Bug #17406
Notification emails are DKIM-signed, but key isn't published
0%
Description
Emails (such as the recently sent announcement for Tails 4.2) have a DKIM-Signature header field, but the public key isn’t published in DNS, so the signature can’t be verified.
The DKIM-Signature header field looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boum.org;
s=stigmate; t=1578420772;
bh=NgMFrvAo9txelbtOaQzhLZjhzoWwFkE0Xk0evQlJHi8=;
h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:
List-Post:List-Help:List-Subscribe:Reply-To:From;
b=tiEniD01Hmllbx81bllRqpZtaf9VTyaHdVNNvV4D8zs+7SfWNKDy7eJBHDIKb/yxY
OnDhiLR+Z5NtJkHk0tMWaZlhexy7Rv7O4I3dlcBcxRsWjlQGaMIz/25g7oMrGHa1/p
PrJJTK4orS4j14+9HodOktSDN7sCy/Icnclbm9Kc=
the selector (s= value) is stigmate, so there should be a DNS TXT record containing the public key for the signature at stigmate._domainkey.boum.org, but that record doesn’t exist. Instead, my email server reports:
Authentication-Results: <hostname redacted>; dkim=permerror
reason="key not found" header.d=boum.org header.i=
boum.org
header.b=tiEniD01; dkim-adsp=none (unprotected policy);
dkim-atps=neutral
@
Subtasks
History
#1 Updated by jimfenton 2020-01-09 02:00:52
This can adversely affect the delivery of announcement emails, so ought to be fixed.