ESA brakes DKIM

lyutov_dv · ‎01-26-2017

Hello,

When i send an emai from my personal account to my corporate email Cisco ESA can't verify DKIM signature. The message is dkim=hardfail (body hash did not verify [final])

But when i send an email from the personal accont to the Gmail, eveything is OK, Gmail can verify DKIM signature with result "Pass".

What might be a reason?

dmccabej · ‎01-26-2017

Hello,

Body hash errors are typical of something modifying the message in transit before it gets to the point of verification. Then, once we try and verify the hash it does not properly match the content from when it was signed.

You may wish to first check if anything is modifying the message prior to it being received on the ESA.

Thanks!

-Dennis M.

lyutov_dv · ‎01-26-2017

Hello,

We use ESA as an EDGE server for SMTP connection, so there is no device that can modify messages...

dmccabej · ‎01-27-2017

Hello,

If that's the case then you may wish to open a ticket with TAC. From there we can verify the ESA configuration along with any DKIM headers/signatures/keys/ETC. You may wish to also confirm you're seeing hardfails from other sending domains (different personal accounts) when testing.

Thanks

-Dennis M.

syeda3 · ‎01-27-2017

Please see the below urls for detailed information on DKIM and its setting.

Common Errors Causing DKIM Verification Failures

http://blogs.cisco.com/security/common_errors_causing_dkim_verification_failures?_ga=1.54724526.40254077.1485266151

http://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200881-Why-is-the-ESA-handling-DKIM-authenticat.html

Hope to help.