.

How about the dkim=pass (test mode) meaning? dose all DKIM are the same?
I'm not sure what you mean, can you please rephrase your question.

I didn't pay much attention at first to the content of the headers you pasted, but rather I only really paid attention to your question.  That being said, it's difficult to determine exactly what is happening in those headers because of how you changed the domains to fake domains.

I see both example.net and foo.net -- that combined with the fact that you are apparently using Google at some point and that your sending IP resolves to Yahoo makes this confusing for me to figure out exactly what is happening.

Many EE users paste the full unedited headers, there isn't really much to worry about, your mail server related info is already publicly available.  If you want us to be able to help you please paste the unedited headers so we can do the required research.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Khemarin
ID: 37727700
Thank you so much for your support.

Here is my email header, I'm testing with Gmail:

Delivered-To: khemarin2007@gmail.com
Received: by 10.231.132.193 with SMTP id c1csp359ibt;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received: by 10.68.238.39 with SMTP id vh7mr9948299pbc.30.1331866010305;
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Return-Path: <Khemarin.Set@helloabc.com>
Received: from helloabc.com (mail.helloabc.com. [1.1.1.1])
        by mx.google.com with ESMTPS id e9si4893968pbi.141.2012.03.15.19.46.49
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 15 Mar 2012 19:46:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Khemarin.Set@helloabc.com designates 1.1.1.1 as permitted sender) smtp.mail=Khemarin.Set@helloabc.com; dkim=pass (test mode) header.i=@helloabc.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=helloabc.com; s=helloabc_com2; c=relaxed/relaxed;
      h=from:to:subject:thread-topic:thread-index:date:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:content-type:mime-version;
      bh=CfHYAxmo9IWa1Kh9K5evXAha1BDHW/x6zXbHlamX5xA=;
      b=gnStLeUZecBoJ0895uuMOyWMaaEonXQLCCPT1EwzNd9ZPPvat7JsSX+9bEs5D4xPNQxVjqFIIzQ65okRugrypJ0STYKXPWP8B1fuDC+mxKFUpSPgg6yKqOEzySmRB2Io/zKUZVEoK65ZT9qHRsw1ZxBQtllxzErFiDapBNgHKFo=
Message-Id: <201203160246.q2G2kh4L011118-q2G2kh4N011118@mailserver.mail.local>
From: Khemarin Set <Khemarin.Set@helloabc.com>
To: khemarin Set <khemarin2007@gmail.com>
Subject: DKIM
Thread-Topic: DKIM
Thread-Index: Ac0DHv6AlJFQ23T0Tma2zNI247ypBw==
Date: Fri, 16 Mar 2012 02:46:28 +0000
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
      boundary="_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_"
MIME-Version: 1.0

--_000_737895503A12894389520C00774923EF3A7C23AE1012231FCDD3411_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

DKIM

------------------------

- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
- Dose my DKIM valid?

I'm looking to hearing from you.

BR,
Khemarin
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37730073
Ah those headers look much better.


- Could you tell me, why my email header dkim=pass (test mode) ? What is the meaning test mode?
Already did, check http:#37726289 for the answer to that as well as the solution to your problem.

- Dose my DKIM valid?
Everything looks correct, except you are still in test mode.
0
 

Author Comment

by:Khemarin
ID: 37736059
Dear Papertrip,

Everything looks correct, except you are still in test mode.

Do you know, How to remove "test mode"?

BR,
Khemarin
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 37736112
As I mentioned before you need to remove the t=y flag from your DKIM record in DNS.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question