Gmail gives a dkim=fail on the original header after forwarding
Hi dear email geeks!
I'm having an issue with Gmail saying that the original DKIM is failing after the message is forwarded (using SRS). The situation is as follows:
- I receive an email on my host: analyze.email (from e.firstdomain.nl)
- Authentication on SPF, DKIM (and DMARC) is valid (for e.firstdomain.nl)
- It is being forwarded to Gmail (with SRS and DKIM on analyze.email)
- Gmail is throwing me a DKIM=fail on the DKIM for e.firstdomain.nl and a pass on DKIM/SPF (due to SRS) for analyze.email.

A part of the headers (by Gmail):
Code:
Return-Path: <SRS0=erKM=2D=e.firstdomain.nl=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@analyze.email>

Any ideas how to fix the above?
Welcome to the EMD Forums! :)
Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered. My guess is that the forwarder is altering some signed header or the message body.

For example, my experience is that outlook.com redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through outlook.com to Gmail if I set my DMARC policy to strict (p=reject).

My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool: http://www.appmaildev.com/en/dkim

That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through outlook.com produces a bad body hash. So outlook.com forwarding is modifying the message body in some manner which causes DKIM to fail.

Bill
Hi Bill,
Thank you so much for your kind reply. I've tried the tool on appmaildev.com, thank you for pointing me to this service.

As expected: the SPF and DKIM on the domain which does the forwarding (analyze.email) both match (also the PTR, and there are no blacklistings). It doesn't mention anything about the DKIM of the original domain (before forwarding).

The case is still that the original DKIM of the domain (not being analyze.email) fails after the forward (and then so does DMARC).

Do you guys have any advice about this case, and perhaps a way to find out if, and in which way, headers or the message body are being altered by the forwarding process?

For your information: it is a simply configured forwarding email account configured within Plesk Onyx.
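
One way to narrow down whether the forwarder changed the body or a signed header, as an added example that is not part of the thread: recompute the body hash for every DKIM-Signature in a saved raw message and compare it with its bh= tag. It checks only bh=, not the b= signature; the sample message, the selector `sel` and the appended footer are constructed for illustration.

```python
import base64, hashlib, re
from email import message_from_bytes

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":        # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def check_body_hashes(raw: bytes):
    """Return [(d= domain, True if recomputed body hash equals bh=)] per signature."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    results = []
    for sig in message_from_bytes(head + b"\n\n").get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in sig.split(";") if "=" in t)
        tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
        canon = tags.get("c", "simple/simple")
        mode = canon.split("/")[1] if "/" in canon else "simple"
        data = canon_body(body, mode)
        if "l" in tags:                      # l= limits how much of the body is hashed
            data = data[: int(tags["l"])]
        algo = tags.get("a", "rsa-sha256").split("-")[1]   # sha256 or sha1
        digest = base64.b64encode(hashlib.new(algo, data).digest()).decode()
        results.append((tags.get("d"), digest == tags.get("bh")))
    return results

# Constructed sample: body as signed by the sender, b= is a placeholder.
BODY = b"Hello,\r\n\r\nThis is a test.\r\n"

def sample(body_as_delivered: bytes) -> bytes:
    bh = base64.b64encode(hashlib.sha256(canon_body(BODY, "relaxed")).digest())
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=e.firstdomain.nl;\r\n"
            b" s=sel; h=from:to:subject; bh=" + bh + b"; b=PLACEHOLDER\r\n"
            b"From: a@e.firstdomain.nl\r\nSubject: test\r\n\r\n" + body_as_delivered)

if __name__ == "__main__":
    print("unchanged body :", check_body_hashes(sample(BODY)))
    print("footer appended:", check_body_hashes(sample(BODY + b"-- \r\nfooter\r\n")))
```

Run it against the raw message saved before forwarding and against Gmail's "Show original" copy: a False for the original domain means the body changed, while True on both copies together with dkim=fail points at one of the headers listed in h=.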