
DKIM key is not signed by DNSSEC / DKIM_POLICYERROR_KEY_INSECURE, missing spf and dmarc results #261

Closed
johnxba opened this issue May 15, 2021 · 4 comments


johnxba commented May 15, 2021

Thunderbird on Windows 78.10.1 (64-bit) using extensions/libunbound-2.dll and a fixed name server IP (ISP, runs powerdns).

Mails on some domains get DKIM, SPF and DMARC results, but messages from my own domain (and several others) do not show SPF and DMARC, even though all of these are set. DKIM is shown as valid with a yellow triangle containing an exclamation mark which has the text "DKIM key is not signed by DNSSEC".

```
DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"3.0","dkim":[{"version":"2.0","result":"SUCCESS","sdid":"domain.tld","auid":"@domain.tld","selector":"[removed]","warnings":[{"name":"DKIM_POLICYERROR_KEY_INSECURE"}],"keySecure":false}]}
```

DKIM Valid (Signed by domain.tld) [yellow warning icon]

The tld and name servers have DNSSEC active.

By importing a saved message to a new message folder, a yellow lock appears without text:

```
DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"3.0","dkim":[{"version":"2.0","result":"SUCCESS","sdid":"domain.tld","auid":"@domain.tld","selector":"[removed]","warnings":[],"keySecure":true}]}
```

DKIM Valid (Signed by domain.tld) [yellow lock icon]

The same effect occurs when an existing message is copied into a subfolder. Perhaps it is influenced by timings or timestamps?

Other domains show this:

```
DKIM_Verifier.AuthVerifier DEBUG AuthResult result found: {"version":"3.0","dkim":[{"version":"2.0","result":"SUCCESS","warnings":[],"sdid":"luffy.cx","auid":"@luffy.cx"},{"version":"2.0","result":"SUCCESS","warnings":[],"sdid":"messagingengine.com","auid":"@messagingengine.com"}],"spf":[{"method":"spf","method_version":1,"result":"pass","propertys":{"smtp":{"mailfrom":"[removed]luffy.cx"},"header":{},"body":{},"policy":{}}}],"dmarc":[{"method":"dmarc","method_version":1,"result":"pass","propertys":{"smtp":{},"header":{"from":"luffy.cx"},"body":{},"policy":{}}}]}
```

DKIM Valid (Signed by luffy.cx) spf: PASS DMARC: pass

There is no lock or warning icon.

Questions:

1. Why does dkim_verifier show a yellow lock?
2. Why are SPF and DMARC not shown?
3. Is there a fix?

Thanks for dkim_verifier and any help.

lieser (Owner) commented May 15, 2021

> Mails on some domains get DKIM, SPF and DMARC results, but messages my own domain (and several others) do not show spf and DMARC, even though all of these are set.

The add-on itself is not doing any SPF/DMARC checks, only optionally displaying the result saved in the message (https://github.com/lieser/dkim_verifier/wiki/Options#read-authentication-results-header).
Please make sure that the messages actually contain an Authentication-Results header. Maybe your mail server is not adding that for mails sent only through the internal servers.

> DKIM is shown as valid with a yellow triangle containing a exclamation mark which has text "DKIM key is not signed by DNSSEC".

You have enabled the saving of the DKIM result (https://github.com/lieser/dkim_verifier/wiki/Options#save-result-of-the-verification). This also contains the DNSSEC state (see the "keySecure":true part of the debug output). The result is probably from before you configured the usage of libunbound. You can manually trigger a new verification via the DKIM button in the header.

If the above does not help: Do you have caching of keys enabled? If yes, press the DKIM button in the header and select updating the DKIM key.

Note that this warning can be configured in the advanced options, and is off by default (https://github.com/lieser/dkim_verifier/wiki/Options#treat-dkim-key-not-signed-by-dnssec-as).

> By importing a saved message to a new message folder, a yellow lock appears without text:

When you import a message it should not be able to find any saved result, even if you may have the same message in a different folder.
So this should have resulted in a new verification to happen, which also explains the different result.

> Why does dkim_verifier show a yellow lock?

This is to indicate a key secured by DNSSEC. See https://github.com/lieser/dkim_verifier/wiki/Options#indicate-successful-dnssec-validation-with-a-lock-after-the-sdid

> Why are SPF and DMARC not shown?

Like I wrote above, please check if the affected message has an Authentication-Results, and that you have enabled the reading of the header.

As you seem to play around with copying/importing messages:
Note that the API provided to extensions in the current stable Thunderbird version (78) has problems if messages in the same folder have the same Message-ID.
This was fixed in newer unstable versions (around TB 85). Until then you may see some weird issues if you have multiple copies of a message in the same folder.
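
The two mechanisms described in the comment above (the add-on only displays SPF/DMARC results that come from a stored Authentication-Results header, and the lock/warning icon is derived from the saved DKIM result's `keySecure` flag and `DKIM_POLICYERROR_KEY_INSECURE` warning) can be illustrated with a small script. This is an added example and not dkim_verifier's own code: the AuthResult field names (including the `propertys` key) follow the debug output in this issue, while the rendering rules, the Authentication-Results parser, the function names and the sample header value are assumptions made here for illustration.

```javascript
// Added example (not dkim_verifier code). Field names follow the AuthResult
// debug output in this issue; everything else is an illustrative assumption.

// Constructed sample: the saved result from the issue, with the selector
// replaced by a placeholder.
const SAVED_INSECURE = {
  version: "3.0",
  dkim: [{ version: "2.0", result: "SUCCESS", sdid: "domain.tld", auid: "@domain.tld",
           selector: "selector-placeholder",
           warnings: [{ name: "DKIM_POLICYERROR_KEY_INSECURE" }], keySecure: false }],
};
// Same message re-verified over libunbound with DNSSEC validation succeeding.
const SAVED_SECURE = { ...SAVED_INSECURE,
  dkim: [{ ...SAVED_INSECURE.dkim[0], warnings: [], keySecure: true }] };
// Constructed Authentication-Results header value (RFC 8601 syntax), i.e. the
// part after "Authentication-Results:". The parenthesised comment is a CFWS
// comment that a parser must ignore.
const SAMPLE_AR_HEADER = "mx.example.net; dkim=pass header.d=luffy.cx; " +
  "spf=pass (sender authorised) smtp.mailfrom=bounce@luffy.cx; dmarc=pass header.from=luffy.cx";

// Derive what the header line would show from a saved AuthResult object.
// Assumed rules: a successful signature whose key was not DNSSEC-secured
// yields the warning triangle (only if the "treat DKIM key not signed by
// DNSSEC as" option is set to warn); a keySecure signature yields the lock.
function summarizeAuthResult(authResult) {
  const summary = { dkim: [], spf: null, dmarc: null, icon: null };
  for (const sig of authResult.dkim || []) {
    const warnings = (sig.warnings || []).map((w) => w.name);
    summary.dkim.push({ sdid: sig.sdid, result: sig.result, warnings });
    if (sig.result !== "SUCCESS" || summary.icon) continue;
    if (warnings.includes("DKIM_POLICYERROR_KEY_INSECURE")) summary.icon = "warning";
    else if (sig.keySecure === true) summary.icon = "lock";
  }
  // SPF/DMARC are never computed by the add-on: they exist only when an
  // Authentication-Results header was read and stored next to the DKIM result.
  const first = (arr) => (Array.isArray(arr) && arr.length ? arr[0].result : null);
  summary.spf = first(authResult.spf);
  summary.dmarc = first(authResult.dmarc);
  return summary;
}

// Parse an Authentication-Results header value into its authserv-id and a
// list of {method, result, props}. Entries such as "none" or malformed
// method/result pairs are skipped rather than trusted.
function parseAuthenticationResults(headerValue) {
  const cleaned = headerValue.replace(/\([^)]*\)/g, " "); // drop CFWS comments
  const parts = cleaned.split(";").map((p) => p.trim()).filter(Boolean);
  const authservId = parts.shift() || "";
  const results = [];
  for (const part of parts) {
    const tokens = part.split(/\s+/);
    const m = /^([a-z0-9-]+)=([a-z]+)$/i.exec(tokens[0]);
    if (!m) continue;
    const props = {};
    for (const tok of tokens.slice(1)) {
      const pm = /^([a-z]+)\.([a-z0-9_-]+)=(.+)$/i.exec(tok); // ptype.property=value
      if (pm) props[`${pm[1]}.${pm[2]}`] = pm[3];
    }
    results.push({ method: m[1].toLowerCase(), result: m[2].toLowerCase(), props });
  }
  return { authservId, results };
}

// Attach spf/dmarc entries from a header to a saved result, using the same
// {method, method_version, result, propertys:{smtp,header,body,policy}}
// shape as the debug output in this issue. Without a header the result
// stays DKIM-only, which is why SPF/DMARC were missing for the reporter.
function mergeHeaderResults(authResult, headerValue) {
  const { results } = parseAuthenticationResults(headerValue);
  const merged = { ...authResult };
  for (const method of ["spf", "dmarc"]) {
    const hits = results.filter((r) => r.method === method).map((r) => {
      const propertys = { smtp: {}, header: {}, body: {}, policy: {} };
      for (const [key, value] of Object.entries(r.props)) {
        const [ptype, name] = key.split(".");
        if (propertys[ptype]) propertys[ptype][name] = value;
      }
      return { method, method_version: 1, result: r.result, propertys };
    });
    if (hits.length) merged[method] = hits;
  }
  return merged;
}

console.log(summarizeAuthResult(SAVED_INSECURE));
console.log(summarizeAuthResult(mergeHeaderResults(SAVED_SECURE, SAMPLE_AR_HEADER)));
```

Running it shows the stored DKIM-only result producing a warning icon with `spf` and `dmarc` both `null`, and the DNSSEC-secured result merged with a header producing the lock plus `spf: "pass"` and `dmarc: "pass"`. Note that the header is only as trustworthy as the server that added it; the add-on's option to read it assumes that server is your own, which is exactly the case the reporter lacked.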

@lieser lieser self-assigned this May 15, 2021
johnxba (Author) commented May 16, 2021

Thanks for clarifying. There is no Authentication-Results header in the mails as these were received by another mail server which does not do that. There is no DKIM added for internal mail.

The DKIM list has a delete button, but it works just for one line at a time and there are a huge number of them. How can all stored keys be deleted? Select all highlights all text, but it does not select multiple rows in the table.

Does the color yellow of the lock have a special meaning? The image in the documentation shows a black lock.

lieser (Owner) commented May 16, 2021

> The DKIM list has a delete button, but it works just for one line at a time and there are a huge number of them. How can all stored keys be deleted? Select all highlights all text, but it does not select multiple rows in the table.

Unfortunately there currently is no simple way to delete all stored DKIM keys. I added this as a potential improvement to #248.

But there exist workarounds to do it:

1. Delete the dkimKey.sqlite file in your Thunderbird profile. This is the store used by older versions (pre 4.x), and would otherwise be migrated again, wasting the following effort.
2. Delete the currently stored keys by either
   - Deleting all the data stored directly by the current version. This will also delete your preferences and sign rules, though they may be partly restored by being migrated again from the old locations.
     1. Uninstall the add-on
     2. Restart Thunderbird
     3. Install the add-on again
   - Only deleting the keys (more complicated)
     1. Open the add-on in the debugger (see Step 1-3 in https://github.com/lieser/dkim_verifier/wiki/Debug#add-on-version-4x-and-later)
     2. Select the Storage tab
     3. Open the Extensions Storage on the left and select the only entry
     4. Right click on the keyStore entry in the middle and select Delete "keyStore"

> Does the color yellow of the lock have a special meaning? The image in the documentation shows a black lock.

No, it has not. The lock shown is a Unicode symbol (https://www.fileformat.info/info/unicode/char/1f512/index.htm), so how exactly it looks depends on the font. The picture still shows how it looked in an older version of Thunderbird (on Windows).

@johnxba johnxba closed this as completed May 16, 2021
johnxba (Author) commented May 16, 2021

Thanks, that's all clear.
