EmailDiscussions.com  

Old 22 Feb 2017, 06:23 PM   #1
JeroenAlmere
Junior Member
 
Join Date: Feb 2017
Location: Almere, Netherlands
Posts: 2
Gmail gives a dkim=fail on the original header after forwarding

Hi dear email geeks!

I'm having an issue with Gmail saying that the original DKIM is failing after the message is forwarded (using SRS).

The situation is as follows:
- I receive an email on my host: analyze.email (from e.firstdomain.nl)
- Authentication on SPF, DKIM (and DMARC) are valid (for e.firstdomain.nl)
- It is being forwarded to gmail (with SRS and DKIM on analyze.email)
- Gmail is throwing me a DKIM=fail on the DKIM for e.firstdomain.nl and a pass on DKIM/SPF (due to SRS) for analyze.email.

A part of the headers (by Gmail):
Code:
Return-Path: <SRS0=erKM=2D=e.firstdomain.nl=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@analyze.email>
Received: from analyze.email (analyze.email. [85.214.255.71])
        by mx.google.com with ESMTPS id y84si1819965wmg.16.2017.02.22.01.08.41
        for <mygmailbox@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Feb 2017 01:08:41 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=erkm=2d=e.firstdomain.nl=bounce-staging1-44omnupz45zh_jb-w1cb03q@analyze.email designates 85.214.255.71 as permitted sender) client-ip=85.214.255.71;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@analyze.email;
       dkim=fail header.i=@e.firstdomain.nl;
       spf=pass (google.com: domain of srs0=erkm=2d=e.firstdomain.nl=bounce-staging1-44omnupz45zh_jb-w1cb03q@analyze.email designates 85.214.255.71 as permitted sender) smtp.mailfrom=SRS0=erKM=2D=e.firstdomain.nl=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@analyze.email
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=analyze.email; s=default; t=1487754520; bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; l=31123; h=Received:Received:Received:From:Subject:To; b=VX58a3V3tv77qWz7LjzrJEfK3NqglC2GKeKPABV3NKrv13D3ffgT8AfxF8hS6Ot8K
	 XAEq371NrZF5dPRIKw5qmK8A+NXceuTN/BFWjG0G7GV9AXwaj4K6qsPsfeGy+lvWW2
	 ZLtP37yx9mSLdwlPZ64RrMYEJ/2nQl0tuqE3qBEk=
Authentication-Results: analyze.email; dkim=pass (good signature) header.i=bounce-staging1-44OMnUpZ45zH_Jb-w1Cb03Q@e.firstdomain.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=feb2015; d=e.firstdomain.nl; h=Content-Transfer-Encoding:From:Subject:To:List-Unsubscribe:MIME-Version:Content-Type:Message-Id:Date; i=nieuwsbrief@e.firstdomain.nl;
  bh=jG6BhcoL2j0c3l/jRQRQa+I3DIGLfvBkXnvXBn4WpYY=; b=Mp6se7mCc4AcSgNvETAzAwtaep/crk+9b8+eMjNFKsY7aZ52YfGZbxL6Pdo/Bgx71zZDmUriJmS1 qeTNnYq5C/VJziLTFRs0M284qhq8mFFWF+36BY4QpwAzTgjpfZAEEcLJKTPsRWK6xvALywSdOEXQ cmCE99Pf7n1L1UH/+Lp3oLu7k5aZiNgxsJCL98sB6FTeef7Sc5qnv+MoFT3qFU4ot9LrMhRNccUj M4ReHGDl+0434JeQ4GclNRluwBHMe86t/9sFIxmpAW8yWMRjQMGslA/BPDIZfi8p0AzlQQ8siHlP 7mHYVJjB2icddwR1JWm6ixmq7LjQidpRNEa7ug==
(the original domain is altered to 'e.firstdomain.nl', the selector is valid and DKIM passed in the mailbox before forwarding it to gmail)

Any ideas how to fix the above?

Old 23 Feb 2017, 03:34 PM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,178
Welcome to the EMD Forums!

Forwarding tends to break modern email security checks. SPF may pass if SRS is used to rewrite the Return-Path (envelope-From), but DMARC will fail the SPF result because the From address isn't aligned. DKIM usually works as long as the original headers which were signed (in the h= list) and message body are not altered.

My guess is that the forwarder is altering some signed header or the message body. For example, my experience is that outlook.com redirection breaks DKIM due to message alterations and of course forwarded SPF will fail DMARC alignment, so I can't forward messages sent from my personal domain through outlook.com to Gmail if I set my DMARC policy to strict (p=reject).

My suggestion is to use the following free DKIM signature test tool. It will generate a unique email address, and you send a test message to that email address to check your DKIM signing. If you are using forwarding, this means that you must temporarily change the forwarding destination to the temporary test address. Here is the tool:
http://www.appmaildev.com/en/dkim

That tool shows that a direct email from my normal email system (where my personal domain is hosted) has a good DKIM, but that forwarding through outlook.com produces a bad body hash. So outlook.com forwarding is modifying the message body in some manner which causes DKIM to fail.

Bill
Old 23 Feb 2017, 04:17 PM   #3
JeroenAlmere
Junior Member
 
Join Date: Feb 2017
Location: Almere, Netherlands
Posts: 2
Hi Bill,

Thank you so much for your kind reply.
I've tried the tool on appmaildev.com, thank you for pointing me to this service.

As expected: the SPF and DKIM on the domain which does the forwarding (analyze.email) both match (also the PTR, and there are no blacklistings). It doesn't mention anything about the DKIM of the original domain (before forwarding).
The case is still that the original DKIM of the domain (not being analyze.email) fails after the forward (and then so does DMARC).

Do you guys have any advice about this case, and perhaps a way to find out if and in which way headers or the message body are being altered by the forwarding process?
For your information: it is a simply configured forwarding email account configured within Plesk Onyx.
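Added example, not part of any post in this thread: one way to answer the question in post #3 is to save the raw message as it arrived at the forwarder and as it arrived at the final mailbox, then compare only what the original DKIM-Signature covers (its h= fields and the body hash bh=). The sketch assumes c=relaxed/relaxed with rsa-sha256 and no l= tag on the signature being checked, as in the e.firstdomain.nl signature above; it compares every instance of a signed header instead of DKIM's bottom-up selection and does not verify b=. All function names and the sample message are constructed for illustration.

```python
import base64, hashlib, re
def split_message(raw):
    """Raw RFC 5322 bytes -> ([[lowercased name, value], ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += line                  # unfold a continuation line
        else:
            name, _, value = line.partition(b":")
            headers.append([name.strip().lower(), value])
    return headers, body

def relaxed_header(value):
    """RFC 6376 3.4.2, value part: collapse whitespace runs, trim both ends."""
    return re.sub(rb"[ \t]+", b" ", value).strip()

def relaxed_body_hash(body):
    """RFC 6376 3.4.4 canonicalization, then base64(SHA-256), as stored in bh=."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and not lines[-1]:                  # drop trailing empty lines
        lines.pop()
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def diff_signed_parts(before, after, domain):
    """Names of signed h= fields (plus 'body') that no longer match d=domain."""
    (h1, _), (h2, b2) = split_message(before), split_message(after)
    for name, value in h1:
        tags = dict(t.split(b"=", 1) for t in
                    re.sub(rb"\s+", b"", value).split(b";") if b"=" in t)
        if name == b"dkim-signature" and tags.get(b"d") == domain:
            break
    else:
        raise ValueError("no DKIM-Signature for that domain")
    pick = lambda hs, f: [relaxed_header(v) for n, v in hs if n == f]
    changed = [f.decode() for f in tags[b"h"].lower().split(b":")
               if pick(h1, f) != pick(h2, f)]
    if relaxed_body_hash(b2) != tags[b"bh"].decode():
        changed.append("body")
    return changed

# Constructed sample: BEFORE = copy at the forwarder, AFTER = copy at the final mailbox.
BODY = b"Hello  world \r\n\r\n"
SIG = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
       b" h=From:Subject:Message-Id; bh=" + relaxed_body_hash(BODY).encode() + b"; b=AAAA\r\n")
BEFORE = SIG + b"From: a@example.org\r\nSubject: Hi\r\nMessage-Id: <1@example.org>\r\n\r\n" + BODY
AFTER = BEFORE.replace(b"<1@example.org>", b"<2@fwd.example>") + b"-- \r\nfooter\r\n"
print(diff_signed_parts(BEFORE, AFTER, b"example.org"))
```

Whitespace-only changes (refolded headers, extra trailing blank lines) are not reported, because relaxed canonicalization tolerates them; anything the function lists is a change that breaks the original signature.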
All times are GMT +9.

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved.