[Rspamd-Users] DKIM failure if CNAME

Daniel Lysfjord lysfjord.daniel at smokepit.net
Wed May 13 15:16:58 UTC 2020


Hi.

DKIM verification seems to fail whenever the DKIM selector is a CNAME. 
Example:

csession; dkim_module_key_handler: cannot get key for domain 
selector1._domainkey.hotmail.com: dns request to 
selector1._domainkey.hotmail.com failed: requested record is not found

Although, when I check the DNS:

dig txt selector1._domainkey.hotmail.com

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.13.3-1+b1-Debian <<>> txt selector1._domainkey.hotmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8929
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1764c329d46187c3010000005ebc0bf29f1740fbdd5b3cdf (good)
;; QUESTION SECTION:
;selector1._domainkey.hotmail.com. IN	TXT

;; ANSWER SECTION:
selector1._domainkey.hotmail.com. 3049 IN CNAME 
selector1._domainkey.outbound.protection.outlook.com.
selector1._domainkey.outbound.protection.outlook.com. 3049 IN TXT 
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" 
"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"

;; Query time: 0 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: on. mai 13 17:02:10 CEST 2020
;; MSG SIZE  rcvd: 606

When the selector is a TXT record, everything works as expected:

stored DKIM key for pf2014._domainkey.github.com in LRU cache for 3598 
seconds, 14/2000 elements in the cache

dig txt pf2014._domainkey.github.com

; <<>> DiG 9.13.3-1+b1-Debian <<>> txt pf2014._domainkey.github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23504
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fe0ada55a0f453ec010000005ebc0d49873d475d42c139cd (good)
;; QUESTION SECTION:
;pf2014._domainkey.github.com.	IN	TXT

;; ANSWER SECTION:
pf2014._domainkey.github.com. 3599 IN	TXT	"v=DKIM1; k=rsa; t=y; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaCCQ+CiOqRkMAM/Oi04Xjhnxv3bXkTtA8KXt49RKQExLCmBxRpMp0PMMI73noKL/bZwEXljPO8HIfzG43ntPp1QRBUpn1UEvbp1/rlWPUop3i1j6aUpjxYGHEEzgmT+ncLUBDEPO4n4Zzt36DG3ZcJaLhvKtRkk2off5XD+BMvQIDAQAB"

;; Query time: 77 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: on. mai 13 17:07:53 CEST 2020
;; MSG SIZE  rcvd: 337


Testing with some online DKIM validator services (and other rspamd 
instances earlier in the mailing list chain), everything seems to work 
as intended. This indicates the issue is on my side. Probably a 
misconfiguration somewhere. If anyone has any idea what can cause this, 
please let me know.

Note: All the problematic selectors also cause dig to go into TCP mode 
due to truncation. Can this be the source of the problem?
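
An added example, not part of the original post and not Rspamd code: a small parser for a raw DNS response that reports the three things the dig output above shows for the failing selector, namely the TC (truncated) flag, the CNAME chain in the answer section, and the TXT strings joined into one DKIM record. The function names and the sample messages (built under example.com / example.net) are constructed for illustration.

```python
import struct

TYPE_CNAME, TYPE_TXT, TC_BIT = 5, 16, 0x0200

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 32:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def inspect_response(msg):
    """Report the TC flag plus CNAME and TXT records from the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QTYPE and QCLASS
    cnames, txt = [], []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            cnames.append((owner, read_name(msg, off)[0]))
        elif rtype == TYPE_TXT:
            pos, parts = off, []
            while pos < off + rdlen:             # TXT rdata: length-prefixed strings
                parts.append(msg[pos + 1:pos + 1 + msg[pos]])
                pos += 1 + msg[pos]
            txt.append((owner, b"".join(parts)))  # a DKIM key is the concatenation
        off += rdlen
    return {"truncated": bool(flags & TC_BIT), "cnames": cnames, "txt": txt}

def build_sample(tc):
    """Constructed (not captured) reply: CNAME + two-string TXT, or TC set and no answers."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
    rr = lambda owner, t, rd: owner + struct.pack("!HHIH", t, 1, 3049, len(rd)) + rd
    q, target = enc("sel._domainkey.example.com"), enc("sel._domainkey.example.net")
    ans = b"" if tc else rr(b"\xc0\x0c", TYPE_CNAME, target) + rr(target, TYPE_TXT, b"\x0cv=DKIM1;p=AA\x02BB")
    hdr = struct.pack("!6H", 1, 0x8180 | (TC_BIT if tc else 0), 1, 0 if tc else 2, 0, 0)
    return hdr + q + struct.pack("!HH", TYPE_TXT, 1) + ans
```

Fed the raw UDP reply from the resolver, a result with `truncated` set and empty `cnames`/`txt` means the record is only available after a retry over TCP, which is the condition dig reports with "Truncated, retrying in TCP mode".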

