ESA not signing all messages with DKIM

tminchin
Level 1

Hi - we have an odd one we have been tracking. We are starting to find domains which reject our emails with DMARC failures.

Our outbound email is signed by the ESA with its own DKIM key and you can see it for example with gmail.com. However, our email is also DKIM signed by our O365 tenant with the onmicrosoft.com domain. This is fine to have emails with two DKIM signatures in the headers.

However, for some destination domains it appears the ESA does NOT put our DKIM signature into the headers (just leaving the O365 onmicrosoft.com DKIM header - which fails as we regard our O365 tenant as an internal email server). I'm not 100% on the theory it is not signing the DKIM key as the outgoing logs say it is signing it (and it's hard to determine via the bounce message as I think the bounce message is the incoming message prior to signing by the ESA?). The email is rejected for example:

Remote server returned '554 5.0.0 <[203.42.40.138] #5.0.0 smtp; 5.3.0 - Other mail system problem 550-'5.7.0 Mail is unauthenticated and has been blocked. The sender must\n5.7.0 authenticate with both SPF and DKIM. IB716\n5.7.0 i{7218dcc0-359f-451b-b459-0b409f85663f}' (delivery attempts: 0)>'

We'll log a case in the new year but has anyone seen similar and maybe just a configuration error?

My other theory is that "some" mail servers can't cope with two DKIM headers and just read the first one (the O365 one) and reject instantly.

3 Replies

Check the list of servers in the headers of mail that is failing.
We had a similar issue with mail that was going to O365 tenants got delivered "outbound" by O365, instead of our ESAs.
We were supposed to be using "Centralized Mail Transport", but that check box got moved in the latest versions of the AAD Connect tool so it wasn't checked.
Ours showed up as SPF failures because O365 shouldn't be sending mail as us, only the ESAs should.

We have had that issue in the past but it is definitely being delivered by the ESAs to the third party

tminchin
Level 1

Turned out to be a third party issue (see https://forums.whirlpool.net.au/thread/3m01zjy6). They were inspecting email and binning emails which had failed DKIM signed headers in them. However, we will try to remove our onmicrosoft.com DKIM header from any outbound email (as the ESA signs them appropriately).
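The thread turns on two points: a message may legitimately carry several DKIM-Signature headers (each is evaluated on its own, and DMARC passes if at least one signature that verifies is aligned with the From domain), and the onmicrosoft.com signature can be dropped without invalidating the ESA's signature. The script below is an added example, not code from the thread, from Cisco or from Microsoft. It lists every DKIM-Signature on a constructed sample message, reports whether each `d=` aligns with the RFC 5322 From domain under DMARC's strict and relaxed modes, and shows the header-stripping step the last post describes. It does not verify the signatures cryptographically (that needs the selector's public key from DNS), and its organisational-domain logic is a stated simplification (last two labels, no public-suffix list). The domains, selectors and signature values in the sample are constructed.

```python
"""Inspect the DKIM-Signature headers of a message and check DMARC alignment.

Added example (standard library only). The organisational-domain rule is a
simplified assumption: last two labels, no public-suffix list.
"""
import email
import email.utils

# Constructed sample: mail from the organisation's own domain carrying two
# signatures, one from the O365 tenant (d=...onmicrosoft.com) and one added by
# the outbound gateway (d=example.com). bh= and b= values are dummies.
SAMPLE_MESSAGE = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.onmicrosoft.com;
 s=selector1; h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=esa;
 h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=

body
"""


def parse_tags(value):
    """Split a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def organizational_domain(domain):
    """Assumption: organisational domain = last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def analyse(raw):
    """One entry per DKIM-Signature: its d=, s= and alignment with the From domain."""
    msg = email.message_from_string(raw)
    from_dom = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[1].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d = tags.get("d", "").lower()
        results.append({
            "d": d,
            "s": tags.get("s"),
            "strict_aligned": d == from_dom,
            "relaxed_aligned": organizational_domain(d) == organizational_domain(from_dom),
        })
    return results


def has_aligned_signature(raw, adkim="r"):
    """True if some signature satisfies the DMARC adkim mode ('r' relaxed, 's' strict).
    A DMARC DKIM pass additionally needs that signature to verify against the
    selector's public key in DNS, which this offline check does not do."""
    key = "strict_aligned" if adkim == "s" else "relaxed_aligned"
    return any(r[key] for r in analyse(raw))


def without_signatures_from(raw, domain):
    """Drop DKIM-Signature headers whose d= is `domain` or a subdomain of it.
    The other signatures stay valid: a DKIM signature covers other
    DKIM-Signature headers only if the signer listed them in its h= tag."""
    domain = domain.lower()
    msg = email.message_from_string(raw)
    keep = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        if d != domain and not d.endswith("." + domain):
            keep.append(value)
    del msg["DKIM-Signature"]          # removes every DKIM-Signature header
    for value in keep:
        msg["DKIM-Signature"] = " ".join(value.split())  # re-add on a single line
    return msg.as_string()


if __name__ == "__main__":
    for r in analyse(SAMPLE_MESSAGE):
        print(r)
    print("aligned signature present:", has_aligned_signature(SAMPLE_MESSAGE))
    print(without_signatures_from(SAMPLE_MESSAGE, "onmicrosoft.com"))
```

Run against the sample, the onmicrosoft.com signature is reported as unaligned in both modes while the example.com signature aligns, so a receiver that evaluates every signature has an aligned candidate; the same check on a real bounce's original headers shows quickly whether the ESA signature was present at all, which is the question the first post raises.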