Outgoing mail via SMTP Accounts Connectivity (to the same server) gets DKIM-signed twice
Problem reported by Etienne Wilderink - 5/13/2019 at 4:25 AM
Submitted
As a cross-domain merge solution I created an account on domainA and added it to the 'SMTP Account Connectivity' connector at account@domainB. This way I can use domainA as a separate domain (and not an 1:1 alias), I don't have to connect to a dozen of accounts and I can send outgoing mails with both addresses (from the Web UI).

However, when domainA has DKIM signing enabled, the outgoing message is signed twice. The first time before it is send through the localhost->localhost SMTP connection and the second time after it has been received by the domainA account itself and it is processed for outgoing delivery.

Maybe the server thinks it is a local account when the message (from domainA) is created at the domainB account and starts processing it as if it came directly from the remote account at domainA?

The headers from the received mail (at the test address @ gmail.com) contain 2 DKIM Signatures both using the signature key of domainB. Because the first DKIM signature is not valid anymore after signed by the second (change in headers), Gmail marks the DKIM test as failed. I think this means that the server doesn't keep the domains fully separated from each other somewhere in the processing process.

Authentication-Results: mx.google.com;
       dkim=neutral (bad format) header.i=@domainA header.s=8d6d552e9a0a674 header.b=E8BR+Hxr;
       dkim=neutral (bad format) header.i=@domainA header.s=8d6d552e9a0a674 header.b=HPha2Q1e;
       spf=pass (google.com: domain of remoteAccount@domainA designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=remoteAccount@domainA;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domainA
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=domainA; s=8d6d552e9a0a674;
        h=x-exim-id:references:in-reply-to:content-type:mime-version
          :message-id:reply-to:date:subject:to:from;
        bh=4p+YtLVKM9s5EplIBL3MFnF8dNZDR8FJvZ2IdsiISsk=;
        b=E8BR+Hxrbz0JzGMPQ0Sk3ZowmG3uTypM0EL4t+4CMDlCMcXqrRzRpR64po/Q65OQF
          xiW71s2Dp2BjbY+dQqXFyR1xxn/+j9m57z6KfHoc9nUkHMlfZdKVIVkMiL3ZOhVtB
          KNCYp6WlrcFf6Cz/q0Wwp9AtfMtmFUL0vGYJcsdka/ypKtiEKC4QeBrQjRyrZ5ECz
          zEfmFUVfG3Zp9/wt4iOQe1d+IvpVmiT+3viJNtWCG/w8L38ObxYrGQ5o0zLFyIHXP
          3QZQnqDN4YGy929DYM0ONcpt103LkjE+z3olkYS0/RuxMKxoeq1BcuaBh1HxTnz+E
          jHMDFTYQ8p1EGn5yA==
Received: from mx0.mailserverDomain (mx0.mailserverDomain [XXX.XXX.XXX.XXX]) by mx0.mailserverDomain with SMTP (version=Tls12 cipher=Aes256 bits=256);
   Mon, 13 May 2019 13:03:10 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=domainA; s=8d6d552e9a0a674;
        h=references:in-reply-to:content-type:mime-version:message-id
          :reply-to:date:subject:to:from;
        bh=4p+YtLVKM9s5EplIBL3MFnF8dNZDR8FJvZ2IdsiISsk=;
        b=HPha2Q1eXJUlGMN46wQ38agDs9ybNNB2mPCCijhzcaB3xrgfrrEqU8WovskqX1vSe
          g5pLxtMkVkeJ4Fi3HYrOWA0xGta33sMXCJEuN9cN/ZrKh5mqA6PitMzejqQtDZWTP
          u0TXZG2SakPpgoOuATos7zChHT76jzTNWNo8KZL8wq0DF+7GISYKIlsFN95olxCpC
          yGQ4kstB91dAidxbkH/QMFDQov+HvkgPQOdldkhZiQ22L/JYQPqObahBC3uefzuUY
          6xjxwkjABcxEFCDEj7rQDfR1fvuWIvhTbLl+kKFcix9lIMvqPI0LpLZBHPxJaBnI4
          9p04YYt1b8L3qn3Ww==
From: SMTPConnectedAccount <remoteAccount@domainA>
Validation result:
SPF:	PASS with IP XXX.XXX.XXX.XXX
DKIM:	'FAIL' with domain domainA
DMARC:	'PASS'

Reply to Thread