ESA not dkim checking mails from same domain (no dkim= in header for own domain)

franz2018 · ‎03-12-2018

Hi,

we have two companies with independend IT but sharing the maildomain.

company1 = only sends dkim signed mails for domain.de (no ESA)

company 2 = sends (dkim signed) mails and receives mails for domain.de (ESA C170 cluster)

All incoming and outgoing mails are fine and checked for dkim, spf and dmarc according to headers:

Authentication-Results: mail1.domain.de; dkim=pass (signature verified) header.i=@random-sender.de; spf=Pass smtp.mailfrom=franz@random-sender.de; dmarc=pass (p=none dis=none) d=random-sender.de

But receiving mails from company1 at ESA in company2, dkim is never checked:

Authentication-Results: mail2.domain.de; spf=Pass smtp.mailfrom=test@domain.de; dmarc=pass (p=none dis=none) d=domain.de

What do i miss?

Ken Stieers · ‎03-12-2018

Check the HAT entry on the ESA at domain2 that the ip from domain1 will hit and see how it's policy is configured. If the ip is in WHITELIST for example, dkim checking my be turned off. It will also be off if it's in RELAYLIST.

franz2018 · ‎03-12-2018

dmarc and dkim checking is checked/activated for the matching policy ACCEPTED. As this system provides mail like any other sender (from outside) no specific policy is in place. I supsect that this is by design because it's the same domain name.

dmccabej · ‎03-12-2018

Some things to review ...

1) Confirm matching mail flow policy with DKIM verification enabled

2) Confirm emails are being DKIM signed from company where no DKIM results are seen (check headers)

3) Check DKIM key size of signed emails and compare against DKIM verification profile smallest/largest key size

Thanks!

-Dennis M.

franz2018 · ‎03-13-2018

DKIM verify is on. DMARC reports show, that there are issues for mails coming from our other company - but it's not showing it in the header:

    <row>
      <source_ip>our-public-ip-company1</source_ip>
      <count>63</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>domain.de</header_from>
      <envelope_from>domain.de</envelope_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>domain.de</domain>
        <scope>mfrom</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>

Mails are dkim signed as header shows:

Authentication-Results: esa170.domain.de; spf=Pass smtp.mailfrom=test@domain.de; dmarc=pass (p=none dis=none) d=domain.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.de;
	s=18022801; t=1520860826;
	bh=ecGWgWCJeWxJFeM0urOVWP+KOlqpvsQYKOpYUP8nk7I=;
	h=Date:To:From:Subject:From;
	b=cZpeo0m3OFrKZyhTLV2v2gSoarIeGVB5usJTADJz2mKKKGADEhNS8tC1xC1ZfzpE8
	 imp4OLx2ETaJB6cp2VWqu7tWrYV4S+nGSpHa/uUmSeYM4AUNv/KUCF4PvWOlMFXTzu
	 FNAZeMrErhrQgFSCwss/JVrZH2ZTYCfifQ0BHHoO24lzWgBxu70D72waC9oi+lm2Y1
	 ktRr0ZKinNX7JcuTtvyZD7X3LjSaWshw6i7IgPXDE+CVldiP5oaj0t4gD7tkvXWBEJ
	 dUJ+6sip2kUSF3i8CaYYqflG2m1j+UDMJqx+djk1E699ZZ2/hlo12tNk7tivnHLVUW
	 Wn6dVWT88dbmw==

dkim key size in esa is default 512-2048 - matching pub-key for aboves signature is 2048.

mail tracking is not showing any dkim/dmarc related infos for any mails entering ESA.

Ken Stieers · ‎03-12-2018

The ESA isn't actually that smart... it doesn't know that its the same domain really. What's the message tracking show for one of the incoming mails. Check the HAT entry and policy (see Dennis' message).

