Go Back > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Thread Tools
Old 22 Feb 2017, 06:23 PM   #1
Junior Member
Join Date: Feb 2017
Location: Almere, Netherlands
Posts: 2
Gmail gives a dkim=fail on the original header after forwarding

Hi dear email geeks!

I'm having an issue with gmail saying that the original DKIM is failing after the message is being forwarded (using SRS).

The situation is as follows:
- I receive an email on my host: (from
- Authentication on SPF, DKIM (and DMARC) are valid (for
- It is being forwarded to gmail (with SRS and DKIM on
- Gmail is throwing me an DKIM=fail on the DKIM and pass on DKIM/SPF (due SRS) for

a part of the headers (by gmail):
Return-Path: <>
Received: from ( [])
        by with ESMTPS id y84si1819965wmg.16.2017.
        for <>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Feb 2017 01:08:41 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
       spf=pass ( domain of designates as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1487754520; bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; l=31123; h=Received:Received:Received:From:Subject:To; b=VX58a3V3tv77qWz7LjzrJEfK3NqglC2GKeKPABV3NKrv13D3ffgT8AfxF8hS6Ot8K
Authentication-Results:; dkim=pass (good signature)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=feb2015;; h=Content-Transfer-Encoding:From:Subject:To:List-Unsubscribe:MIME-Version:Content-Type:Message-Id:Date;;
  bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; b=Mp6se7mCc4AcSgNvETAzAwtaep/crk+9b8+eMjNFKsY7aZ52YfGZbxL6Pdo/Bgx71zZDmUriJmS1 qeTNnYq5C/VJziLTFRs0M284qhq8mFFWF+36BY4QpwAzTgjpfZAEEcLJKTPsRWK6xvALywSdOEXQ cmCE99Pf7n1L1UH/+Lp3oLu7k5aZiNgxsJCL98sB6FTeef7Sc5qnv+MoFT3qFU4ot9LrMhRNccUj M4ReHGDl+0434JeQ4GclNRluwBHMe86t/9sFIxmpAW8yWMRjQMGslA/BPDIZfi8p0AzlQQ8siHlP 7mHYVJjB2icddwR1JWm6ixmq7LjQidpRNEa7ug==
(the original domain is altered to '', the selector is valid and DKIM passed in the mailbox before forwarding it to gmail)

Any ideas how to fix the above?
JeroenAlmere is offline   Reply With Quote

Old 23 Feb 2017, 03:34 PM   #2
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,325
Welcome to the EMD Forums!

Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered.

My guess is that the forwarder is altering some signed header or the message body. For example, my experience is that redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through to Gmail if I set my DMARC policy to strict (p=reject).

My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool:

That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through produces a bad body hash. So forwarding is modifying the message body in some manner which causes DKIM to fail.

n5bb is offline   Reply With Quote
Old 23 Feb 2017, 04:17 PM   #3
Junior Member
Join Date: Feb 2017
Location: Almere, Netherlands
Posts: 2
Hi Bill,

thank you so much for your kind reply.
I've tried the tool on, thank you for pointing me to this service.

As expected: The SPF and DKIM on the domain which does the forwarding ( matches both. (also the PTR and there are no blacklistings). It doesn't mention anything about the DKIM of the original domain (before forwarding)
The case is still that the original DKIM of the domain (not being fails after the forward (and then so does DMARC).

Do you guys have any advice about this case and perhaps a way to find out if and on which way headers or the message body is being altered by the forwarding process?
For your information: it is a simple configured forwarding email account configured within Plesk Onyx.
JeroenAlmere is offline   Reply With Quote

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump

All times are GMT +9. The time now is 03:29 AM.


Copyright 1998-2013. All Rights Reserved. Privacy Policy