Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
427
Views
0
Helpful
1
Replies

DKIM verification fails in some cases: M365 Connector -> Cisco C695

knasterlaster
Level 1
Level 1

‎09-15-2022 11:39 PM

Hello together,

in some cases I have an issue regards DKIM verification, when I send automatically created mails from specific senders to specific recipient. 99% of the time, the dkim verification is successful but 1% of the time it fails regards dkim=hardfail (body hash did not verify [final]).

Here is an example of the mail route:

CRM system (creates the mail) -> M365 -> Mail Relay Server (Cisco C695) (Quarantine because our message filter dkim-authentication != "pass" triggers)

The mails are comming from a O365 Connector where they get DKIM signed. Why does 99% of the mails get Authentication-Result dkim=pass, but 1% dkim=hardfail?

Could it be an issue if the domain of the header From: 'test@example.com' is different than the DKIM-Signing Domain IDentifier (SDID) 'd=example.onmicrosoft.com'? nslookups for the DKIM key are always successful when I test it manually from C695. 

Can someone give me a tip how to start handling the issue?

Thanks in advice

Labels:
0 Helpful
1 Reply 1

knasterlaster
Level 1
Level 1

‎09-16-2022 05:55 AM

Hello again, 

I made some analysis on this issue. I think my issue is related to the DKIM-Signature-Header. 

------------- Example where dkim=pass -------------
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=example.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=VPu7Da1FuGB0+sTSKDTfYDTosj4AOX97GxVjGz40XRA=;
 b=G4R3y+ttzG4aLWrY1rQdqArwMgouC0pRCWf80tMhYqFm3tzKYPzN4CPy04rYC1vMKQ4muV8sNz6MlQbWtjITG6rMQ1IHsFnf/fAB   owHgtlpUAXqsoqAsnGRjrDtZOQ+7cNX/3h+9v7O19PivPxlCWEwLc+JrPY4B/KLgrIs0UQ=
-------------------------------------------------
You can see, that there are blanks at the begin of new lines, everythink looks and works fine.

------------- Example where dkim=hardfail (body hash did not verify) -------------
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=u7z6ASwZc7XPMIco3bTpLculRpxvurG49zi0v6Ns9/0=;
b=icVhWMojoXkFqoDsZPEtGQDjvrfqT/rQ+v1/87hFdeSIh+8dz6QomlSXRl3QbIrs1iHbNg02jQW40DxxNbvGtl1b1t/LOWZCfW6ZcI+l7+8bu4bjZ3b4Xuwb1OVJI+uHIJkFqEAyAAAojdZyLZR1kAz3wYjV5PWFQY9NUurWHIA=
--------------------------------------------------------------------------

This blanks are missing at the at the examples, where the body hash did not verify. I checked the headers with mxtoolbox and they give as a result for DKIM-Signature Header the Header Value: v=1; a=rsa-sha256; c=relaxed/relaxed;
As you can see, there are missing important information. Is it possible that Ciscos mail gateway is not able to interpret DKIM-Signature header correctly?

When I check the message header analyzer from Azure (https://mha.azurewebsites.net/) the DKIM-Signature is interpreted correctly without blanks at the begin. 

0 Helpful
Customers Also Viewed These Support Documents