EmailDiscussions.com

EmailDiscussions.com (http://www.emaildiscussions.com/index.php)
-   The Technical Zone... (http://www.emaildiscussions.com/forumdisplay.php?f=15)
-   -   Gmail gives a dkim=fail on the original header after forwarding (http://www.emaildiscussions.com/showthread.php?t=72511)

JeroenAlmere 22 Feb 2017 06:23 PM
Gmail gives a dkim=fail on the original header after forwarding
 
Hi dear email geeks!

I'm having an issue with gmail saying that the original DKIM is failing after the message is being forwarded (using SRS).

The situation is as follows:
- I receive an email on my host: analyze.email (from e.firstdomain.nl)
- Authentication on SPF, DKIM (and DMARC) are valid (for e.firstdomain.nl)
- It is being forwarded to gmail (with SRS and DKIM on analyze.email)
- Gmail is throwing me an DKIM=fail on the DKIM fore.firstdomain.nl and pass on DKIM/SPF (due SRS) for analyze.email.

a part of the headers (by gmail):
Code:
Return-Path: <SRS0=erKM=2D=e.firstdomain.nl=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@analyze.email>
Received: from analyze.email (analyze.email. [85.214.255.71])
        by mx.google.com with ESMTPS id y84si1819965wmg.16.2017.02.22.01.08.41
        for <mygmailbox@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Feb 2017 01:08:41 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=erkm=2d=e.firstdomain.nl=bounce-staging1-44omnupz45zh_jb-w1cb03q@analyze.email designates 85.214.255.71 as permitted sender) client-ip=85.214.255.71;
Authentication-Results: mx.google.com;
      dkim=pass header.i=@analyze.email;
      dkim=fail header.i=@e.firstdomain.nl;
      spf=pass (google.com: domain of srs0=erkm=2d=e.firstdomain.nl=bounce-staging1-44omnupz45zh_jb-w1cb03q@analyze.email designates 85.214.255.71 as permitted sender) smtp.mailfrom=SRS0=erKM=2D=e.firstdomain.nl=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@analyze.email
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=analyze.email; s=default; t=1487754520; bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; l=31123; h=Received:Received:Received:From:Subject:To; b=VX58a3V3tv77qWz7LjzrJEfK3NqglC2GKeKPABV3NKrv13D3ffgT8AfxF8hS6Ot8K
        XAEq371NrZF5dPRIKw5qmK8A+NXceuTN/BFWjG0G7GV9AXwaj4K6qsPsfeGy+lvWW2
        ZLtP37yx9mSLdwlPZ64RrMYEJ/2nQl0tuqE3qBEk=
Authentication-Results: analyze.email; dkim=pass (good signature) header.i=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@e.firstdomain.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=feb2015; d=e.firstdomain.nl; h=Content-Transfer-Encoding:From:Subject:To:List-Unsubscribe:MIME-Version:Content-Type:Message-Id:Date; i=nieuwsbrief@e.firstdomain.nl;
  bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; b=Mp6se7mCc4AcSgNvETAzAwtaep/crk+9b8+eMjNFKsY7aZ52YfGZbxL6Pdo/Bgx71zZDmUriJmS1 qeTNnYq5C/VJziLTFRs0M284qhq8mFFWF+36BY4QpwAzTgjpfZAEEcLJKTPsRWK6xvALywSdOEXQ cmCE99Pf7n1L1UH/+Lp3oLu7k5aZiNgxsJCL98sB6FTeef7Sc5qnv+MoFT3qFU4ot9LrMhRNccUj M4ReHGDl+0434JeQ4GclNRluwBHMe86t/9sFIxmpAW8yWMRjQMGslA/BPDIZfi8p0AzlQQ8siHlP 7mHYVJjB2icddwR1JWm6ixmq7LjQidpRNEa7ug==
(the original domain is altered to 'e.firstdomain.nl', the selector is valid and DKIM passed in the mailbox before forwarding it to gmail)

Any ideas how to fix the above?

n5bb 23 Feb 2017 03:34 PM
Welcome to the EMD Forums! :)

Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered.

My guess is that the forwarder is altering some signed header or the message body. For example, my experience is that outlook.com redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through outlook.com to Gmail if I set my DMARC policy to strict (p=reject).

My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool:
http://www.appmaildev.com/en/dkim

That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through outlook.com produces a bad body hash. So outlook.com forwarding is modifying the message body in some manner which causes DKIM to fail.

Bill

JeroenAlmere 23 Feb 2017 04:17 PM
Hi Bill,

thank you so much for your kind reply.
I've tried the tool on appmaildev.com, thank you for pointing me to this service.

As expected: The SPF and DKIM on the domain which does the forwarding (analyze.email) matches both. (also the PTR and there are no blacklistings). It doesn't mention anything about the DKIM of the original domain (before forwarding)
The case is still that the original DKIM of the domain (not being analyze.email) fails after the forward (and then so does DMARC).

Do you guys have any advice about this case and perhaps a way to find out if and on which way headers or the message body is being altered by the forwarding process?
For your information: it is a simple configured forwarding email account configured within Plesk Onyx.


All times are GMT +9. The time now is 12:03 PM.


Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy