Cisco ESA - DKIM signatures do not verify on outlook, hotmail

Hernan69 · ‎04-11-2019

Morning,

We have just deployed our new ESA and when an email is sent from my organization to my organization email addresses, yahoo.co.uk, Gmail, iCloud, etc the DKIM signature passes and all emails are delivered to the 'Inbox' with the exception of Outlook/Hotmail, all my organization email go directly to the Junk folder:

Fail header note:

Authentication-Results: spf=pass (sender IP is xx.xx.xx.xx)
smtp.mailfrom=mydomain.co.uk; hotmail.com; dkim=fail (signature
did not verify) header.d=mydomain.co.uk;hotmail.com; dmarc=pass
action=none header.from=mydomain.co.uk;
Received-SPF: Pass (protection.outlook.com: domain of
mydomain.co.uk designates xx.xx.xx.xx as permitted sender)
receiver=protection.outlook.com; client-ip=xx.xx.xx.xx;
helo=blah2.hx5555-55.x1x2.iphmx.com;

Thanks,
Hernan

marc.luescherFRE · ‎04-11-2019

We ran into similar issues with our customer facing domains a while back.

After verifying that all outbound message are correctly DKIM signed and the alignment is correct we did some further research.

Having an older - even no longer officially required - SenderID DNS entry helped us overcome the issue for our outbound patient emails sent to Hotmail, Outlook, AOL and comcast.net to be classified as junk.

All those providers have a stricter validation policy.

Such a DNS record would just be a TXT record for your email domain with spf2.0/pra ?all as content.

Hope that helps you as well.