{"id":566,"date":"2012-12-19T11:10:48","date_gmt":"2012-12-19T10:10:48","guid":{"rendered":"http:\/\/elkano.org\/blog\/?p=566"},"modified":"2012-12-19T11:12:31","modified_gmt":"2012-12-19T10:12:31","slug":"550-message-does-not-pass-domainkeys-requirements-for-domain","status":"publish","type":"post","link":"https:\/\/elkano.org\/blog\/550-message-does-not-pass-domainkeys-requirements-for-domain\/","title":{"rendered":"550 Message does not pass DomainKeys requirements for domain"},"content":{"rendered":"

I got this error from my mail server log when attempting to send a mail to one of our clients: <\/p>\n

\r\n\/var\/log\/syslog.4.gz:Dec 14 18:13:01 XXXXXX postfix\/smtp[26150]: 01BA812B22C: to=<xxxxx@yyyyy.com>, \r\nrelay=smtp.xxxxxx.com[1.2.3.4]:25, delay=0.11, delays=0.03\/0.01\/0.02\/0.05, dsn=5.0.0,\r\nstatus=bounced (host smtp.xxxxxx.com[1.2.3.4] said: 550 Message does not pass DomainKeys requirements\r\n for domain zzzz.com (in reply to end of DATA command))\r\n<\/pre>\n
I’ve not implemented DomainKeys in my mail servers (but they was in the past), but I noticed that my DNS servers was wrong configured to support this protocol. DomainKeys needs two TXT records, one for the policy and one for the selector.<\/p>\n
The policy is set with a TXT record for _domainkey.yourdomain.com, “o=~;” means that some mails can be signed and “o=-;” means all mails must be signed for domain yourdomain.com. I my case I had to change “o=-;” to “o=~;” because now, I was not using Domainkeys in my MTAs.<\/p>\n
\r\n_domainkey                TXT    "o=~;"\r\n<\/pre>\n
The selector is implemented with other TXT record, in which you set your public key. According to RFC<\/a>:<\/p>\n
 Selectors are arbitrary names below the “_domainkey.” namespace.  A selector value
\n   and length MUST be legal in the DNS namespace and in email headers
\n   with the additional provision that they cannot contain a semicolon.<\/p><\/blockquote>\n
\r\nbrisbane._domainkey IN TXT "g=; k=rsa; p=MHww ... IDAQAB"\r\n<\/pre>\n
The flags you can set are explained below: <\/p>\n
g = granularity of the key.  If present with a non-zero length
\n          value, this value MUST exactly match the local part of the
\n          sending address.  This tag is optional.<\/p>\n
          The intent of this tag is to constrain which sending address
\n          can legitimately use this selector.  An email with a sending
\n          address that does not match the value of this tag constitutes
\n          a failed verification.<\/p>\n
      k = key type (rsa is the default).  Signers and verifiers MUST
\n          support the ‘rsa’ key type.  This tag is optional.<\/p>\n
      n = Notes that may be of interest to a human.  No interpretation
\n          is made by any program.  This tag is optional.<\/p>\n
      p = public key data, encoded as a Base64 string.  An empty value
\n          means that this public key has been revoked.  This tag MUST be
\n          present.<\/p>\n
      t = a set of flags that define boolean attributes.  Valid
\n          attributes are as follows:<\/p>\n
          y = testing mode.  This domain is testing DomainKeys and
\n              unverified email MUST NOT be treated differently from
\n              verified email.  Recipient systems MAY wish to track
\n              testing mode results to assist the sender.<\/p>\n
          This tag is optional.\n<\/p><\/blockquote>\n
For example, valid entries for selectors can be:<\/p>\n
      “coolumbeach._domainkey.example.net”
\n      “sebastopol._domainkey.example.net”
\n      “reykjavik._domainkey.example.net”
\n      “default._domainkey.example.net”<\/p>\n
Here, you can use these links to test if your DNS records are well formed. the first one is to check your policy and the last one to check the selector:<\/p>\n
http:\/\/domainkeys.sourceforge.net\/policycheck.html<\/a>
\nhttp:\/\/domainkeys.sourceforge.net\/selectorcheck.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
I got this error from my mail server log when attempting to send a mail to one of our clients: \/var\/log\/syslog.4.gz:Dec 14 18:13:01 XXXXXX postfix\/smtp[26150]: 01BA812B22C: to=<xxxxx@yyyyy.com>, relay=smtp.xxxxxx.com[1.2.3.4]:25, delay=0.11, delays=0.03\/0.01\/0.02\/0.05, dsn=5.0.0, status=bounced (host smtp.xxxxxx.com[1.2.3.4] said: 550 Message does not pass DomainKeys requirements for domain zzzz.com (in reply to end of DATA command)) I’ve not implemented […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[73,74,72],"_links":{"self":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/566"}],"collection":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/comments?post=566"}],"version-history":[{"count":20,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/566\/revisions"}],"predecessor-version":[{"id":587,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/566\/revisions\/587"}],"wp:attachment":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/media?parent=566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/categories?post=566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/tags?post=566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}