Showing results for 
Search instead for 
Did you mean: 
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in:
Encryption Bug Search
Encryption Plug-in:
Cloud Mailbox Notification Service
Outlook Add-in(s): More info


DKIM & Dmarc failure while forwarding email from outside domain

Hi Everyone, we had a problem with dkim & dmarc verification. if we send an email directly to the outside domain, the email successfully sent and the verification of dkim and dmarc pass. but when we forward some email that we received form outside domain, and we forward it to the 3rd recipient domain, the email failed with error on the header is dkim or dmarc fail.


* for example xxx is our domain, and yahoo is the email domain that we forward to the 3rd domain recipient.

authentication-Results:; dkim=hardfail (body hash did not verify [final]); spf=SoftFail; dkim=hardfail (body hash did not verify [final]); dmarc=fail (p=reject dis=quarantine)


also on our dkim global settings we set the configuration like this

DKIM Signing of System Generated Messages : on

use from header for dkim signing : off


is the error related to the signing on dkim global setting ?

and what the different of signing of system generated message and use from header for dkim signing?

Libin Varghese
Cisco Employee

System generated messages refer to emails being generated by the ESA itself.

Using from header for dkim signing is optional, when not enabled it will use the domain mentioned in the envelope sender.


The "body hash did not verify" error suggests that the email was modified by a host after it has been signed.





"body hash did not verify" means that the email body has been modified by for example disclaimers or subject modifications.

header DKIM-Signature contains h= part enumerating headers which took part in DKIM signing. ESA standard is from:to:subject:date:message-id:mime-version; - if any of those are modified by your ESA then DKIM signature will no longer be valid.


For SPF fail problems check Bounce verification feature.


I would try a test by relaxing your DKIM signing profiles.

Yahoo does very strict DKIM verification.


In your signing profile for your domain : 


Caonialization : Headers -> Relaxed

                        Body -> Relaxed



Headers To Sign -> Standard


This should do the trick.



Recognize Your Peers
Content for Community-Ad