EFA and DKIM checks at receiving end

[ovizii]

So my EFA receives emails and forwards them to my server using opendkim to send and check received emails.
EFA is configured properly (in the config files there is an option to properly add headers at the top of messages and not replace them) and yet my receiving server throws warnings like these:

this one is about an email coming from Google Apps, with proper SPF/DKIM/dmarc setup:

Code: Select all

Authentication-Results: mike.knightsenglish.com; dkim=fail 
reason="verification failed; unprotected key" 
header.d=pacura.ru header.i=@pacura.ru 
header.b=J2TxdPbe; dkim-adsp=none (unprotected policy); dkim-atps=neutral

this one is about an email coming from a server under my control, with proper SPF/DKIM/dmarc setup:

Code: Select all

Authentication-Results: mike.knightsenglish.com; dkim=pass
reason="4096-bit key; unprotected key"
header.d=intramed.sa.com header.i=@intramed.sa.com
header.b=qL9xD/z+; dkim-adsp=pass; dkim-atps=neutral

Has anyone got an idea how to fix this?

I'd also be happy to skip DKIM checks on incoming messages since they get filtered through EFA anyway and there are DKIM checks already in place.

Anyone familiar with opendkim?

The dmarc policies are:

Code: Select all

v=DMARC1; p=reject; pct=100;
v=DMARC1; p=quarantine; pct=25;

so basically the first one says: if it fails, reject 100% of failed emails while the second one says to quarantine 25% of failed emails.

But none of these 2 should fail. I'm sure its because of being EFA in the middle.


###edit###
to make things easier, here is the full email content with all headers of the first email of the two mentioned above: http://pastebin.com/aExuVJG0

[ovizii]

figured out how to use opendkim for signing outgoing emails only:

in /etc/opendkim.conf

set
Mode sv
to
Mode s

s=signing
v=verifying

but still, I'd be interested to know how exactly one has to configure EFA so this works properly.