ASDA can’t make DKIM work on email

ASDA’s outgoing email is broken – it doesn’t work with DomainKeys Identified Mail (DKIM)

So, yet another national/multi-national company that doesn’t know how to do email properly… this time it’s ASDA…

Lots of errors in our server logs, with us generating SMTP 421 (defer) responses and rejecting their DKIM-signed email:

2016-09-25 19:10:27 1boDsa-0001X1-V1 DKIM: d=asda.co.uk s=mail c=relaxed/simple a=rsa-sha256 b=2048 [invalid - public key record (currently?) unavailable]
2016-09-25 19:10:27 1boDsa-0001X1-V1 DKIM START: domain=asda.co.uk possible_signer=asda.co.uk status=invalid (reason=pubkey_unavailable)
2016-09-25 19:10:27 1boDsa-0001X1-V1 DKIM DEFER: domain=asda.co.uk
2016-09-25 19:10:27 1boDsa-0001X1-V1 H=homgw007.wal-mart.com (ppes-mail-e5.wal-mart.com) [161.165.225.36] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no temporarily rejected DKIM : Message from asda.co.uk cannot be verified

Why…? Because someone thought it would be a good idea to implement DKIM on their outgoing email, but then only did half the job!

What’s wrong with their DKIM?

According to the DKIM-Signature header it’s signed for the domain “asda.co.uk” with a selector of “mail”… OK, so over to ProtoDave.com to check it:

[Screenshot: ProtoDave.com DKIM key check for asda.co.uk, selector “mail”]

and there we have it … there’s no TXT record … no DKIM public key => fail!

Summary

If you’re going to set up DKIM on outgoing email – which is a good idea – then there are two parts to it:

  1. Setting up your Mail Transfer Agent to add your DKIM signature using your private key
  2. Publishing your public key in your DNS zone file so that people can verify your DKIM signature

Unless you do both parts it won’t work… More importantly, proper mail relay sites like ours that bother to police DKIM signatures will be unable to verify your email and hence will reject (or defer) it… effectively returning it to you and waiting for you to fix the problem!
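As an added example (not the blog’s own tooling, and not what ProtoDave.com runs), here is a small Python checker that automates the manual lookup above and tests the second half of the setup: it reads the `d=` and `s=` tags from a DKIM-Signature header, derives the record name a verifier queries (`<selector>._domainkey.<domain>`), fetches the TXT record and reports whether a usable public key is published. The status strings are modelled on the Exim log lines quoted earlier. The resolver is injected so the example runs offline against a constructed zone; the domains `good.example` and `broken.example`, the key material and the sample headers are all made up, with `broken.example` mirroring the asda.co.uk failure (signature present, no key in DNS).

```python
"""DKIM public-key availability check (added example, not the post's own code)."""
import re
from typing import Callable, Dict, List

# A resolver maps a DNS name to the list of TXT strings found there ([] if none).
Resolver = Callable[[str], List[str]]


def parse_tags(tag_list: str) -> Dict[str, str]:
    """Parse a 'k=v; k2=v2' tag list.

    DKIM-Signature headers and DKIM1 TXT records share this syntax (RFC 6376).
    Folding whitespace inside values is dropped, as the RFC allows for base64 fields.
    """
    tags: Dict[str, str] = {}
    for part in tag_list.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_query_name(signature: Dict[str, str]) -> str:
    """Build the name a verifier looks up: <s>._domainkey.<d>."""
    return f"{signature['s']}._domainkey.{signature['d']}"


def check_public_key(dkim_signature: str, resolve: Resolver) -> str:
    """Return a status modelled on the Exim log in the post.

    'ok'                  a DKIM1 record with a non-empty p= tag exists
    'pubkey_unavailable'  no TXT record at the selector name (the ASDA case)
    'pubkey_revoked'      record exists but p= is empty (key revoked, RFC 6376 3.6.1)
    'pubkey_syntax'       record exists but is not a usable DKIM1 key record
    'bad_signature'       header lacks the d= or s= tag
    """
    sig = parse_tags(dkim_signature)
    if "d" not in sig or "s" not in sig:
        return "bad_signature"
    records = resolve(dns_query_name(sig))
    if not records:
        return "pubkey_unavailable"
    for txt in records:
        rec = parse_tags(txt)
        # v= is optional in a key record, but if present it must be DKIM1
        if rec.get("v", "DKIM1") != "DKIM1":
            continue
        if "p" not in rec:
            return "pubkey_syntax"
        if rec["p"] == "":
            return "pubkey_revoked"
        return "ok"
    return "pubkey_syntax"


# Constructed sample zone (not real DNS data). The p= value is a placeholder, not a key.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "mail._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDplaceholder"],
    "old._domainkey.good.example": ["v=DKIM1; k=rsa; p="],  # revoked selector
    # broken.example signs mail but never published its selector
}


def offline_resolver(name: str) -> List[str]:
    """Resolver backed by the constructed zone above, so the example runs offline."""
    return SAMPLE_ZONE.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Resolver using dnspython (pip install dnspython); [] on NXDOMAIN or no TXT answer."""
    import dns.resolver  # imported lazily so the offline path has no dependency
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return ["".join(s.decode() for s in rdata.strings) for rdata in answer]


# Constructed headers: same shape as a real DKIM-Signature, with dummy hash/signature values.
GOOD_HEADER = "v=1; a=rsa-sha256; c=relaxed/simple; d=good.example; s=mail; h=from:to:subject; bh=abc=; b=xyz="
BROKEN_HEADER = "v=1; a=rsa-sha256; c=relaxed/simple; d=broken.example;\r\n\ts=mail; h=from:to:subject; bh=abc=; b=xyz="

if __name__ == "__main__":
    for header in (GOOD_HEADER, BROKEN_HEADER):
        sig = parse_tags(header)
        print(f"{dns_query_name(sig)}: {check_public_key(header, offline_resolver)}")
```

For a live check of a sender’s setup, swap in `live_resolver` (or simply run `dig +short TXT mail._domainkey.asda.co.uk` and look for a `v=DKIM1` string). A verifier treats the `pubkey_unavailable` case as a temporary failure, which is exactly why the log above shows a defer rather than a hard reject.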

Conclusion

ASDA’s email is broken – either they or their parent Wal*Mart needs to fix their outgoing mail – sigh 🙁