Also, are you using split DNS? eg (internal zone for your internet names) and if so, does your internal DNS zone have your DKIM entries?

franz2018 · ‎03-13-2018

ESA (network-> DNS) points to internal DNS-Resolver that is having apropriate TXT records for domain:

me@localhost:~$ dig +short @dns-server-set-up-in-ESAs 18022801._domainkey.domain.de TXT
"v=DKIM1; k=rsa; t=y; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvKlL6vX2kwS7bDMOiLTrfWfsBdq7PVk/yN6Dz8P+n6CypjCF8qJJDvhaS8RSXUaPHPgg2XE8diod8toF56MnMXWnUS6EA/fBqdMeiiqdzgRvD8ds5ex0XEYZ/l/RjCTs4/CpBkWdNnlYXmoVVBBZ9tGfyROMtQtp0VWzj38SwhzluB7YJcVzw1RocOyLHx9XP759XV8N7qjFXL" "yZCKC7preeYIAnkBhGaQosxqTxSuqiYnDWtFu+FSyNObhpbcfjSOQY69E/Yhvn6+NKbIcVkiI890n3kYGA3U6X3ZE9pFRu8g8zLzFDrwCaxZ9W0MLAf0Np4pdOdOUOarUafjIKGQIDAQAB"

franz2018 · ‎03-14-2018

Mon Mar 12 10:40:15 2018 Info: Start MID 5356338 ICID 8761258
Mon Mar 12 10:40:15 2018 Info: MID 5356338 ICID 8761258 From: <user@domain.de>
Mon Mar 12 10:40:15 2018 Info: MID 5356338 ICID 8761258 RID 0 To: <user2@domain.de>
Mon Mar 12 10:40:15 2018 Info: MID 5356338 DMARC: Message from domain domain.de, DMARC pass (SPF aligned True, DKIM aligned False)
Mon Mar 12 10:40:15 2018 Info: MID 5356338 DMARC: Verification passed
Mon Mar 12 10:40:15 2018 Info: MID 5356338 Message-ID '<20180312094015.D2AFA80976@mailserver.cs2.domain.de>'

On console ESA reports DKIM aligned False but for no reasons and not info about DKIM.

Any other mail has at least info about dkim in it:

Mon Mar 12 12:56:24 2018 Info: MID 5356800 DKIM: pass signature verified (d=bla.de s=03122017 i=@bla.de)

marc.luescherFRE · ‎03-17-2018

DKIM alignment false

In order to better point you into the correct direction I would need to better understand some of the mail routing. As an example is mail routing for both parties consolidated via on ESA and have you split incoming and outgoing mail traffic via different interfaces.

DKIM alignment false normally would indicate that the FQDN or header from is not matching your d-tag of the DKIM profile in either all or some cases.

To avoid some of those alignment issues with SPF, DKIM and DMARC we have split our email traffic to dedicated in and outbound gateways to make it easier. Our high volume traffic also needs this now.

franz2018 · ‎03-19-2018

We have outgoing traffic coming from both locations (one with ESA one with regular postfix / linux mailserver).

Both outgoing mailflows are fine and verified successfully for SPF/DKIM/DMARC by random receivers.

The MX-records for our domain point only to the ESAs at head location. Also - receiving mails from random senders can all be verified nicely for SPF/DKIM/DMARC.

Only receiving mails from our sub-location fails with DKIM alignment for unknown reasons if you check the headers i posted previously.

Mathew Huynh · ‎03-22-2018

Hello Franz,

It is a bit strange that the email logs did not show any DKIM verification being done for whatever reason - on that email itself the headers was there information on the DKIM verification being done at the ESA level? or was it just the authentication-results where DMARC was stamped as shared above?

If so; can you double check that ICID and associated mail flow policy and ensure that the DKIM verification is set to enable and also using a DKIM verification profile.

I understand you shared that it is set to ON in an earlier post, but just to double verify this.

I've yet to see situations where DKIM verification was enabled on the mail flow policy yet it doesn't 'do' the verification.

Regards,
Matthew