DKIM signature fails to verify

Asked by Stephen Nightingale

We are implementing a High Assurance Domain project at NIST, which entails deploying SPF, DKIM and DMARC. I tried Greg Hewgill's original; it failed to verify, and I noticed that the dkimpy update has been created. I'm using that.

I'm extending PpyMilter and connecting it to Sendmail, to do the signing and the verification.
Applying the dkimpy sign at the Sender end and the dkimpy verify at the Receiver end, I get DKIM Signature fails to verify.
The Sender and Receiver bodyhashes are the same so I figure it's in the Header hashing.
So I tried tossing out one header at a time from 'include_headers'. When I get down to 'From' and 'Date', it still generates different signatures and fails to verify.
If I throw out all but 'From', Python raises an exception saying 'FROM has to be signed'.
It's only a short From line so I can't see that folding makes a difference.

Are there any other known bugs or asymmetries in dkim signing and/or verifying?


Stephen Nightingale, NIST.

Martin Pool (mbp) said :

If you're using the current tip, I don't believe there are any bugs
like that open. There have been similar bugs in the past, and it's
possible there are still some left.

Can you provide a small python program that demonstrates the problem?

Stuart Gathman (stuart-gathman) said :

If the bodyhashes in the DKIM-Signature header field are the same, then it is not a header hashing issue. The bh= includes both header and body hash. You didn't provide any details, e.g. the DKIM-Signature header field in question, or the exception. Note that calling the class method lets you get an informative exception, and not just a boolean result. I suspect that there is something wrong with the DNS record you published. There are many tests of sign/verify symmetry in the unit tests. If it turns out you have an actual failure, we'll add it to the suite.

Stuart Gathman (stuart-gathman) said :

You can see a simple sign and verify DKIM milter using pymilter here:

The API is probably somewhat different from ppymilter, you can view here:
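
Added example, not part of the thread and not dkimpy or pymilter code: a standard-library diagnostic that canonicalizes each signed header field per RFC 6376 (simple and relaxed) on the sender's and receiver's copies and reports which fields differ, which is how a header changed between signing and verification can be located. The sample messages and all function names are constructed for illustration, and the comparison is per field rather than the full DKIM signature input.

```python
import hashlib
import re

def split_headers(raw: bytes):
    """Return (name, field) pairs from the header block, keeping original folding."""
    fields = []
    for line in raw.split(b"\r\n"):
        if not line:                       # blank line ends the header block
            break
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line   # folded continuation line
        else:
            fields.append(line)
    return [(f.split(b":", 1)[0], f + b"\r\n") for f in fields]

def canon_simple(name: bytes, field: bytes) -> bytes:
    return field                           # RFC 6376 3.4.1: field is used unchanged

def canon_relaxed(name: bytes, field: bytes) -> bytes:
    # RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the value
    value = field.split(b":", 1)[1].replace(b"\r\n", b"")
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def altered_fields(sent: bytes, received: bytes, signed, canon):
    """Names of signed fields whose canonical form differs between the two copies."""
    def digests(raw):
        # If a field name repeats, the last occurrence is the one compared.
        return {n.strip().lower(): hashlib.sha256(canon(n, f)).hexdigest()
                for n, f in split_headers(raw) if n.strip().lower() in signed}
    a, b = digests(sent), digests(received)
    return sorted(k.decode() for k in signed if a.get(k) != b.get(k))

# Constructed sample messages (not taken from the thread).
SENT = (b"From: Alice <alice@example.org>\r\n"
        b"Date: Mon, 01 Jan 2024 10:00:00 -0500\r\n"
        b"Subject: test\r\n\r\nbody\r\n")
# Same content after a hop that refolded Date and changed spacing in From.
REFORMATTED = (b"From: Alice  <alice@example.org>\r\n"
               b"Date: Mon, 01 Jan 2024\r\n 10:00:00 -0500\r\n"
               b"Subject: test\r\n\r\nbody\r\n")
# A hop that rewrote the From address itself.
REWRITTEN = REFORMATTED.replace(b"alice@example.org", b"alice@mail.example.org")
SIGNED = {b"from", b"date", b"subject"}

if __name__ == "__main__":
    for label, copy in (("reformatted", REFORMATTED), ("rewritten", REWRITTEN)):
        for canon in (canon_simple, canon_relaxed):
            print(label, canon.__name__, altered_fields(SENT, copy, SIGNED, canon))
```

Fields reported under simple but not under relaxed were only reformatted in transit; fields reported under both had their content changed, which no canonicalization setting will tolerate.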
