05-07-2019 03:19 AM - edited 05-07-2019 04:03 AM
Hello
We have for example 2 domains in O365
-domain1.com
-domain2.com
For both domains we have a dkim signing profile in place ( same selector, same key )
Both domains have the DKIM record in DNS
When a user sends a mail from, let's say, domain1.com, it signs correctly (SPF is OK), so DMARC at the recipient's site is OK.
Same for user @ domain2.com ...
But when a user has rights to a shared mailbox in domain1.com with his domain2.com user (and has SendAs rights), the DKIM signing is not aligned!
The result is that our DMARC policy (which is set to reject on domain1.com, not for domain2.com) kicks in and the recipients' servers (e.g. Gmail) reject the mail.
GMAIL source code of mail :
Authentication-Results: mx.google.com;
dkim=pass header.i=@domain2.com header.s=selectorxxxxx header.b=BVxFNgRW;
spf=pass (google.com: domain of user1m@domain2.com designates x.x.x.X as permitted sender) smtp.mailfrom=user1m@domain2.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=domain1.com
So you see it fails dmarc ..
How can we align DKIM when using SendAs rights in shared mailboxes?
Note: if we use SendOnBehalf rights it works fine. But we cannot convert hundreds of mailbox rights in our organisation to SendOnBehalf (due to different reasons).
Is there any setting on the ESA which we can do to solve this ?
- Canonicalization is set to simple for the headers and also the headers to sign = standard
Tx
Accepted Solutions
05-07-2019 05:01 AM
Problem solved : DKIM Global Settings
Use From Header for DKIM Signing : ON
Note: DMARC requires From header to be used for DKIM signing.
Regs
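
Added example, not part of the original posts and not Cisco or Google code: a small checker that reads an Authentication-Results header like the one in the question and reports whether the passing DKIM or SPF identifier aligns with header.from, which is the comparison DMARC makes. The AFTER header is constructed to show a signature that carries the From domain, and org_domain() is a simplified stand-in for a Public Suffix List lookup.

```python
import re

# Header from the question (placeholder domains as posted in the thread).
BEFORE = """Authentication-Results: mx.google.com;
 dkim=pass header.i=@domain2.com header.s=selectorxxxxx header.b=BVxFNgRW;
 spf=pass (google.com: domain of user1m@domain2.com designates x.x.x.X as permitted sender) smtp.mailfrom=user1m@domain2.com;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=domain1.com"""
# Constructed: the same header if the signature carried the From domain.
AFTER = BEFORE.replace("header.i=@domain2.com", "header.i=@domain1.com")

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real evaluator consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return a list of (method, result, properties) from one header."""
    body = re.sub(r"\([^)]*\)", " ", header.split(":", 1)[1])  # drop comments
    entries = []
    for part in body.split(";")[1:]:  # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((method.lower(), result.lower(), props))
    return entries

def dmarc_alignment(header, strict=False):
    """Return (from_domain, {"dkim": bool, "spf": bool}) for passing checks."""
    entries = parse_auth_results(header)
    norm = str.lower if strict else org_domain
    from_dom = next(p["header.from"] for m, _, p in entries if m == "dmarc")
    aligned = {"dkim": False, "spf": False}
    for method, result, props in entries:
        if result != "pass" or method not in aligned:
            continue
        if method == "dkim":  # d= is the DMARC identifier; fall back to i=
            ident = props.get("header.d") or props.get("header.i", "")
        else:
            ident = props.get("smtp.mailfrom", "")
        dom = ident.rsplit("@", 1)[-1]
        if dom and norm(dom) == norm(from_dom):
            aligned[method] = True
    return from_dom, aligned

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        from_dom, aligned = dmarc_alignment(hdr)
        print(label, from_dom, aligned, "aligned:", any(aligned.values()))
```

DMARC needs only one aligned, passing identifier, so an aligned DKIM signature is enough even though the SPF envelope sender still belongs to domain2.com.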
