09-15-2022 11:39 PM
Hello together,
in some cases I have an issue regarding DKIM verification when I send automatically created mails from specific senders to specific recipients. 99% of the time, the DKIM verification is successful, but 1% of the time it fails with dkim=hardfail (body hash did not verify [final]).
Here is an example of the mail route:
CRM system (creates the mail) -> M365 -> Mail Relay Server (Cisco C695) (Quarantine because our message filter dkim-authentication != "pass" triggers)
The mails are coming from an O365 Connector where they get DKIM signed. Why do 99% of the mails get Authentication-Result dkim=pass, but 1% dkim=hardfail?
Could it be an issue if the domain of the header From: 'test@example.com' is different than the DKIM-Signing Domain IDentifier (SDID) 'd=example.onmicrosoft.com'? nslookups for the DKIM key are always successful when I test it manually from C695.
Can someone give me a tip on how to start handling the issue?
Thanks in advance
09-16-2022 05:55 AM
Hello again,
I did some analysis on this issue. I think my issue is related to the DKIM-Signature-Header.
------------- Example where dkim=pass -------------
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=VPu7Da1FuGB0+sTSKDTfYDTosj4AOX97GxVjGz40XRA=;
b=G4R3y+ttzG4aLWrY1rQdqArwMgouC0pRCWf80tMhYqFm3tzKYPzN4CPy04rYC1vMKQ4muV8sNz6MlQbWtjITG6rMQ1IHsFnf/fAB owHgtlpUAXqsoqAsnGRjrDtZOQ+7cNX/3h+9v7O19PivPxlCWEwLc+JrPY4B/KLgrIs0UQ=
-------------------------------------------------
You can see that there are blanks at the beginning of new lines; everything looks and works fine.
------------- Example where dkim=hardfail (body hash did not verify) -------------
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=u7z6ASwZc7XPMIco3bTpLculRpxvurG49zi0v6Ns9/0=;
b=icVhWMojoXkFqoDsZPEtGQDjvrfqT/rQ+v1/87hFdeSIh+8dz6QomlSXRl3QbIrs1iHbNg02jQW40DxxNbvGtl1b1t/LOWZCfW6ZcI+l7+8bu4bjZ3b4Xuwb1OVJI+uHIJkFqEAyAAAojdZyLZR1kAz3wYjV5PWFQY9NUurWHIA=
--------------------------------------------------------------------------
These blanks are missing in the examples where the body hash did not verify. I checked the headers with mxtoolbox, and it gives as a result for the DKIM-Signature header the header value: v=1; a=rsa-sha256; c=relaxed/relaxed;
As you can see, important information is missing. Is it possible that Cisco's mail gateway is not able to interpret the DKIM-Signature header correctly?
When I check the message header analyzer from Azure (https://mha.azurewebsites.net/), the DKIM-Signature is interpreted correctly without blanks at the beginning.
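
A header-folding check for the two DKIM-Signature variants described in this thread, as an added example that is not part of the original posts: it unfolds header lines as RFC 5322 requires, so a signature whose continuation lines have lost their leading blanks parses to only `v`, `a` and `c` (the truncated value mxtoolbox reported), and it recomputes a relaxed-canonicalization body hash for comparison with `bh=`. The sample message, the placeholder `bh=`/`b=` values and all function names are constructed for illustration.

```python
import base64, hashlib, re

# Constructed sample; bh=/b= are placeholders, not the poster's real values.
FOLDED = (b"From: test@example.com\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
          b" d=example.com; s=selector1;\r\n"
          b" h=From:Date:Subject;\r\n"
          b" bh=PLACEHOLDER=;\r\n"
          b" b=PLACEHOLDER=\r\n\r\n")
STRIPPED = FOLDED.replace(b"\r\n ", b"\r\n")  # continuation blanks lost

def unfold_headers(raw):
    """Return [(name, value)]. Only a line starting with SP/HTAB continues
    the previous field (RFC 5322 section 2.2.3)."""
    fields = []
    for line in raw.split(b"\r\n"):
        if not line:
            break  # blank line ends the header block
        text = line.decode("ascii", "replace")
        if text[0] in " \t" and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + text)
        elif ":" in text:
            name, _, value = text.partition(":")
            fields.append((name.strip(), value.strip()))
        else:
            fields.append(("", text))  # orphan line, belongs to no field
    return fields

def signature_tags(raw):
    """Tag=value pairs of the first DKIM-Signature field (RFC 6376 3.2)."""
    for name, value in unfold_headers(raw):
        if name.lower() == "dkim-signature":
            pairs = (p.partition("=") for p in value.split(";") if "=" in p)
            return {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs}
    return {}

def relaxed_body_hash(body):
    """bh= for sha256 with relaxed body canonicalization (RFC 6376 3.4.4);
    the optional l= length tag is not handled."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ")
             for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # ignore empty lines at the end of the body
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

if __name__ == "__main__":
    print(sorted(signature_tags(FOLDED)))    # full tag set
    print(sorted(signature_tags(STRIPPED)))  # tags left after blanks are lost
    print(relaxed_body_hash(b"Hello  world \r\n\r\n"))
```

Running `relaxed_body_hash` over the raw body exactly as the gateway received it and comparing the result with the `bh=` tag shows whether the body changed after signing or whether only the header display is affected.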