If your SMTP routing passes mail through multiple systems, and more than one of them adds a DKIM-Signature header, you should still get dkim=pass at the receiver.
But if one of these servers modifies the message body after an earlier hop has already signed it (appending a disclaimer footer, for example), the body hash (bh=) in every earlier DKIM signature no longer matches and those signatures fail. To resolve this without moving all message modification to the first server in the chain, the modifying server (or a later one) needs to add a new DKIM signature after the message has been modified.
This results in multiple DKIM-Signature headers on the message, of which at least one needs to verify for the email to pass DKIM (and, if that passing signature's d= domain aligns with the From: domain, DMARC). All of this works fine with Exchange Online as the recipient system, but if I look at the headers in the Microsoft Header Analyzer it reports a DKIM fail even though the message did not fail:
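As an added example (not code from the original post), the following implements the DKIM "relaxed" body canonicalization and bh= body hash from RFC 6376 and uses them to simulate the two-hop chain described above: the first hop signs the original body, a later hop appends a footer and signs again, and the receiver checks both body hashes against the body it actually received. The sample body and footer are constructed; the RSA signature over the headers (b=) is left out, since the failure in question is the body hash.

```python
import base64
import hashlib
import re

# Added example, not code from the original post. Implements RFC 6376
# section 3.4.4 "relaxed" body canonicalization and the bh= body hash, and
# simulates a two-hop signing chain. RSA signing of the header hash (b=) is
# deliberately omitted; only bh= is exercised.


def relaxed_body_canon(body: bytes) -> bytes:
    """Canonicalize a message body per the 'relaxed' algorithm."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    out = []
    for line in lines:
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of WSP to one SP
        line = line.rstrip(b" \t")             # drop trailing WSP
        out.append(line)
    while out and out[-1] == b"":              # drop empty lines at end of body
        out.pop()
    if not out:
        return b""                             # empty body hashes as empty string
    return b"\r\n".join(out) + b"\r\n"         # non-empty body must end in CRLF


def body_hash(body: bytes) -> str:
    """bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode()


def verify_body_hash(body: bytes, bh: str) -> bool:
    """What a verifier does for each DKIM-Signature: recompute bh= and compare."""
    return body_hash(body) == bh


def simulate_double_signing(original: bytes, footer: bytes) -> dict:
    """Two signers, one body modification in between, one receiver."""
    # Hop 1 (e.g. M365, selector1) signs the original body.
    sig1_bh = body_hash(original)
    # Hop 2 (e.g. a gateway, selector ironport3) appends a footer, then signs.
    modified = original + footer
    sig2_bh = body_hash(modified)
    # The receiver only ever sees the modified body, so it verifies both
    # signatures against that.
    return {
        "sig1_bh_verified": verify_body_hash(modified, sig1_bh),  # False: "body hash did not verify"
        "sig2_bh_verified": verify_body_hash(modified, sig2_bh),  # True: "signature was verified"
    }


if __name__ == "__main__":
    # Constructed sample body and footer, not taken from any real message.
    ORIGINAL = b"Hello,\r\n\r\nPlease find the report attached.\r\n"
    FOOTER = b"\r\n-- \r\nThis email has been scanned for malware.\r\n"
    print(simulate_double_signing(ORIGINAL, FOOTER))
```

Because the canonicalization is "relaxed", trailing whitespace and extra blank lines at the end of the body do not change bh=; appending any visible text does, which is exactly why a downstream footer breaks the first signature and a second signature computed after the footer is added verifies.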

Defender for Office “Explorer” view shows that DKIM passes for these emails – this is correct, but if I paste the headers into the Header Analyser I get FAILS reported, incorrectly.
I see the following in Message Header Analyzer:
Authentication-Results: spf=pass (sender IP is 205.196.x.y) smtp.mailfrom=clientdomain.com; dkim=pass (signature was verified) header.d=clientdomain.com;dkim=fail (body hash did not verify) header.d=clientdomain.com; dmarc=pass action=none header.from=clientdomain.com; compauth=pass reason=100
Then there are two DKIM-Signature headers. Note the order: the first one shown below (selector ironport3) is the second signature added to the email, and the second one shown (selector1) is the one added first, by M365. Signers prepend their DKIM-Signature header, so the most recent signer appears at the top. (bh= and b= shortened for readability.)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clientdomain.com; q=dns/txt; s=ironport3; t=1782156788; h=from:to:subject:date:message-id:mime-version; bh=tOCC…w==;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clientdomain.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vf4X…E=; b=OzrGF…Zg=
The second of these fails because the message is modified downstream of Exchange Online, but it is recorded in the same Authentication-Results header as the success. I suspect the Header Analyser tool is reporting a DKIM failure if it just finds “dkim=fail”, ignoring the fact that there is also a “dkim=pass (signature was verified)” in the same Authentication-Results header.
So if you are using the Header Analyzer on a message with a double (or triple, etc.) DKIM signature state, the analyser is not currently returning the validation result that Exchange Online itself arrives at, and it is the Exchange Online result that determines how the message is handled.
