I have set up DKIM with Postfix using this tutorial http://www.howtoforge.com/set-up-dkim-on-postfix-with-dkim-milter-centos-5.2 and it seems to be signing emails successfully. The problem is that in *some* situations the result is dkim=hardfail, at Gmail for example.

If I simply do:

# echo hi | mail [email protected]

I get dkim=pass. Here is the header:

However, if I send the same email from Apache via PHP, for example, I get dkim=hardfail. The headers seem almost exactly the same, and the email is still getting signed, but it's just failing. I think it must be signing it incorrectly, but I don't know how it figures out what to sign. Any clues would be much appreciated.
I modified /etc/sysconfig/dkim-milt and changed CANON=simple to CANON=relaxed/relaxed, and this seems to do the trick. Problem solved!
That indicates that something is modifying the email after signing has already taken place. If you sign mails with simple canonicalization, any modifications lead to failure in verification; relaxed canonicalization is more tolerant of modifications after signing. If you have the time, take a look at the DKIM RFC, available at http://www.ietf.org/rfc/rfc4871.txt
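
Added example (not part of the original thread, and not dkim-milter's code): a sketch of the simple and relaxed canonicalization rules from RFC 4871 section 3.4, showing why whitespace-only changes after signing break a simple signature but not a relaxed one. The function names, the sample message and the in-transit changes are constructed for illustration, and header_digest is a stand-in for the data a real signer feeds to RSA.

```python
import base64, hashlib, re

def canon_header(name, value, mode):
    """Canonicalize one header field (RFC 4871 3.4.1 simple, 3.4.2 relaxed)."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                   # every byte is significant
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse WSP runs, trim ends
    return f"{name.lower().strip()}:{value}\r\n"       # lowercase the field name

def canon_body(body, mode):
    """Canonicalize the body (RFC 4871 3.4.3 simple, 3.4.4 relaxed)."""
    if mode == "relaxed":
        # collapse WSP runs inside lines and drop WSP at the end of each line
        body = "\r\n".join(re.sub(r"[ \t]+", " ", line).rstrip(" ")
                           for line in body.split("\r\n"))
    while body.endswith("\r\n"):                       # ignore empty lines at the end
        body = body[:-2]
    return body + "\r\n" if (body or mode == "simple") else ""

def body_hash(body, mode):
    """Value of the bh= tag for a SHA-256 signature."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def header_digest(headers, mode):
    """Stand-in for the signed header data (a real signature also covers
    the DKIM-Signature field itself and is produced with the RSA key)."""
    data = "".join(canon_header(n, v, mode) for n, v in headers)
    return hashlib.sha256(data.encode()).hexdigest()

def survives(signed, received, mode):
    """True if the message as received still matches what was signed."""
    (h1, b1), (h2, b2) = signed, received
    return (header_digest(h1, mode) == header_digest(h2, mode)
            and body_hash(b1, mode) == body_hash(b2, mode))

# Constructed sample: the message as signed, and as it arrived after some hop
# re-folded the Subject header and left trailing whitespace in the body.
SIGNED = ([("Subject", " Monthly report for the web team"),
           ("From", " www@example.org")], "hi\r\nsee attached\r\n")
RECEIVED = ([("Subject", " Monthly report\r\n  for the web team"),
             ("From", " www@example.org")], "hi \r\nsee attached\r\n\r\n")

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "->", "pass" if survives(SIGNED, RECEIVED, mode) else "fail")
```

Relaxed canonicalization only forgives whitespace and header-name case; a change to the actual content of a signed header or of the body still fails under both modes.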