DKIM authentication fails in some scenarios

Kirby

Affected version
2.2.9
Steps to reproduce
  1. Set up an installation at domain.com/xf-install-1, configure it to send emails as xf-install-1@domain.com and activate DKIM
  2. After activation is completed and DNS has propagated, set up another installation at domain.com/xf-install-2, configure it to send emails as xf-install-2@domain.com, activate DKIM and follow the instructions
  3. Send Test Emails from installation 1 and 2 after DKIM setup on installation 2 has been completed (e.g. DNS has propagated)
Expected Results
Test emails from both installations validate

Actual Result
E-Mails from installation 1 fail DKIM checks as only the key for installation 2 is published

Proposed Solution
Create a unique selector every time DKIM is activated instead of always using xenforo; this would also allow keys to be rotated (as recommended)
 
Could make the selector be something like xf_ . md5($xf.options.boardUrl). Although if you are going to run multiple instances on the same domain, you could just copy the key from install 1 to install 2 rather than trying to manage DNS entries and keys that are unique to sub-directories/installs.
 
Could make the selector be something like xf_ . md5($xf.options.boardUrl).
While this would fix the specific issue, it IMHO still wouldn't be much better than using a constant value, as it doesn't allow keys to be rotated.
Ideally, the selector should be unique and unpredictable - just a random value (that must be valid as a hostname though).

Although if you are going to run multiple instances on the same domain, you could just copy the key from install 1 to install 2 rather than trying to manage DNS entries and keys that are unique to sub-directories/installs.
I (or any other developer) for sure would be able to do that; a normal user wouldn't, as there is no documentation/GUI to do that.
Anyway, this was just an example to show how the current design would break.
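
Added example (not part of the thread and not XenForo code): a PHP illustration of the selector collision from the report and of the per-activation random selector proposed above. The function names are hypothetical, and domain.com and the install names are the report's placeholders.

```php
<?php
// Added example; these functions are hypothetical, not XenForo APIs.

/** DNS name at which a verifier looks up the public key for a selector. */
function dkimRecordName(string $selector, string $domain): string
{
    return $selector . '._domainkey.' . $domain;
}

/** True if $selector is one valid hostname label: letters, digits, hyphen, max 63 chars. */
function isValidSelector(string $selector): bool
{
    return preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i', $selector) === 1;
}

/** New selector per activation: "xf" followed by 16 hex chars from the CSPRNG. */
function newSelector(): string
{
    $selector = 'xf' . bin2hex(random_bytes(8));
    if (!isValidSelector($selector)) {
        throw new RuntimeException('generated selector is not a valid hostname label');
    }
    return $selector;
}

$domain   = 'domain.com';                      // placeholder domain from the report
$installs = ['xf-install-1', 'xf-install-2'];  // the two installations from the report

// Constant selector: both installs map to the same record name. The zone is
// modelled as an array, so the key published last replaces the earlier one.
$published = [];
foreach ($installs as $install) {
    $published[dkimRecordName('xenforo', $domain)] = $install;
}
printf("constant selector: %d record(s), key belongs to %s\n", count($published), end($published));

// Per-activation selector: every install (and every key rotation) gets its own
// record name, so an old key can stay published while a new one is in use.
$published = [];
foreach ($installs as $install) {
    $published[dkimRecordName(newSelector(), $domain)] = $install;
}
foreach ($published as $name => $install) {
    printf("%s -> %s\n", $name, $install);
}
```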
 