EmailDiscussions.com - View Single Post - Gmail gives a dkim=fail on the original header after forwarding

n5bb · 23 Feb 2017, 03:34 PM

Welcome to the EMD Forums!

Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered.

My guess is that the forwarder is altering some signed header or the message body. For example, my experience is that outlook.com redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through outlook.com to Gmail if I set my DMARC policy to strict (p=reject).

My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool:
http://www.appmaildev.com/en/dkim

That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through outlook.com produces a bad body hash. So outlook.com forwarding is modifying the message body in some manner which causes DKIM to fail.

Bill

23 Feb 2017, 03:34 PM	#2
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,929	Welcome to the EMD Forums! Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered. My guess is that the forwarder is altering some signed header or the message body. For example, my experience is that outlook.com redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through outlook.com to Gmail if I set my DMARC policy to strict (p=reject). My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool: http://www.appmaildev.com/en/dkim That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through outlook.com produces a bad body hash. So outlook.com forwarding is modifying the message body in some manner which causes DKIM to fail. Bill