DKIM Fail when receiver is O365 customer
01-22-2020 05:46 AM - last edited on 02-22-2020 05:04 PM by Monica Lluis
Hi all, let me first try to schematize our setup:
O365 TENANT --> LINUX POSTFIX ( for sender based routing ) --> CISCO ESA ( DKIM signing )--> OUTSIDE WORLD
When a mail is sent from one of our email domains in our O365 tenant (and DKIM signing is not enabled there), it goes through our postfix (in postfix we have sender based rules), we then route through our Ciscos (where we sign DKIM) to the internet.
If we send out an email to a non-O365 customer in the big big bad world, like Gmail, DKIM is PASS
--> dkim=pass header.i=@domainx.be header.s=selector-x header.b=RFxvGv4P;
If we send out an email to an O365 customer (also the public one, hotmail.com), DKIM is FAIL
--> dkim=fail (signature did not verify) header.d=domainx.be;hotmail.com; dmarc=pass action=none header.from=domainx.be;compauth=pass reason=100
--> dkim=fail (signature did not verify) header.d=domainx.be;o365Extdomain.be; dmarc=pass action=none header.from=domainx.be;compauth=pass reason=100
Why, I don't know...
Has anyone else seen this? I know MS started to use ARC in October 2019...
The result is that some O365 customers get our mails in phishing quarantine, spam, or rejects etc.
We use separate DKIM signing profiles on our Ciscos; key length is 2048, nothing special.
Labels: Email Security