Incorrect deployment of DKIM for govmu.org

3 February 2015 by S. Moonesamy

govmu.org email

DomainKeys Identified Mail (DKIM) is an Internet Standard which permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. The Government of Mauritius uses the govmu.org domain name for email. The following message originated from govmu.org:

Authentication-Results: mx.elandsys.com; dkim=permerror
reason="key not found" header.d=govmu.org header.i=@govmu.org
header.b=SEU4jSB2; dkim-adsp=none (secure policy)
DKIM-Signature: v=1; a=rsa-sha256; d=govmu.org; s=dkimgovmuorg; c=relaxed/simple;
q=dns/txt; i=@govmu.org; t=1422868830; x=1454404830;
h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type:
Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=CCLi7pvwF12WjcucDYcjR5Wsuxb4nm8nhIVi/iVtPKw=;
b=SEU4jSB2/yWFw0ErvLtrTpF/QSVTkXUO7V6PmR5SyMEKr+sC/k8bwQAPLQJdEJvX
164S9/RKdcrqZOISK8bkFYqwgNkIwcPTYiQLAN1QjQveW709AfJmLYsCKBu/Cjkw
GvhalGEgeSfolDnvJGcksAWijttFYpP+B3nx0YX6uDM=;
X-AuditID: ca7b1b68-b7fed8e000007592-48-54cf415eb1f1
Received: from C11-EX-SVR-MBX4.gov.mu ( [192.168.6.24])
by mxmail.gov.mu (**) with SMTP id 63.B2.30098.E514FC45; Mon, 2 Feb 2015 13:20:30 +0400 (GST)

The message failed DKIM verification because of a "key not found" error.

Deployment of DKIM

The best practice is for an organization deploying DKIM to ensure that the public keys can be retrieved from DNS so that messages with a "DKIM-Signature" header field can be verified by receivers. A TXT query for the selector named in the signature (s=dkimgovmuorg, d=govmu.org) returns NXDOMAIN:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dkimgovmuorg._domainkey.govmu.org. IN TXT

;; AUTHORITY SECTION:
govmu.org. 600 IN SOA pdns05.domaincontrol.com. dns.jomax.net. 2015012001 28800 7200 604800 600
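
A pre-deployment check for the failure shown above, as an added example (not code from the original article): it derives the selector record name from the s= and d= tags of the signature and reports what a verifier would conclude from the TXT lookup. The `lookup` callable and the three zone dictionaries are assumptions constructed for illustration and stand in for a real DNS resolver; the header value is abridged.

```python
import re

# DKIM-Signature value from the message above, abridged (h= and b= shortened).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=govmu.org; s=dkimgovmuorg; c=relaxed/simple;\r\n"
    " q=dns/txt; i=@govmu.org; t=1422868830; x=1454404830;\r\n"
    " h=From:Sender:Reply-To:Subject:Date; b=SEU4jSB2"
)

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # empty item after a trailing ';'
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def key_query_name(sig):
    """Name of the TXT record holding the public key: <s>._domainkey.<d>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_key(sig_header, lookup):
    """lookup(name) returns the TXT string at name, or None if no record exists."""
    name = key_query_name(parse_tags(sig_header))
    txt = lookup(name)
    if txt is None:
        return name, "permerror: key not found"      # the case on this page
    key = parse_tags(txt)
    if "p" not in key:
        return name, "permerror: key syntax error"   # record exists, no p= tag
    if key["p"] == "":
        return name, "permerror: key revoked"        # empty p= means revoked
    return name, "key published"

# Constructed DNS views (assumptions for illustration, not real records).
RECORD = "dkimgovmuorg._domainkey.govmu.org"
ZONE_AS_OBSERVED = {}                                 # NXDOMAIN, as in the query above
ZONE_FIXED = {RECORD: "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"}
ZONE_REVOKED = {RECORD: "v=DKIM1; p="}

if __name__ == "__main__":
    for label, zone in [("observed", ZONE_AS_OBSERVED), ("fixed", ZONE_FIXED),
                        ("revoked", ZONE_REVOKED)]:
        print(label, *check_key(DKIM_SIGNATURE, zone.get))
```

Running the same check against the authoritative name servers before the signer is switched on catches a selector that was never published.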

Conclusion

The deployment of DKIM for govmu.org is incorrect as the public keys required for DKIM verification are not available from DNS. It is doubtful whether the organization responsible for govmu.org is aware of DKIM best practices.

1. DomainKeys Identified Mail (DKIM) Signatures