DKIM & Dmarc failure while forwarding email from outside domain

Hi everyone, we had a problem with DKIM & DMARC verification. If we send an email directly to the outside domain, the email is sent successfully and the DKIM and DMARC verification passes. But when we forward an email that we received from an outside domain to a 3rd recipient domain, the email fails, and the error in the header is DKIM or DMARC fail.

 

* For example, xxx is our domain, and yahoo is the email domain that we forward to the 3rd domain recipient.

authentication-Results: mx.xxx.com; dkim=hardfail (body hash did not verify [final]) header.i=@yahoo.co.id; spf=SoftFail smtp.mailfrom=user@xxx.com; dkim=hardfail (body hash did not verify [final]) header.i=@yahoo.co.id; dmarc=fail (p=reject dis=quarantine) d=yahoo.co.id

 

Also, in our DKIM global settings we set the configuration like this:

DKIM Signing of System Generated Messages : on

use from header for dkim signing : off

 

Is the error related to the signing in the DKIM global settings?

And what is the difference between "DKIM Signing of System Generated Messages" and "Use From Header for DKIM Signing"?

 

Libin Varghese
Cisco Employee

System generated messages refer to emails being generated by the ESA itself.

Using the From header for DKIM signing is optional; when not enabled, it will use the domain mentioned in the envelope sender.

 

The "body hash did not verify" error suggests that the email was modified by a host after it has been signed.

 

Regards,

Libin

Lemat
Level 1

"body hash did not verify" means that the email body has been modified by, for example, disclaimers or subject modifications.

The DKIM-Signature header contains an h= part enumerating the headers which took part in DKIM signing. The ESA standard is from:to:subject:date:message-id:mime-version; if any of those are modified by your ESA, then the DKIM signature will no longer be valid.

 

For SPF fail problems, check the Bounce Verification feature.

 

I would try a test by relaxing your DKIM signing profiles.

Yahoo does very strict DKIM verification.

 

In your signing profile for your domain : 

 

Canonicalization : Headers -> Relaxed

                        Body -> Relaxed

and

 

Headers To Sign -> Standard

 

This should do the trick.

 

-Marc
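
As an added illustration (not part of any reply above and not Cisco code): the DKIM body hash (`bh=`) computed per RFC 6376 under simple and relaxed body canonicalization, showing which in-transit changes each one tolerates. The function names and the sample message bodies are constructed for this example.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: drop empty lines at the end, then end with exactly one CRLF.
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse runs of space/tab to one space, strip whitespace
    # at end of each line, drop empty lines at the end of the body.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str) -> str:
    # Value a verifier compares against the bh= tag (rsa-sha256 / ed25519-sha256).
    fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode()

def survives(signed: bytes, received: bytes, canon: str) -> bool:
    # True if the body hash taken at signing time still matches on receipt.
    return body_hash(signed, canon) == body_hash(received, canon)

# Constructed sample bodies (not taken from the thread).
ORIGINAL = b"Hello team,\r\nThe report is attached.\r\n"
# A relay that only touched whitespace: extra spaces, a tab, a trailing blank line.
WHITESPACE_ONLY = b"Hello  team, \r\nThe report is\tattached.\r\n\r\n"
# A relay that appended a footer or disclaimer to the body.
WITH_DISCLAIMER = ORIGINAL + b"--\r\nThis message was scanned by the gateway.\r\n"

if __name__ == "__main__":
    for label, received in [("whitespace only", WHITESPACE_ONLY),
                            ("disclaimer added", WITH_DISCLAIMER)]:
        for canon in ("simple", "relaxed"):
            ok = survives(ORIGINAL, received, canon)
            print(f"{label:17} {canon:8} body hash {'verifies' if ok else 'FAILS'}")
```

Relaxed canonicalization only absorbs whitespace differences; appended content changes the hash under both modes, which is what "body hash did not verify" reports.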
